diff --git a/.github/workflows/test-sign.yml b/.github/workflows/test-sign.yml
new file mode 100644
index 0000000000..e9390a1dd2
--- /dev/null
+++ b/.github/workflows/test-sign.yml
@@ -0,0 +1,52 @@
+name: "Test signing"
+
+on:
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    environment: Automation
+
+    permissions: {}
+
+    steps:
+      - name: Dump environment
+        run: env
+
+      - name: Dump GitHub context
+        env:
+          GITHUB_CONTEXT: '${{ toJson(github) }}'
+        run: echo "${GITHUB_CONTEXT}"
+
+      - name: Generate token
+        uses: actions/create-github-app-token@v2.1.1
+        id: app-token
+        with:
+          app-id: ${{ vars.AUTOMATION_APP_ID }}
+          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+
+      - name: Configure git user
+        run: |
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
+
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          fetch-depth: 0  # ensure we have all tags and can push commits
+
+      - name: Test signing
+        shell: bash
+        run: |
+          git tag -s --annotate "vTEST" --message "vTEST"
+          echo "test" > .test
+          git add .test
+          git commit -s -m 'Test commit'