diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..edf893f
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+version: 2
+
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+      time: "02:00"
+    cooldown:
+      default-days: 3
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..180380a
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,73 @@
+name: build
+
+on:
+  push:
+    branches:
+      - main
+
+  pull_request:
+    paths:
+      - .github/workflows/build.yml
+      - dockerfile
+      - build.sh
+      - fvp.sh
+      - fvprc
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+
+      - name: Install Ubuntu deps
+        run: |
+          sudo apt-get update
+          sudo apt-get install \
+            shellcheck
+
+      - uses: ammaraskar/gcc-problem-matcher@0f9c86f9e693db67dacf53986e1674de5f2e5f28 # master
+
+      - name: Run ShellCheck
+        run: |
+          shellcheck -s bash -f gcc *.sh fvprc
+
+      - name: Lint Dockerfile
+        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        with:
+          dockerfile: dockerfile
+
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+            
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+
+      - name: Create .armlm
+        run: mkdir -p ~/.armlm
+
+      - name: Build Docker image
+        run: ./build.sh
+
+      - name: Run FVP binaries to verify build
+        run: | 
+          for x in ./bin/*; do
+            $x --version || exit 1
+          done
diff --git a/dockerfile b/dockerfile
index c175d9a..6cc3b5e 100644
--- a/dockerfile
+++ b/dockerfile
@@ -1,3 +1,5 @@
+
+# hadolint global ignore=DL3008,DL3015
 FROM ubuntu:22.04
 
 ARG DEBIAN_FRONTEND=noninteractive
diff --git a/fvp.sh b/fvp.sh
index c1208c3..4fe47c8 100755
--- a/fvp.sh
+++ b/fvp.sh
@@ -66,7 +66,7 @@ docker run \
   "${MOUNTS[@]}" \
   --workdir "$workdir" \
   --env "ARMLM_CACHED_LICENSES_LOCATION=${HOME}/.armlm" \
-  --env DISPLAY=${DISPLAY_IP}:0 \
+  --env "DISPLAY=${DISPLAY_IP}:0" \
   --volume /tmp/.X11-unix:/tmp/.X11-unix \
   "fvp:${FVP_VERSION}" "${MODEL}" "${FLAGS[@]}"