diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5b00e7d..a022c78 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,6 +14,23 @@ on:
       - '!**/*.md'
   workflow_dispatch:
 jobs:
+  obfuscan:
+    if: github.event_name == 'pull_request'
+    name: Obfuscan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: write
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+    - name: Scan PR diff
+      uses: ByteBardOrg/obfuscan-action@v1
+      with:
+        fail-on: block
+
   build:
 
     runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/pr-title-lint.yml b/.github/workflows/pr-title-lint.yml
index abe0796..4858b42 100644
--- a/.github/workflows/pr-title-lint.yml
+++ b/.github/workflows/pr-title-lint.yml
@@ -4,6 +4,10 @@ on:
   pull_request_target:
     types: [opened, reopened, synchronize, edited, ready_for_review]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   lint-pr-title:
     name: Lint PR title