diff --git a/.github/workflows/validate-sync-diffs.yaml b/.github/workflows/validate-sync-diffs.yaml
new file mode 100644
index 0000000..42fd94a
--- /dev/null
+++ b/.github/workflows/validate-sync-diffs.yaml
@@ -0,0 +1,29 @@
+name: "Validate sync diffs"
+on:
+  pull_request:
+    branches:
+      - main
+  push: {}
+
+jobs:
+  check:
+    name: "Check sync.sh was called"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Download vendir
+        uses: giantswarm/install-binary-action@v3
+        with:
+          binary: "vendir"
+          version: "0.40.2"
+          download_url: "https://github.com/carvel-dev/vendir/releases/download/v${version}/vendir-linux-amd64"
+          smoke_test: "${binary} --version"
+
+      - name: Run sync.sh
+        run: |
+          ./sync/sync.sh
+      - name: Check there is no diff
+        run: |
+          git diff --exit-code
diff --git a/README.md b/README.md
index f164e3d..d56f1c2 100644
--- a/README.md
+++ b/README.md
@@ -63,6 +63,10 @@ Not following these limitations will most likely result in a broken deployment.
 
 - The [Gateway API App](https://github.com/giantswarm/gateway-api-app) needs to be deployed beforehand.
 
+## Development
+
+Information about chart and version development can be found in [sync/README.md](https://github.com/giantswarm/envoy-gateway-app/blob/main/sync/README.md).
+
 ## Credit
 
 - https://github.com/envoyproxy/gateway
diff --git a/sync/patches/README.md b/sync/patches/README.md
deleted file mode 100644
index 0d8ab20..0000000
--- a/sync/patches/README.md
+++ /dev/null
@@ -1,30 +0,0 @@
-# Patches
-
-### image-registry
-
-- Adapt image templating to use the `image.registry` value.
-- Set `image.registry` as the `gsoci.azurecr.io`.
-- Use `name` instead of `repository` as image name.
-
-### team-label
-
-- Include team label in `eg.labels` template function.
-
-### values
-
-- Add GS values
-- Add values.schema.json.
-- Set resources requests and limits for certgen Job.
-
-TODO: 
-- Generate values.schema.json in sync.sh
-- Discuss with upstream to include as default values.
-
-### pss-comply
-
-- Add `readOnlyRootFilesystem=true` to container SecurityContext.
-- Add `seccompProfile.type=RuntimeDefault` to SecurityContext.
-- Drop ALL capabilities.
-
-TODO: Push to upstream as default or make it configurable through values.
-