diff --git a/.github/workflows/warden.yml b/.github/workflows/warden.yml
new file mode 100644
index 0000000..89f9837
--- /dev/null
+++ b/.github/workflows/warden.yml
@@ -0,0 +1,29 @@
+name: Warden
+
+permissions:
+ contents: write
+ pull-requests: write
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened]
+
+jobs:
+ review:
+ runs-on: ubuntu-latest
+ env:
+ WARDEN_MODEL: ${{ secrets.WARDEN_MODEL }}
+ WARDEN_SENTRY_DSN: ${{ secrets.WARDEN_SENTRY_DSN }}
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ secrets.WARDEN_APP_ID }}
+ private-key: ${{ secrets.WARDEN_PRIVATE_KEY }}
+
+ - uses: getsentry/warden@v0
+ with:
+ anthropic-api-key: ${{ secrets.WARDEN_ANTHROPIC_API_KEY }}
+ github-token: ${{ steps.app-token.outputs.token }}
diff --git a/warden.toml b/warden.toml
index e49f255..04c64aa 100644
--- a/warden.toml
+++ b/warden.toml
@@ -1,12 +1,35 @@
 version = 1
-[defaults.output]
+[defaults]
 failOn = "high"
-commentOn = "medium"
+reportOn = "medium"
+ignorePaths = ["dist/**"]
-[[triggers]]
-name = "find-bugs"
-event = "pull_request"
+[[skills]]
+name = "notseer"
+paths = ["src/**/*.ts"]
+ignorePaths = ["src/**/*.test.ts"]
+
+[[skills.triggers]]
+type = "pull_request"
 actions = ["opened", "synchronize", "reopened"]
-skill = "find-bugs"
+
+[[skills]]
+name = "security-review"
 remote = "getsentry/sentry-skills"
+paths = ["src/**/*.ts"]
+ignorePaths = ["src/**/*.test.ts"]
+
+[[skills.triggers]]
+type = "pull_request"
+actions = ["opened", "synchronize", "reopened"]
+
+# TODO: enable once getsentry/warden#144 lands
+# [[skills]]
+# name = "warden-lint-judge"
+# remote = "getsentry/skills"
+# scope = "report"
+#
+# [[skills.triggers]]
+# type = "pull_request"
+# actions = ["opened", "synchronize", "reopened"]
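Review bot: The workflow-level `permissions` block gives the default GITHUB_TOKEN `contents: write` for every step, but the only token passed to the review step is the App token from `app-token`, and nothing visible here pushes commits. If Warden does not need it, narrow this to `contents: read`, and set `persist-credentials: false` under a `with:` on the `actions/checkout@v4` step so the job token is not left in the checkout's git config for the later third-party steps. All three `uses:` lines reference mutable tags, while `actions/create-github-app-token@v1` receives the App private key and `getsentry/warden@v0` receives the Anthropic key and the App token; pinning each to a full commit SHA, e.g. `- uses: getsentry/warden@<full-commit-sha>  # v0`, keeps a retagged release from running with those secrets.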
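Review bot: The `security-review` skill is scoped to `paths = ["src/**/*.ts"]`, so a pull request that only touches `.github/workflows/` or `warden.toml` itself gets no security pass, and those are the files that decide token permissions and which third-party code runs. Consider widening it, e.g. `paths = ["src/**/*.ts", ".github/workflows/**"]`, provided the skill copes with non-TypeScript input. The skill is also loaded from `remote = "getsentry/sentry-skills"` with no ref visible in this hunk, so its content may change between runs; if Warden's `remote` accepts a pinned ref, pin it and note that in a comment above the line.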