diff --git a/.github/workflows/python-pipenv.yml b/.github/workflows/python-pipenv.yml
new file mode 100644
index 0000000..111a0f4
--- /dev/null
+++ b/.github/workflows/python-pipenv.yml
@@ -0,0 +1,96 @@
+name: Python Pipenv
+
+on:
+ workflow_call:
+ inputs:
+ workflow-path:
+ description: Workflow file used for change detection.
+ required: false
+ type: string
+ working-directory:
+ description: Relative path under $GITHUB_WORKSPACE where the project is located.
+ required: false
+ type: string
+
+jobs:
+ pre-checks:
+ name: Pre-checks
+ runs-on: ubuntu-latest
+ outputs:
+ should-skip: ${{ steps.skip-check.outputs.should_skip }}
+
+ steps:
+ - id: skip-check
+ uses: fkirc/skip-duplicate-actions@v3.4.1
+ with:
+ concurrent_skipping: same_content
+ do_not_skip: >-
+ [
+ "push",
+ "schedule",
+ "workflow_dispatch"
+ ]
+ paths: >-
+ [
+ ".tool-versions",
+ "${{ inputs.workflow-path }}",
+ "${{ inputs.working-directory }}/**"
+ ]
+ skip_after_successful_duplicate: true
+
+ setup:
+ name: Setup
+ needs: [pre-checks]
+ if: ${{ needs.pre_checks.outputs.should-skip != 'true' }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Setup Python
+ uses: equisoft-actions/setup-python@v1.0.0
+
+ unit-tests:
+ name: Unit tests
+ needs: [setup]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Setup Python
+ uses: equisoft-actions/setup-python@v1.0.0
+
+ - name: Run pytest
+ working-directory: ${{ inputs.working-directory }}
+ run: pipenv run pytest -v
+
+ type-check:
+ name: Type check
+ needs: [setup]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Setup Python
+ uses: equisoft-actions/setup-python@v1.0.0
+
+ - name: Run pytype
+ working-directory: ${{ inputs.working-directory }}
+ run: pipenv run pytype
+
+ code-style:
+ name: Code style
+ needs: [setup]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Setup Python
+ uses: equisoft-actions/setup-python@v1.0.0
+
+ - name: Run pycodestyle
+ working-directory: ${{ inputs.working-directory }}
+ run: pipenv run pycodestyle --statistics --count
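Review bot: The `if:` on the `setup` job reads `needs.pre_checks.outputs.should-skip`, but the job it depends on is declared as `pre-checks`, so the expression compares an empty string with `'true'`, always evaluates true, and the skip-duplicate result computed in `pre-checks` is never applied; it should read `if: ${{ needs.pre-checks.outputs.should-skip != 'true' }}`. Every third-party action in these jobs (`fkirc/skip-duplicate-actions@v3.4.1`, `actions/checkout@v2`, `equisoft-actions/setup-python@v1.0.0`) is referenced by a mutable tag rather than a commit SHA, so a moved or re-pushed tag silently changes what runs with the workflow's token; the same applies to the actions in the python-security.yml hunk. Because this is a `workflow_call` workflow, the jobs that only check out, test and lint could carry a job-level `permissions:` block with `contents: read` so the calling workflow's token scope does not flow into them in full.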
diff --git a/.github/workflows/python-security.yml b/.github/workflows/python-security.yml
new file mode 100644
index 0000000..049e212
--- /dev/null
+++ b/.github/workflows/python-security.yml
@@ -0,0 +1,42 @@
+name: Python Security
+
+on:
+ workflow_call:
+ inputs:
+ working-directory:
+ description: Relative path under $GITHUB_WORKSPACE where the project is located.
+ required: false
+ type: string
+
+jobs:
+ secrets:
+ name: Secret scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+
+ - name: Run secret scanner
+ uses: kronostechnologies/actions/scan-secrets@v0.0.20
+
+ sast:
+ name: SAST
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Setup Python
+ uses: equisoft-actions/setup-python@v1.0.0
+
+ - name: Run Semgrep
+ run: make check.sast
+
+ - name: Upload SAST report
+ uses: actions/upload-artifact@v2
+ if: always()
+ with:
+ name: semgrep-${{ inputs.working-directory }}.sarif
+ path: ${{ inputs.working-directory }}/build/reports/semgrep/semgrep.sarif
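Review bot: The `Run Semgrep` step executes `make check.sast` from the repository root, while the upload step expects the report under `${{ inputs.working-directory }}/build/reports/semgrep/semgrep.sarif`; unless the root Makefile already changes into that directory, the step needs `working-directory: ${{ inputs.working-directory }}` as the run steps in the pipenv workflow have, after which `path:` would be `build/reports/semgrep/semgrep.sarif`. `working-directory` is declared `required: false`, so an empty value yields the artifact name `semgrep-.sarif` and the absolute path `/build/reports/semgrep/semgrep.sarif`, and a value containing `/` ends up in the artifact name, which upload-artifact is likely to reject; either mark the input required or give it a default. The SARIF is only stored as an artifact here, so Semgrep findings do not reach the repository's code-scanning alerts; if that is deliberate for a reusable workflow, a comment on the upload step such as `# report is published as an artifact only; callers decide whether to upload it to code scanning` would record it.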