diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
new file mode 100644
index 000000000..6ba90d657
--- /dev/null
+++ b/.github/actionlint.yaml
@@ -0,0 +1,14 @@
+# Labels of self-hosted runner in array of strings.
+
+# NB. oqs-arm64 is not self-hosted but this configuration
+#     is required for liboqs to lint correctly with actionlint v1.7.1
+
+self-hosted-runner:
+  # Labels of self-hosted runner in array of string
+  labels:
+    - oqs-arm64
+# Configuration variables in array of strings defined in your repository or organization
+config-variables:
+  # - DEFAULT_RUNNER
+  # - JOB_NAME
+  # - ENVIRONMENT_STAGE
diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml
index 3364ec77e..a9db1811e 100644
--- a/.github/workflows/basic.yml
+++ b/.github/workflows/basic.yml
@@ -7,8 +7,19 @@ on: [workflow_call, workflow_dispatch]
 
 jobs:
 
+  workflowcheck:
+    name: Check validity of GitHub workflows
+    runs-on: ubuntu-latest
+    container: openquantumsafe/ci-ubuntu-latest:latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+      - name: Ensure GitHub actions are valid
+        run: actionlint -shellcheck "" # run *without* shellcheck
+
   stylecheck:
     name: Check code formatting
+    needs: [ workflowcheck ]
     runs-on: ubuntu-latest
     container: openquantumsafe/ci-ubuntu-latest:latest
     steps:
@@ -23,6 +34,7 @@ jobs:
 
   upstreamcheck:
     name: Check upstream code is properly integrated
+    needs: [ workflowcheck ]
     runs-on: ubuntu-latest
     container: openquantumsafe/ci-ubuntu-latest:latest
     steps:
@@ -47,7 +59,7 @@ jobs:
 
   buildcheck:
     name: Check that code passes a basic build
-    needs: [ stylecheck, upstreamcheck ]
+    needs: [ workflowcheck, stylecheck, upstreamcheck ]
     runs-on: ubuntu-latest
     container: openquantumsafe/ci-ubuntu-latest:latest
     env: