diff --git a/.checkov.yaml b/.checkov.yaml
new file mode 100644
index 00000000..46bcd091
--- /dev/null
+++ b/.checkov.yaml
@@ -0,0 +1,10 @@
+directory:
+ - charts
+skip-path:
+ - /\w+/charts
+evaluate-variables: true
+framework:
+ - helm
+compact: true
+quiet: true
+soft-fail: true
diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
new file mode 100644
index 00000000..25992dc8
--- /dev/null
+++ b/.github/workflows/analysis.yml
@@ -0,0 +1,34 @@
+# https://docs.github.com/actions
+
+name: Analysis
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+ schedule:
+ - cron: '43 2 * * 6'
+ workflow_dispatch:
+
+jobs:
+ checkov:
+ name: Checkov
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Run Checkov scanner
+ id: checkov
+ uses: bridgecrewio/checkov-action@master
+
+ - name: Upload scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 00000000..beb7429a
--- /dev/null
+++ b/.github/workflows/ci.yml
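Review bot: `soft-fail: true` makes every Checkov run exit 0 regardless of findings, so the Checkov job defined in the analysis.yml hunk never fails a push or pull request; findings only surface through the SARIF upload. If an advisory-only scan is the intent, say so next to the flag so nobody reads that job as a merge gate: `# soft-fail: findings are reported via SARIF, never fail the job`. The `skip-path` regex `/\w+/charts` also deserves a one-line comment naming what it excludes (presumably vendored dependency charts), since it silently removes files from the scan.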
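Review bot: `uses: bridgecrewio/checkov-action@master` pulls a third-party action from a moving branch while the job holds `security-events: write`, so any change on that branch is executed by the next run without a review here. Pin it like the other actions in the file, to a release tag or, better, a full commit SHA: `uses: bridgecrewio/checkov-action@<release tag or commit SHA>`. The upload step also assumes the action leaves `results.sarif` in the workspace, which neither this hunk nor the `.checkov.yaml` hunk configures; that appears to rely on the action's defaults and is worth stating in a comment on the step.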
@@ -0,0 +1,55 @@
+# yamllint disable rule:document-start
+# https://docs.github.com/actions
+
+name: CI
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ prepare:
+ name: Prepare
+ runs-on: ubuntu-latest
+ outputs:
+ changed: ${{ steps.list-changed.outputs.changed }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Set up chart-testing
+ uses: helm/chart-testing-action@v2.6.1
+
+ - name: Run chart-testing (list-changed)
+ id: list-changed
+ run: |
+ changed=$(ct list-changed --config config.yaml)
+ if [[ -n "$changed" ]]; then
+ echo "changed=true" >> $GITHUB_OUTPUT
+ fi
+
+ test:
+ name: Test
+ if: needs.prepare.outputs.changed == 'true'
+ needs:
+ - prepare
+ uses: ./.github/workflows/test.yml
+ with:
+ action-matrix: '["lint", "install", "install --upgrade"]'
+
+ release:
+ name: Release
+ if: github.ref == 'refs/heads/main'
+ uses: ./.github/workflows/release.yml
+ permissions:
+ contents: write
+ packages: write
+ id-token: write
+ # secrets:
+ # GPG_KEY_BASE64: ${{ secrets.GPG_KEY_BASE64 }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..731a4a0c
--- /dev/null
+++ b/.github/workflows/release.yml
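Review bot: the `release` job declares no `needs:`, so on a push to `main` it runs alongside `prepare` and `test` and publishes charts whether or not lint and install succeed; add `needs: [test]` and decide explicitly how a skipped `test` (the `changed == 'true'` case) should be treated, since a dependent job is otherwise skipped with it. The call to release.yml passes no secrets, yet the release.yml hunk declares `GPG_KEY_BASE64` as `required: true`; unless the secret is inherited, the call is likely rejected at run time, so either pass it or mark it optional there, which also matches `sign: false` in the config.yaml hunk. Separately, the output path should be quoted: `echo "changed=true" >> "$GITHUB_OUTPUT"`.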
@@ -0,0 +1,70 @@
+# yamllint disable rule:document-start
+# https://docs.github.com/actions
+
+name: Release
+
+on:
+ workflow_call:
+ secrets:
+ GPG_KEY_BASE64:
+ required: true
+ description: GPG key for signing
+
+jobs:
+ publish:
+ name: Publish
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ packages: write
+ id-token: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Configure Git
+ run: |
+ git config user.name "$GITHUB_ACTOR"
+ git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+ # - name: Prepare GPG key
+ # run: |
+ # gpg_dir=.cr-gpg
+ # mkdir "$gpg_dir"
+ # keyring="$gpg_dir/secring.gpg"
+ # base64 -d <<< "$GPG_KEY_BASE64" > "$keyring"
+ # echo "CR_KEYRING=$keyring" >> "$GITHUB_ENV"
+ # env:
+ # GPG_KEY_BASE64: ${{ secrets.GPG_KEY_BASE64 }}
+
+ - name: Install Helm
+ uses: azure/setup-helm@v4.2.0
+
+ - name: Add Helm repos
+ run: helm repo add bitnami https://charts.bitnami.com/bitnami
+
+ - name: Run chart-releaser
+ uses: helm/chart-releaser-action@v1.6.0
+ with:
+ config: config.yaml
+ env:
+ CR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Push charts to GitHub Container Registry
+ run: |
+ shopt -s nullglob
+ for pkg in .cr-release-packages/*.tgz; do
+ if [ -z "${pkg:-}" ]; then
+ break
+ fi
+ helm push "${pkg}" "oci://ghcr.io/${GITHUB_REPOSITORY@L}"
+ done
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 00000000..7d8c62b9
--- /dev/null
+++ b/.github/workflows/test.yml
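Review bot: the `publish` job requests `id-token: write`, but nothing visible in the hunk uses OIDC (the registry login authenticates with `GITHUB_TOKEN`, and the signing step is commented out), so the job can drop that permission and keep only `contents: write` and `packages: write`. In the push step, `shopt -s nullglob` already prevents the loop body from running when no `.tgz` exists, so `if [ -z "${pkg:-}" ]; then break; fi` is dead code and can be removed. The tag-pinned actions (`azure/setup-helm@v4.2.0`, `helm/chart-releaser-action@v1.6.0`, `docker/login-action@v3`) would be more robust pinned to full commit SHAs, since tags are mutable and this job publishes artifacts.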
@@ -0,0 +1,45 @@
+# yamllint disable rule:document-start
+# https://docs.github.com/actions
+
+name: Test
+
+on:
+ workflow_call:
+ inputs:
+ action-matrix:
+ required: false
+ default: '["install"]'
+ type: string
+ description: Matrix of actions to run
+
+jobs:
+ ct:
+ name: Run chart-testing
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ action: ${{ fromJSON(inputs.action-matrix) }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Set up Helm
+ uses: azure/setup-helm@v4.2.0
+
+ - uses: actions/setup-python@v5
+ if: startsWith(matrix.action, 'lint')
+ with:
+ python-version: 3.x
+
+ - name: Set up chart-testing
+ uses: helm/chart-testing-action@v2.6.1
+
+ - name: Create kind cluster
+ uses: helm/kind-action@v1.9.0
+ if: startsWith(matrix.action, 'install')
+
+ - name: Run chart-testing (${{ matrix.action }})
+ run: ct ${{ matrix.action }} --config config.yaml --debug
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
deleted file mode 100644
index a0e8dab9..00000000
--- a/.gitlab-ci.yml
+++ /dev/null
@@ -1,37 +0,0 @@
----
-stages:
- - test
- - release
-
-helm-lint:
- stage: test
- image:
- name: alpine/helm:latest
- entrypoint: [""]
- script:
- - helm version
- - helm dependency build
- - helm lint --strict
-
-yamllint:
- stage: test
- image: pipelinecomponents/yamllint:latest
- script:
- - yamllint --version
- - yamllint --strict .
-
-release-chart:
- stage: release
- image:
- name: curlimages/curl:latest
- entrypoint: [""]
- script:
- - >-
- curl -X POST -F token=${CHARTS_TRIGGER_TOKEN} -F ref=master
- -F variables[CHART_NAME]=${CI_PROJECT_NAME}
- -F variables[CHART_VERSION]=${CI_COMMIT_TAG}
- https://git.boo.tc/api/v4/projects/20/trigger/pipeline
- only:
- - tags
-
-# vim: ai ts=2 sw=2 et sts=2 ft=yaml
diff --git a/config.yaml b/config.yaml
new file mode 100644
index 00000000..6320d128
--- /dev/null
+++ b/config.yaml
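Review bot: `run: ct ${{ matrix.action }} --config config.yaml --debug` interpolates an expression directly into the shell command, and the value originates from the `action-matrix` string input rather than from this workflow. Today the only caller is the ci.yml hunk in this repository, so the exposure is limited, but the robust idiom is to pass the value through the environment: add `env: { CT_ACTION: ${{ matrix.action }} }` to the step and run `ct $CT_ACTION --config config.yaml --debug` (left unquoted on purpose so `install --upgrade` splits into two arguments). The unnamed `actions/setup-python@v5` step would also read better with a `name:` like the surrounding steps.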
@@ -0,0 +1,11 @@
+owner: netbox-community
+repo: netbox-chart
+remote: origin
+target-branch: develop
+sign: false
+key: NetBox Community
+chart-dirs:
+ - charts
+chart-repos:
+ - bitnami=https://charts.bitnami.com/bitnami
+generate-release-notes: true