diff --git a/.github/workflows/test-annotation.yml b/.github/workflows/test-annotation.yml
new file mode 100644
index 0000000..0368bf6
--- /dev/null
+++ b/.github/workflows/test-annotation.yml
@@ -0,0 +1,37 @@
+name: Test GitHub annotation
+
+on: pull_request
+
+jobs:
+  test-github-annotation:
+    name: Test GitHub annotation
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup gitleaks
+        env:
+          TARGET: linux_amd64
+          VERSION: 8.18.1-patch1
+          # From https://github.com/taiki45/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_checksums.txt
+          SHA256_SUM: aed536718ac444b6727754ca2e34e243ec1aee8bce928975233709d57bc61387
+        # Explicitly specifing `bash` changes behavior: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell
+        shell: bash
+        run: |
+          set -x
+          curl -L "https://github.com/taiki45/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_${TARGET}.tar.gz" -O
+          echo "${SHA256_SUM} gitleaks_${VERSION}_${TARGET}.tar.gz" | sha256sum --check
+          # Generate `gitleaks` binary
+          tar --extract --gzip --file "gitleaks_${VERSION}_${TARGET}.tar.gz" --verbose
+          sudo install gitleaks /usr/local/bin/gitleaks
+      - uses: dtolnay/rust-toolchain@439cf607258077187679211f12aa6f19af4a0af7 # Latest as of 2023-11-16
+        with:
+          toolchain: stable
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Test apply
+        env:
+          REPORT_PATH: tmp/report.json
+        shell: bash
+        run: |
+          set -x
+          mkdir -p tmp
+          gitleaks detect --verbose --exit-code=0 --no-banner --config=dev/gitleaks.toml --report-path="${REPORT_PATH}"
+          cargo run apply --config-path=dev/gitleaks-allowlist.toml --report-path="${REPORT_PATH}"