diff --git a/.github/workflows/database.yml b/.github/workflows/database.yml
new file mode 100644
index 0000000000..d3405c9198
--- /dev/null
+++ b/.github/workflows/database.yml
@@ -0,0 +1,100 @@
+---
+name: Validate Database
+
+on:
+  push:
+    branches-ignore:
+      - 'l10n_master'
+      - 'gh-pages'
+    paths:
+      - 'src/Sql/**'
+      - 'util/Migrator/**'
+  workflow_dispatch:
+    inputs: {}
+
+jobs:
+  build:
+    name: Build DACPAC
+    runs-on: windows-2022
+    env:
+      NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages
+    steps:
+      - name: Set up dotnet
+        uses: actions/setup-dotnet@9211491ffb35dd6a6657ca4f45d43dfe6e97c829
+        with:
+          dotnet-version: '6.0.x'
+      - name: Set up MSBuild
+        uses: microsoft/setup-msbuild@ab534842b4bdf384b8aaf93765dc6f721d9f5fab
+
+      - name: Print environment
+        run: |
+          dotnet --info
+          msbuild -version
+          nuget help | grep Version
+          echo "GitHub ref: $GITHUB_REF"
+          echo "GitHub event: $GITHUB_EVENT"
+
+      - name: Checkout repo
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+
+      - name: Build DACPAC
+        run: msbuild src/Sql/Sql.sqlproj /p:Configuration=Release /verbosity:minimal
+        shell: pwsh
+
+      - name: Upload DACPAC
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+        with:
+          name: sql.dacpac
+          path: src/Sql/bin/Release/Sql.dacpac
+
+  validate:
+    name: Validate
+    runs-on: ubuntu-20.04
+    needs: build
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+
+      - name: Download dacpac
+        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+        with:
+          name: sql.dacpac
+
+      - name: Docker Compose up
+        working-directory: "dev"
+        run: |
+          cp .env.example .env
+          docker compose --profile mssql up -d
+        shell: pwsh
+
+      - name: Migrate
+        working-directory: "dev"
+        run: "pwsh ./migrate.ps1"
+        shell: pwsh
+
+      - name: Diff sqlproj to migrations
+        run: /usr/local/sqlpackage/sqlpackage /action:DeployReport /SourceFile:"Sql.dacpac" /TargetConnectionString:"Server=localhost;Database=vault_dev;User Id=SA;Password=SET_A_PASSWORD_HERE_123;Encrypt=True;TrustServerCertificate=True;" /OutputPath:"report.xml" /p:IgnoreColumnOrder=True /p:IgnoreComments=True
+        shell: pwsh
+
+      - name: Upload Report
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+        with:
+          name: report.xml
+          path: report.xml
+
+      - name: Validate XML
+        run: |
+          if grep -q "<Operations>" "report.xml"; then
+             echo
+             echo "Migrations are out of sync with sqlproj!"
+             exit 1
+           else
+             echo "Report looks good"
+           fi
+        shell: bash
+
+      - name: Docker compose down
+        if: ${{ always() }}
+        working-directory: "dev"
+        run: docker compose down
+        shell: pwsh
diff --git a/dev/migrate.ps1 b/dev/migrate.ps1
index 46a2aa4122..52a622eba7 100755
--- a/dev/migrate.ps1
+++ b/dev/migrate.ps1
@@ -13,6 +13,5 @@ docker run `
   --env-file .env `
   --network=bitwardenserver_default `
   --rm `
-  -it `
   mcr.microsoft.com/mssql-tools `
   /mnt/helpers/run_migrations.sh @args