diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..64e5779
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,28 @@
+---
+name: CI
+
+on: [push, pull_request]
+
+jobs:
+ vanilla:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - run: sudo apt-get update && sudo apt-get install -y make build-essential
+ - run: sudo make vanilla
+ reproducibility:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - run: |
+ sudo mkdir /nonexistent
+ - run: |
+ ACTIONS_RUNNER=$USER sudo chown -R $ACTIONS_RUNNER: /nonexistent
+ - run: sudo apt-get update && sudo apt-get install -y make build-essential reprotest
+ - run: make reprotest
+ # reproducibility-securedrop:
+ # runs-on: ubuntu-latest
+ # steps:
+ # - uses: actions/checkout@v3
+ # - run: sudo apt-get update && sudo apt-get install -y make build-essential reprotest
+ # - run: sudo make reprotest-sd
diff --git a/Makefile b/Makefile
index 4303d0e..10749b1 100644
--- a/Makefile
+++ b/Makefile
@@ -6,11 +6,7 @@ SCRIPT_OUTPUT_EXT=log
 .PHONY: vanilla
 vanilla: OUT:=$(SCRIPT_OUTPUT_PREFIX)-vanilla.$(SCRIPT_OUTPUT_EXT)
 vanilla: ## Builds latest stable kernel, unpatched
- LINUX_MAJOR_VERSION="5.15" \
- script \
- --command ./scripts/build-kernel-wrapper \
- --return \
- $(OUT)
+ LINUX_MAJOR_VERSION="5.15" ./scripts/build-kernel-wrapper
 .PHONY: grsec
 grsec: OUT:=$(SCRIPT_OUTPUT_PREFIX)-grsec.$(SCRIPT_OUTPUT_EXT)
diff --git a/scripts/build-kernel-wrapper b/scripts/build-kernel-wrapper
index e5dcfea..2cc2bd1 100755
--- a/scripts/build-kernel-wrapper
+++ b/scripts/build-kernel-wrapper
@@ -1,9 +1,12 @@
 #!/bin/bash
+echo "XKCD 1"
+
 set -e
 set -u
 set -o pipefail
+echo "XKCD 2"
 # SOURCE_DATE_EPOCH="$(git log -1 --pretty=%ct)"
 # DEBUG: setting constant value to make eval easier
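Review bot: The chown step in the reproducibility job does not do what it intends: `$ACTIONS_RUNNER` is expanded by the step's shell before `sudo` is invoked, while the `ACTIONS_RUNNER=$USER` prefix only places the variable in sudo's environment, so unless the runner already exports that name the command degenerates to `sudo chown -R : /nonexistent`, which GNU chown accepts as a no-op and leaves /nonexistent root-owned. Use the value directly, `sudo chown -R "$(id -un):" /nonexistent`, and make the preceding step `sudo mkdir -p /nonexistent` so a pre-existing directory does not fail the job. Both jobs also pin `actions/checkout@v3` by a mutable tag; for a pipeline whose purpose is reproducible kernel builds, pin to a full commit SHA (`actions/checkout@<sha> # v3`) so the checkout action cannot be swapped underneath the workflow.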
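Review bot: The `vanilla` recipe no longer references `$(OUT)`, so the `vanilla: OUT:=$(SCRIPT_OUTPUT_PREFIX)-vanilla.$(SCRIPT_OUTPUT_EXT)` target-specific variable just above it is now dead, and the transcript that `script --return` used to write to that log is gone for this target while `grsec` (whose recipe is cut off below the hunk) apparently keeps it. Either remove the `OUT` line together with the `script` invocation or keep the transcript; if the motivation was only that `script` hid the wrapper's exit status, `--return` already propagated it. The wrapper's own `export TERM=dumb # to omit control characters from "script" transcripts` now describes a transcript this target does not produce and should be revisited in the same change.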
@@ -13,6 +16,10 @@ export KBUILD_BUILD_TIMESTAMP="@${SOURCE_DATE_EPOCH}"
 export DEB_BUILD_TIMESTAMP="${SOURCE_DATE_EPOCH}"
 export TERM=dumb # to omit control characters from "script" transcripts
+echo "XKCD 3"
+echo $PWD
+env
+
 # Build container image for kernel dependencies
 IMG_NAME="fpf.local/kernel-builder"
 docker build -t "$IMG_NAME" \
@@ -20,20 +27,37 @@ docker build -t "$IMG_NAME" \
 --build-arg GID="$(id -g)" \
 .
+echo "XKCD 4"
+echo $PWD
+env
+
 # Configure local customizations
 local_config_volume_opt=""
 if [[ -n "${LINUX_LOCAL_CONFIG_PATH:-}" ]]; then
 local_config_volume_opt="-v ${LINUX_LOCAL_CONFIG_PATH}:/config:ro"
 fi
+
+echo "XKCD 5"
+
 local_patches_volume_opt=""
 if [[ -n "${LINUX_LOCAL_PATCHES_PATH:-}" ]]; then
 local_patches_volume_opt="-v ${LINUX_LOCAL_PATCHES_PATH}:/patches:ro"
 fi
+echo "XKCD 6"
+
+echo $PWD
+env
+
 # Create output dir
 kernel_dir="$PWD/build"
 mkdir -p -m 755 "$kernel_dir"
+echo "XKCD 7"
+
+echo $PWD
+env
+
 # TODO: It'd be great to pass `-i` here so the builds can be cancelled,
 # but that breaks reprotest. Pass it conditionally, depending on whether
 # there's an interactive session available.
@@ -53,5 +77,8 @@ docker run --rm -t \
 $local_patches_volume_opt \
 "$IMG_NAME"
+echo "XKCD 8"
+
+
 echo "Build complete. Packages can be found at:"
 find "$kernel_dir" -type f | sort
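Review bot: The `env` added after the `TERM` export dumps the entire process environment into the build output, which in the CI job lands in the Actions log and locally in whatever transcript wraps the wrapper; anything the caller had exported (registry or cloud credentials, tokens handed in via a workflow `env:` block) would be printed verbatim. Print only the variables the build depends on, e.g. `env | grep -E '^(SOURCE_DATE_EPOCH|KBUILD_|DEB_BUILD_|LINUX_|TERM=)' | sort`, or remove the dump before merging along with the `echo "XKCD 3"` marker. The unquoted `echo $PWD` works for paths without whitespace, but `echo "$PWD"` is the form the rest of the script uses for `$kernel_dir`.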
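Review bot: The numbered `XKCD N` markers and the three repeated `echo $PWD` / `env` dumps in this hunk read as ad-hoc tracing that will be hard to map back to the script once it changes, and they run unconditionally for every user of the wrapper. If the tracing is meant to stay, route it through one guarded helper with descriptive labels, `debug() { [[ -n "${KERNEL_BUILD_DEBUG:-}" ]] || return 0; printf 'debug: %s (cwd=%s)\n' "$*" "$PWD" >&2; }`, and call `debug "after docker build"` and so on, writing to stderr so the output does not interleave with the package listing on stdout. Quote `"$PWD"` in any echo that remains. The hunk ends in the comment preceding the `docker run` invocation, which is outside the view.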