diff --git a/.github/workflows/code-quality.yaml b/.github/workflows/code-quality.yaml
new file mode 100644
index 00000000000..b6f72bf666a
--- /dev/null
+++ b/.github/workflows/code-quality.yaml
@@ -0,0 +1,71 @@
+---
+name: Code static analysis
+"on":
+  push:
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  golangci:
+    name: golangci-lint
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        component:
+          - components/notebook-controller
+          - components/odh-notebook-controller
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          check-latest: true
+          go-version-file: components/notebook-controller/go.mod
+          cache-dependency-path: ${{ matrix.component }}/go.sum
+
+      - name: golangci-lint
+        if: "${{ !cancelled() }}"
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: v1.59.1
+          only-new-issues: true
+          working-directory: ${{ matrix.component }}
+
+      # additional checks not part of golangci-lint
+
+      # https://github.com/golangci/golangci-lint/issues/4123
+      - name: go mod verify
+        if: "${{ !cancelled() }}"
+        run: go mod verify
+        working-directory: ${{ matrix.component }}
+
+      # https://github.com/golang/go/issues/27005
+      - name: go mod tidy -diff
+        if: "${{ !cancelled() }}"
+        run: |
+          set -x
+
+          go mod tidy
+
+          # if the above changed any files, report the differences and fail the step
+          if [[ $(git ls-files . -d -m -o --exclude-standard --full-name -v | wc -l) -gt 0 ]]; then
+            echo "There are changes:"
+            git diff
+            exit 1
+          fi
+        working-directory: ${{ matrix.component }}
+
+      # https://github.com/golangci/golangci-lint/issues/3094
+      - name: govulncheck
+        if: "${{ !cancelled() }}"
+        run: |
+          # https://go.googlesource.com/vuln
+          go install golang.org/x/vuln/cmd/govulncheck@latest
+          govulncheck ./...
+        working-directory: ${{ matrix.component }}
diff --git a/.github/workflows/notebook_controller_unit_test.yaml b/.github/workflows/notebook_controller_unit_test.yaml
index 39b8e770b8d..c67ed0df52b 100644
--- a/.github/workflows/notebook_controller_unit_test.yaml
+++ b/.github/workflows/notebook_controller_unit_test.yaml
@@ -17,7 +17,7 @@ jobs:
       uses: actions/setup-go@v5
       with:
         check-latest: true
-        go-version-file: components/notebook-controller/go.mod
+        go-version-file: components/notebook-controller/go.mod``
         cache-dependency-path: components/notebook-controller/go.sum
 
     - name: Run unit tests
diff --git a/components/notebook-controller/.golang-ci.yaml b/components/notebook-controller/.golang-ci.yaml
new file mode 100644
index 00000000000..13191570fa2
--- /dev/null
+++ b/components/notebook-controller/.golang-ci.yaml
@@ -0,0 +1,45 @@
+# https://github.com/golangci/golangci-lint
+
+# Newer Kubebuilder adds this as a default
+# https://github.com/kubernetes-sigs/kubebuilder/issues/1887
+
+run:
+  timeout: 5m
+  allow-parallel-runners: true
+
+issues:
+  # don't skip warning about doc comments
+  # don't exclude the default set of lint
+  exclude-use-default: false
+  # restore some of the defaults
+  # (fill in the rest as needed)
+  exclude-rules:
+    - path: "api/*"
+      linters:
+        - lll
+    - path: "internal/*"
+      linters:
+        - dupl
+        - lll
+linters:
+  disable-all: true
+  enable:
+    - dupl
+    - errcheck
+    - exportloopref
+    - goconst
+    - gocyclo
+    - gofmt
+    - goimports
+    - gosimple
+    - govet
+    - ineffassign
+    - lll
+    - misspell
+    - nakedret
+    - prealloc
+    - staticcheck
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
diff --git a/components/odh-notebook-controller/.golang-ci.yaml b/components/odh-notebook-controller/.golang-ci.yaml
new file mode 100644
index 00000000000..13191570fa2
--- /dev/null
+++ b/components/odh-notebook-controller/.golang-ci.yaml
@@ -0,0 +1,45 @@
+# https://github.com/golangci/golangci-lint
+
+# Newer Kubebuilder adds this as a default
+# https://github.com/kubernetes-sigs/kubebuilder/issues/1887
+
+run:
+  timeout: 5m
+  allow-parallel-runners: true
+
+issues:
+  # don't skip warning about doc comments
+  # don't exclude the default set of lint
+  exclude-use-default: false
+  # restore some of the defaults
+  # (fill in the rest as needed)
+  exclude-rules:
+    - path: "api/*"
+      linters:
+        - lll
+    - path: "internal/*"
+      linters:
+        - dupl
+        - lll
+linters:
+  disable-all: true
+  enable:
+    - dupl
+    - errcheck
+    - exportloopref
+    - goconst
+    - gocyclo
+    - gofmt
+    - goimports
+    - gosimple
+    - govet
+    - ineffassign
+    - lll
+    - misspell
+    - nakedret
+    - prealloc
+    - staticcheck
+    - typecheck
+    - unconvert
+    - unparam
+    - unused