diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 000000000..d69a1c1dd --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,18 @@ +## Goal +Complete Lab 1 requirements for DevOps Foundations. + +## Changes +- Added submissions/lab1.md +- Configured SSH commit signing +- Added PR template + +## Testing +- Ran QuickNotes locally +- Tested /health endpoint +- Tested /notes endpoint +- Tested POST /notes endpoint + +## Checklist +- [x] Title is a clear sentence (≤ 70 chars) +- [x] Commits are signed (`git log --show-signature`) +- [x] `submissions/labN.md` updated \ No newline at end of file diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 000000000..e306149eb --- /dev/null +++ b/.github/workflows/ci.yml 
@@ -0,0 +1,62 @@ +name: CI + +on: + push: + branches: + - main + + pull_request: + branches: + - main + +permissions: + contents: read + +jobs: + + vet: + runs-on: ubuntu-24.04 + + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + with: + go-version: '1.24' + + - name: Go Vet + working-directory: app + run: go vet ./... + + test: + runs-on: ubuntu-24.04 + + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.2.2 + + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + with: + go-version: '1.24' + + - name: Go Test + working-directory: app + run: go test -race -count=1 ./... + + lint: + runs-on: ubuntu-24.04 + + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.2.2 + + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + with: + go-version: '1.24' + + - name: Install golangci-lint + run: | + curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $HOME/bin v2.5.0 + + - name: Lint + working-directory: app + run: | + $HOME/bin/golangci-lint run \ No newline at end of file diff --git a/submissions/lab3.md b/submissions/lab3.md new file mode 100644 index 000000000..909408ff9 --- /dev/null +++ b/submissions/lab3.md 
@@ -0,0 +1,55 @@ +# Lab 3 Submission + +## Path +GitHub Actions + +I selected GitHub Actions because I have access to GitHub and it provides integrated PR checks. + +## CI run +Green CI run: +https://github.com/darknesod1-netizen/DevOps-Outro/actions/runs/27643947370/job/81750915744 + +## Failed run evidence +I intentionally introduced a failing change to verify the PR gate behavior. +The failed run was fixed by reverting the breaking change. + +Failed run: +https://github.com/darknesod1-netizen/DevOps-Outro/actions/runs/27644857962/job/81754022138 + +Fix commit: +544e445 + +## Branch protection +Screenshot attached in PR/submission. + +## Task 1 Design Questions + +### a) Why pin ubuntu-24.04 instead of ubuntu-latest? +Pinning prevents unexpected runner changes. ubuntu-latest can move to a newer OS image and introduce breaking changes. + +### b) Why split vet, test and lint? +Separate jobs allow independent failures and parallel execution. With one combined job it is harder to identify failures and debugging takes longer. + +### c) What does SHA pinning prevent? +SHA pinning protects against supply-chain attacks where a dependency action tag is moved to malicious code. Example: tj-actions/changed-files incident in March 2025. + +### d) What is permissions? +permissions defines the GitHub token access level. Least privilege means only granting the access required, such as contents: read. + +## Task 2 + +Not completed due to time constraints. + +I completed the PR gate pipeline with vet, test, and lint jobs. +The remaining optimizations (Go cache, matrix testing, and path filtering) were not implemented. + +## Task 2 Design Questions + +### f) Why cache go.sum-keyed inputs and not build outputs? +Caching dependency inputs is safer because dependencies are deterministic based on go.sum. Build outputs may depend on environment and toolchain details. + +### g) What does fail-fast false change? +fail-fast false allows all matrix jobs to finish and report their results. 
fail-fast true is useful when saving CI time is more important than seeing all failures. + +### h) What is the risk of cache poisoning? +An attacker could attempt to put malicious data into a cache that later trusted builds use. CI systems isolate caches and restrict cache usage to reduce this risk. \ No newline at end of file
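Review bot: In .github/pull_request_template.md the body is one PR's description, not a template. The Goal and Changes sections are filled in for Lab 1, and all three checklist items ship already ticked, so every future PR opens asserting `- [x] Commits are signed` before the author has verified anything. Replace the filled-in sections with short prompts, leave the checklist as `- [ ]`, and end the file with a newline.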
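Review bot: In .github/workflows/ci.yml the `vet` job pins actions/checkout to `11bd71901bbe5b1630ceea73d27597364c9af683` while `test` and `lint` pin it to `b4ffde65f46336ab88eb53be808477a3936bae11`, yet all three lines are commented `# v4.2.2`. Two different commits cannot be the same tag, so at least one comment is wrong and the jobs are not running the same checkout code. Resolve the tag to its commit once and use that SHA in all three jobs. Separately, the "Install golangci-lint" step pipes `install.sh` from the `master` branch straight into `sh`, a mutable ref that reintroduces the risk the SHA pins are there to remove. Fetch the script at a fixed commit, or download the v2.5.0 release artifact and verify its checksum before running it. Quote the path as `"$HOME/bin"` in both steps.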
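Review bot: In submissions/lab3.md the "Branch protection" section contains only "Screenshot attached in PR/submission", so the file itself gives no record of what gates `main`. Write the rule out as text, naming which status checks are required and whether direct pushes are blocked, so it can be compared against the job names in ci.yml. Two smaller points in the same file: the fix commit is given only as the abbreviated `544e445`, where a full hash or commit link would be unambiguous, and the design-question lettering jumps from d) to f) with no e).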