diff --git a/.github/workflows/migrate.yml b/.github/workflows/migrate.yml
new file mode 100644
index 0000000..8a1c1cd
--- /dev/null
+++ b/.github/workflows/migrate.yml
@@ -0,0 +1,51 @@
+name: Validate RSA and Run Migrations
+
+on:
+ push:
+ branches: [ dev ]
+ workflow_dispatch: {}
+
+jobs:
+ migrate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Set up Go
+ uses: actions/setup-go@v4
+ with:
+ go-version: '1.20'
+
+ - name: Validate RSA_PRIVATE_KEY_BASE64 secret
+ env:
+ RSA_B64: ${{ secrets.RSA_PRIVATE_KEY_BASE64 }}
+ run: |
+ if [ -z "$RSA_B64" ]; then
+ echo "RSA_PRIVATE_KEY_BASE64 secret is missing. Add it in repository secrets." >&2
+ exit 1
+ fi
+ echo "$RSA_B64" > rsa_base64.txt
+ if ! base64 -d rsa_base64.txt > /tmp/key.pem 2>/dev/null; then
+ # try convert literal \n
+ printf '%b' "$RSA_B64" > /tmp/key.pem || true
+ fi
+ if ! openssl pkey -in /tmp/key.pem -noout -text >/dev/null 2>&1; then
+ echo "RSA private key is invalid" >&2
+ exit 1
+ fi
+
+ - name: Validate DATABASE_URL secret
+ if: ${{ always() }}
+ run: |
+ if [ -z "${{ secrets.DATABASE_URL }}" ]; then
+ echo "DATABASE_URL secret is missing. Set up your DB connection string in secrets." >&2
+ exit 1
+ fi
+
+ - name: Run migrations
+ env:
+ DATABASE_URL: ${{ secrets.DATABASE_URL }}
+ run: |
+ cd backend
+ go run ./cmd/manual_migrate
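Review bot: The RSA validation step writes the secret to `rsa_base64.txt` in the checked-out workspace and the decoded private key to `/tmp/key.pem`, and neither file is removed, so both are still on disk when `go run ./cmd/manual_migrate` executes later in the same job; nothing visible in the later steps reads them. Decoding from stdin into a `mktemp` file that an `EXIT` trap deletes keeps the validation without leaving key material behind. The DATABASE_URL check also expands `${{ secrets.DATABASE_URL }}` directly into the script text, so a connection string containing `"`, `$` or a backtick is parsed as shell rather than compared as data; passing it through `env:`, as the RSA step already does, avoids that. The indentation in the sketch below is conventional, since the page has lost the original.

```yaml
      # … unchanged: checkout, setup-go …
      - name: Validate RSA_PRIVATE_KEY_BASE64 secret
        env:
          RSA_B64: ${{ secrets.RSA_PRIVATE_KEY_BASE64 }}
        run: |
          # … unchanged: empty-secret check …
          umask 077
          key_file="$(mktemp)"
          # remove the decoded key when the step exits, on success or failure
          trap 'rm -f "$key_file"' EXIT
          if ! printf '%s' "$RSA_B64" | base64 -d > "$key_file" 2>/dev/null; then
            # try convert literal \n
            printf '%b' "$RSA_B64" > "$key_file" || true
          fi
          if ! openssl pkey -in "$key_file" -noout >/dev/null 2>&1; then
            # … unchanged: error message and exit 1 …
          fi

      - name: Validate DATABASE_URL secret
        if: ${{ always() }}
        env:
          DATABASE_URL: ${{ secrets.DATABASE_URL }}
        run: |
          if [ -z "$DATABASE_URL" ]; then
            # … unchanged: error message and exit 1 …
          fi
```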