diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
new file mode 100644
index 0000000..3cb932b
--- /dev/null
+++ b/.github/workflows/cd.yaml
@@ -0,0 +1,70 @@
+# Continuous deployment workflow
+# - Create release
+# - Deploy package on GitHub and PYPI
+#
+# Requires GitHub secrets
+# - GITHUB_TOKEN
+# - PYPI_TOKEN
+# - SLACK_WEBHOOK_URL
+
+name: CD
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    env:
+      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - name: Checkout repository
+        id: checkout-repository
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Install Python
+        id: install-python
+        uses: actions/setup-python@v2
+        with:
+          python-version: 3.9
+          architecture: x64
+
+      - name: Install dependencies
+        id: install-dependencies
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install poetry python-semantic-release
+          python -m poetry install --no-dev
+
+      - name: Semantic release
+        id: semantic-release
+        run: |
+          git config user.name "github-actions"
+          git config user.email "github-actions@github.com"
+          semantic-release publish -D commit_author="github-actions <github-actions@github.com>" -v DEBUG
+
+      - name: Build package
+        id: build-package
+        run: python -m poetry build
+
+      - name: Publish package
+        id: publish-package
+        run: |
+          python -m twine upload dist/* -u __token__ -p ${{ secrets.PYPI_TOKEN }} --skip-existing --verbose
+
+      - name: Send Slack notification
+        id: send-slack-notification
+        uses: act10ns/slack@v1
+        with:
+          status: ${{ job.status }}
+          steps: ${{ toJson(steps) }}
+          channel: "#project-releases"
+          config: .github/config/slack.yaml
+        if: always()
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..79c4181
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,89 @@
+# CI workflow
+# - Run linters (flake8, mypy, security)
+# - Run tests (doctests, unittests)
+#
+# Requires GitHub secrets
+# - CODECOV_TOKEN
+
+name: CI
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  linters:
+    name: Run linters
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        id: checkout-repository
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Install Python
+        id: install-python
+        uses: actions/setup-python@v2
+        with:
+          python-version: 3.9
+          architecture: x64
+
+      - name: Install dependencies
+        id: install-dependencies
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install poetry
+          python -m poetry install
+
+      - name: Run flake8
+        id: run-flake8
+        run: |
+          python -m poetry run poe lint-flake8
+
+      - name: Run mypy
+        id: run-mypy
+        run: |
+          python -m poetry run poe lint-mypy
+
+  tests:
+    name: Run tests
+    needs: linters
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, windows-latest, macos-latest ]
+        python-version: [ "3.7", "3.8", "3.9", "3.10" ]
+    steps:
+      - name: Checkout repository
+        id: checkout-repository
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Install Python
+        id: install-python
+        uses: actions/setup-python@v2
+        with:
+          python-version: ${{ matrix.python-version }}
+          architecture: x64
+
+      - name: Install dependencies
+        id: install-dependencies
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install poetry
+          python -m poetry install
+
+      - name: Run pytest | xdoctest
+        id: run-pytest-xdoctest
+        run: |
+          python -m poetry run poe tests
+
+      - name: Upload coverage to Codecov
+        id: upload-coverage-to-codecov
+        uses: codecov/codecov-action@v1.0.13
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          name: ${{ matrix.os }}, ${{ matrix.python-version }}
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
new file mode 100644
index 0000000..23002f9
--- /dev/null
+++ b/.github/workflows/codeql.yaml
@@ -0,0 +1,47 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+
+name: CodeQL
+
+on:
+  push:
+    branches:
+      - main
+
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ "python" ]
+    steps:
+      - name: Checkout repository
+        id: checkout-repository
+        uses: actions/checkout@v2
+
+      - name: Initialize CodeQL
+        id: initialize-codeql
+        uses: github/codeql-action/init@v1
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        id: autobuild
+        uses: github/codeql-action/autobuild@v1
+
+      - name: Perform CodeQL analysis
+        id: perform-codeql-analysis
+        uses: github/codeql-action/analyze@v1