diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 000000000..5f15ae2d0 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,84 @@ +name: CI + +on: + push: + branches: + - main + paths: + - 'app/**' + - '.github/workflows/**' + pull_request: + branches: + - main + paths: + - 'app/**' + - '.github/workflows/**' + +permissions: + contents: read + +jobs: + vet: + runs-on: ubuntu-24.04 + + strategy: + fail-fast: false + matrix: + go-version: ['1.25', '1.24'] + + defaults: + run: + working-directory: app + steps: + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + with: + go-version: ${{ matrix.go-version }} + cache: true + cache-dependency-path: app/go.sum + - run: go vet ./... + + test: + runs-on: ubuntu-24.04 + + strategy: + fail-fast: false + matrix: + go-version: ['1.25', '1.24'] + + defaults: + run: + working-directory: app + + steps: + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + with: + go-version: ${{ matrix.go-version }} + cache: true + cache-dependency-path: app/go.sum + - run: go test -race -count=1 ./... + + lint: + runs-on: ubuntu-24.04 + + strategy: + fail-fast: false + matrix: + go-version: ['1.25', '1.24'] + + defaults: + run: + working-directory: app + + steps: + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + with: + go-version: ${{ matrix.go-version }} + cache: true + cache-dependency-path: app/go.sum + - uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1 + with: + version: v2.5.0 + working-directory: app \ No newline at end of file 
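Review bot: None of the three jobs sets `timeout-minutes`, so a hung `go test` (the `-race` run in the `test` job is the likeliest candidate) or a stalled module download holds the runner until GitHub's default six-hour job limit; add `timeout-minutes: 10` under each `runs-on: ubuntu-24.04`, tuned to the observed run times. The `paths` filters on both triggers deserve a caveat: if `vet`, `test` and `lint` are made required status checks in the branch ruleset, a pull request that touches only files outside `app/` and `.github/workflows/` never runs them and stays blocked on checks that will never report, which `paths-ignore` or an unfiltered `pull_request` trigger avoids. The hardening already present (SHA-pinned actions, workflow-level `permissions: contents: read`, `cache-dependency-path: app/go.sum` keying the cache to the lockfile) is the right shape; note only that `version: v2.5.0` for golangci-lint is a release tag rather than a digest, so the linter binary is pinned only as strongly as that tag.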
diff --git a/submissions/image-1.png b/submissions/image-1.png
new file mode 100644
index 000000000..5878b3181
Binary files /dev/null and b/submissions/image-1.png differ
diff --git a/submissions/image-2.png b/submissions/image-2.png
new file mode 100644
index 000000000..a903274a6
Binary files /dev/null and b/submissions/image-2.png differ
diff --git a/submissions/image-3.png b/submissions/image-3.png
new file mode 100644
index 000000000..3ebb2491f
Binary files /dev/null and b/submissions/image-3.png differ
diff --git a/submissions/image.png b/submissions/image.png
new file mode 100644
index 000000000..80a52a1e4
Binary files /dev/null and b/submissions/image.png differ
diff --git a/submissions/lab3.md b/submissions/lab3.md
new file mode 100644
index 000000000..4bebe11dd
--- /dev/null
+++ b/submissions/lab3.md
@@ -0,0 +1,55 @@
+# Lab 3 submission
+
+# I CHOOSE GITHUB ACTIONS PATH
+
+## 1.2
+### a
+
+ubuntu-24.04 is a sertain, stable, LTS version of OS. It's been out for several years, therefore, tests've been done, vulnerabilities - fixed. This label will run the same OS every run. No random unknown changes. Meanwhile, ubuntu-latest can be changed to some new, not tested OS ad can break anything at any moment
+
+### b
+
+Split -> runs in paralel -> faster. Also, much more clear, as I can see, witch point caused failure. In united job afret first failure other checks woun't be done at all.
+
+### c
+
+An attacker can, possibly, change the version tag and make VM execude someone other's code. By pinning exact commit I make CI use exact checked commit, therefore there wouldn't be such vulnearbility.
+
+### d
+
+Permission shows what GH workflow can do with repository. Principle - least priveledge. It means, that is someone can do their job without some priveledge - this someone shouldn't have this priveledge.
+
+![branch rulset updated](image.png)
+
+## Bad commit screenshot
+
+![alt text](image-1.png)
+
+## Logs
+
+![alt text](image-3.png)
+
+## Fix commit screenshot
+
+![alt text](image-2.png)
+
+![link to good commit] (https://github.com/Long1Tail/DevOps-Intro/pull/3/changes/61ce79952dde9ed59597353acb487e23c208eb24)
+
+| Scenario | Wall-clock |
+|----------|------------|
+| Baseline | 39s |
+| With chache | 40s |
+| With matrix | 1.42s |
+
+I did the following optimisations:
+- caching
+- paralel execution
+
+### f
+Caching dependencies using a key derived from go.sum ensures deterministic and reproducible build environments by locking the exact dependency graph. In contrast, caching build artifacts is generally less reliable because the generated binaries may depend on the runner’s hardware, compiler version, or system configuration, making them unsafe to reuse across different environments.
+
+### g
+Setting fail-fast: false allows every job in the matrix to run to completion, even if some jobs fail, providing a complete view of all existing issues. By comparison, fail-fast: true is often preferable during active development or pull request validation, as it terminates the workflow after the first failure, reducing resource consumption and accelerating feedback.
+
+### h
+A potential security concern is cache poisoning, where an attacker attempts to inject malicious artifacts into a cache through a pull request. GitHub addresses this risk through strict cache isolation: workflows triggered by pull requests may read caches associated with the target branch, but they cannot create, modify, or overwrite caches belonging to protected branches.
\ No newline at end of file