diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
new file mode 100644
index 0000000..8675d4d
--- /dev/null
+++ b/.github/workflows/pre-commit.yml
@@ -0,0 +1,97 @@
+name: Pre-commit
+
+on:
+  workflow_call:
+    inputs:
+      python_version:
+        type: string
+        default: "3.13"
+      pre_commit_version:
+        type: string
+        default: "latest"
+      working_directory:
+        type: string
+        default: "."
+      cache_dependency_path:
+        type: string
+        default: ".pre-commit-config.yaml"
+      env:
+        description: >
+          Multiline env vars, one per line: KEY=VALUE
+        required: false
+        type: string
+        default: ""
+      pre_commit_command:
+        type: string
+        default: "pre-commit run --all-files --show-diff-on-failure"
+    secrets:
+      ssh_private_key:
+        required: false
+      ssh_known_hosts:
+        required: false
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    defaults:
+      run:
+        working-directory: ${{ inputs.working_directory }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Load env vars
+        if: ${{ inputs.env != '' }}
+        run: |
+          while IFS= read -r line; do
+            [ -z "$line" ] && continue
+            case "$line" in \#*) continue;; esac
+            if [[ "$line" != *=* ]]; then
+              echo "Invalid env line: $line" >&2
+              exit 1
+            fi
+            echo "$line" >> "$GITHUB_ENV"
+          done <<< "${{ inputs.env }}"
+
+      - name: Start ssh-agent
+        if: ${{ secrets.ssh_private_key != '' }}
+        uses: webfactory/ssh-agent@v0.9.0
+        with:
+          ssh-private-key: ${{ secrets.ssh_private_key }}
+
+      - name: Add SSH known hosts
+        if: ${{ secrets.ssh_known_hosts != '' }}
+        run: |
+          mkdir -p ~/.ssh
+          printf '%s\n' "${{ secrets.ssh_known_hosts }}" >> ~/.ssh/known_hosts
+          chmod 644 ~/.ssh/known_hosts
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ inputs.python_version }}
+
+      - name: Install pre-commit
+        env:
+          PRE_COMMIT_VERSION: ${{ inputs.pre_commit_version }}
+        run: |
+          python -m pip install --upgrade pip
+          if [ -z "$PRE_COMMIT_VERSION" ] || [ "$PRE_COMMIT_VERSION" = "latest" ]; then
+            python -m pip install pre-commit
+          else
+            python -m pip install "pre-commit==$PRE_COMMIT_VERSION"
+          fi
+
+      - name: Cache pre-commit
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pre-commit
+          key: pre-commit-${{ runner.os }}-${{ hashFiles(inputs.cache_dependency_path) }}
+          restore-keys: |
+            pre-commit-${{ runner.os }}-
+
+      - name: Run pre-commit
+        if: ${{ inputs.pre_commit_command != '' }}
+        run: ${{ inputs.pre_commit_command }}