diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml
new file mode 100644
index 0000000000000..bf4708eabc1a2
--- /dev/null
+++ b/.github/workflows/codeowners.yml
@@ -0,0 +1,75 @@
+name: Codeowners
+
+on:
+ pull_request_target:
+ types: [opened, ready_for_review, synchronize, reopened, edited]
+
+env:
+ OWNERS_FILE: .github/OWNERS
+
+# This workflow depends on a GitHub App with the following permissions:
+# - Repository > Administration: read-only
+# - Organization > Members: read-only
+# - Repository > Pull Requests: read-write
+# The App needs to be installed on this repository
+# the OWNER_APP_ID repository variable needs to be set
+# the OWNER_APP_PRIVATE_KEY repository secret needs to be set
+
+jobs:
+ check-owners:
+ name: Check
+ runs-on: ubuntu-latest
+ steps:
+ - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ path: base
+
+ - name: Build codeowners validator
+ run: nix-build base/ci -A codeownersValidator
+
+ - uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ vars.OWNER_APP_ID }}
+ private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+
+ - uses: actions/checkout@v4
+ with:
+ ref: refs/pull/${{ github.event.number }}/merge
+ path: pr
+
+ - name: Validate codeowners
+ run: result/bin/codeowners-validator
+ env:
+ OWNERS_FILE: pr/${{ env.OWNERS_FILE }}
+ GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
+ REPOSITORY_PATH: pr
+ OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
+ # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
+ EXPERIMENTAL_CHECKS: "avoid-shadowing"
+
+ request:
+ name: Request
+ runs-on: ubuntu-latest
+ # Don't trigger on draft PRs
+ if: ${{ ! github.event.pull_request.draft }}
+ steps:
+ - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: Build review request package
+ run: nix-build ci -A requestReviews
+
+ - uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ vars.OWNER_APP_ID }}
+ private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+
+ - name: Request reviews
+ run: ./result/bin/request-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
+ env:
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
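Review bot: The two `actions/create-github-app-token@v1` steps and the `actions/checkout@v4` step that fetches `refs/pull/.../merge` are pinned to mutable tags, while every other `uses:` in this file pins a commit SHA with a version comment. In a `pull_request_target` workflow that mints an App token with pull-request read-write permission (per the header comment), a retargeted tag would let an unreviewed action version run with that token in scope, so pin these the same way: `- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7` and `- uses: actions/create-github-app-token@<commit-sha> # v1.x` (fill in the SHA of the v1 release you intend). The workflow also declares no `permissions:` block; since every API call here goes through the App token, a top-level `permissions: contents: read` would restrict the default `GITHUB_TOKEN` to what `actions/checkout` needs.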