diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000000..9bd6486042
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,60 @@
+name: Package builds
+on:
+ - merge_group
+ - push
+ - pull_request
+
+# Only build for latest push/PR unless it's main or release/
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.ref != 'refs/heads/main' && !startsWith( github.ref, 'refs/heads/release/' ) }}
+
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ build-debs:
+ strategy:
+ matrix:
+ build: [one, two]
+ runs-on: ubuntu-latest
+ outputs:
+ artifact_id: ${{ steps.upload.outputs.artifact-id }}
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
+ with:
+ python-version: '3.8'
+ - name: Build packages
+ run: |
+ ./builder/build-debs.sh
+ - uses: actions/upload-artifact@v4
+ id: upload
+ with:
+ name: build-${{ matrix.build }}
+ path: build
+ if-no-files-found: error
+
+ reproducible-debs:
+ runs-on: ubuntu-latest
+ container: debian:bookworm
+ needs:
+ - build-debs
+ steps:
+ - name: Install dependencies
+ run: |
+ apt-get update && apt-get install --yes diffoscope-minimal \
+ --no-install-recommends
+ - uses: actions/download-artifact@v4
+ with:
+ pattern: "build-*"
+ - name: diffoscope
+ run: |
+ find . -name '*.deb' -exec sha256sum {} \;
+ # FIXME: securedrop-app-code isn't reproducible
+ for pkg in ossec-agent ossec-server securedrop-config securedrop-keyring securedrop-ossec-agent securedrop-ossec-server
+ do
+ echo "Checking ${pkg}..."
+ diffoscope build-one/focal/${pkg}*.deb build-two/focal/${pkg}*.deb
+ done
diff --git a/devops/scripts/boot-strap-venv.sh b/devops/scripts/boot-strap-venv.sh
index 0ef192bfb1..1a4dacb17e 100755
--- a/devops/scripts/boot-strap-venv.sh
+++ b/devops/scripts/boot-strap-venv.sh
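Review bot: `.github/workflows/build.yml` declares no `permissions:` key, so both jobs run with whatever GITHUB_TOKEN scope the repository or organisation default grants, while `build-debs` executes `./builder/build-debs.sh` from the checked-out tree on every push and pull request. Nothing in these steps writes to the repository, so a top-level `permissions:` with `contents: read` would be enough, and `persist-credentials: false` under `actions/checkout@v4` would keep the token out of `.git/config` while the build script runs. The four `uses:` entries and `container: debian:bookworm` are referenced by mutable tags; pinning the actions to full commit SHAs and the image to a digest would keep a job meant to verify reproducibility from changing when an upstream tag is moved.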
@@ -51,7 +51,7 @@ function virtualenv_bootstrap() { then p=$(command -v "python${PYTHON_VERSION}" 2> /dev/null || command -v python3) echo "Creating ${p} virtualenv in ${VENV}" - virtualenv -p "${p}" "${VENV}" + "${p}" -m venv "${VENV}" fi PIP_CONSTRAINT=${DEV_CONSTRAINT} "${VENV}/bin/pip" install -q -r "securedrop/requirements/python3/develop-requirements.txt"
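Review bot: The new `"${p}" -m venv "${VENV}"` call depends on the interpreter's `venv` and `ensurepip` modules, which Debian and Ubuntu package separately as `python3-venv`, so on a host without it the command fails and can leave a partly populated `${VENV}` behind. The guard that decides whether to create the environment begins above the hunk; if it only tests for the directory, a rerun would presumably skip creation and go straight to `"${VENV}/bin/pip"`, which would then be missing. A check before creation, such as `"${p}" -c 'import venv, ensurepip' || { echo "python3-venv is required" >&2; return 1; }`, would fail early with a clear message. `virtualenv_bootstrap` starts and ends outside the hunk.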