diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index bba2a01..07befd0 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -17,9 +17,12 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      - id: goversion
+        run: echo "goversion=$(cat .go-version)" >> "$GITHUB_OUTPUT"
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: 1.21.8
+          go-version: ${{ steps.goversion.outputs.goversion }}
       - uses: actions/checkout@v4
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v6
diff --git a/.github/workflows/govuln.yaml b/.github/workflows/govuln.yaml
new file mode 100644
index 0000000..7d1ce95
--- /dev/null
+++ b/.github/workflows/govuln.yaml
@@ -0,0 +1,19 @@
+---
+name: Go Vulnerability Checker
+on: [push, pull_request]
+permissions: read-all
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      - id: goversion
+        run: echo "goversion=$(cat .go-version)" >> "$GITHUB_OUTPUT"
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        with:
+          go-version: ${{ steps.goversion.outputs.goversion }}
+      - run: date
+      - run: |
+          set -euo pipefail
+
+          go install golang.org/x/vuln/cmd/govulncheck@latest && govulncheck ./...
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 79b5d39..bf838c8 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -17,9 +17,11 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-go@v5
+      - id: goversion
+        run: echo "goversion=$(cat .go-version)" >> "$GITHUB_OUTPUT"
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: 1.21.8
+          go-version: ${{ steps.goversion.outputs.goversion }}
       - uses: actions/checkout@v4
       - name: tests
         run: |
diff --git a/.go-version b/.go-version
new file mode 100644
index 0000000..ae7bbdf
--- /dev/null
+++ b/.go-version
@@ -0,0 +1 @@
+1.21.10
diff --git a/go.mod b/go.mod
index 73dc63f..e4dcdc5 100644
--- a/go.mod
+++ b/go.mod
@@ -2,6 +2,8 @@ module go.etcd.io/gofail
 
 go 1.21
 
+toolchain go1.21.10
+
 require github.com/stretchr/testify v1.9.0
 
 require (