diff --git a/.github/workflows/coverity-scan.yml b/.github/workflows/coverity-scan.yml
new file mode 100644
index 00000000..2f012ab2
--- /dev/null
+++ b/.github/workflows/coverity-scan.yml
@@ -0,0 +1,122 @@
+#                          __  __            _
+#                       ___\ \/ /_ __   __ _| |_
+#                      / _ \\  /| '_ \ / _` | __|
+#                     |  __//  \| |_) | (_| | |_
+#                      \___/_/\_\ .__/ \__,_|\__|
+#                               |_| XML parser
+#
+# Copyright (c) 2025 Sebastian Pipping <sebastian@pipping.org>
+# Licensed under the MIT license:
+#
+# Permission is  hereby granted,  free of charge,  to any  person obtaining
+# a  copy  of  this  software   and  associated  documentation  files  (the
+# "Software"),  to  deal in  the  Software  without restriction,  including
+# without  limitation the  rights  to use,  copy,  modify, merge,  publish,
+# distribute, sublicense, and/or sell copies of the Software, and to permit
+# persons  to whom  the Software  is  furnished to  do so,  subject to  the
+# following conditions:
+#
+# The above copyright  notice and this permission notice  shall be included
+# in all copies or substantial portions of the Software.
+#
+# THE  SOFTWARE  IS  PROVIDED  "AS  IS",  WITHOUT  WARRANTY  OF  ANY  KIND,
+# EXPRESS  OR IMPLIED,  INCLUDING  BUT  NOT LIMITED  TO  THE WARRANTIES  OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+# NO EVENT SHALL THE AUTHORS OR  COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+# DAMAGES OR  OTHER LIABILITY, WHETHER  IN AN  ACTION OF CONTRACT,  TORT OR
+# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+# USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+name: Upload build to Coverity Scan
+
+on:
+  push:
+    branches:
+      - master
+  schedule:
+    - cron: '0 2 * * 5'  # Every Friday at 2am
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  coverity_scan_upload:
+    name: Upload build to Coverity Scan
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      with:
+        # The next two lines ensure clean and public-only submissions
+        repository: libexpat/libexpat
+        ref: master
+        # This will allow to do "git describe --tags" further done
+        fetch-depth: 0
+
+    - name: Determine version string
+      id: determine_version
+      run: |-
+        set -x
+        tee    "${GITHUB_OUTPUT}" <<< "version=$(git describe --tags | sed -e 's,^R_,,' -e 's,_,.,g')"
+        tee -a "${GITHUB_OUTPUT}" <<< "git_commit=$(git rev-parse HEAD)"
+
+    - name: Install Clang 19
+      run: |-
+        set -x
+        source /etc/os-release
+        wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add -
+        sudo add-apt-repository "deb https://apt.llvm.org/${UBUNTU_CODENAME}/ llvm-toolchain-${UBUNTU_CODENAME}-19 main"
+        sudo apt-get update  # due to new repository
+        sudo apt-get install --yes --no-install-recommends -V \
+            clang-19 \
+            libclang-rt-19-dev \
+            llvm-19
+        echo /usr/lib/llvm-19/bin >>"${GITHUB_PATH}"
+
+    - name: Install build dependencies
+      run: |-
+        set -x
+        sudo apt-get install --yes --no-install-recommends -V \
+            libprotobuf-dev \
+            protobuf-compiler
+
+    - name: Configure using CMake
+      run: |
+        set -x -o pipefail
+
+        type -P clang clang++
+        clang --version | head -n1
+        clang++ --version | head -n1
+
+        cd expat/
+        args=(
+            -DEXPAT_BUILD_DOCS=OFF
+            -DEXPAT_BUILD_FUZZERS=ON
+
+            # Tune compilation of fuzzers to (1) pass all sanity checks from
+            # CMakeLists.txt (that e.g. require use of fuzzers with sanitizers)
+            # and (2) ideally speed up compilation since no machine or human
+            # will be running the binaries we build for nothing but Coverity:
+            -DCMAKE_C_COMPILER=clang
+            -DCMAKE_CXX_COMPILER=clang++
+            -DCMAKE_{C,CXX}_FLAGS='-O1 -g -fsanitize=address'
+            -DCMAKE_{EXE,MODULE,SHARED}_LINKER_FLAGS='-g -fsanitize=address'
+        )
+        cmake "${args[@]}" -S . -B .
+
+    - uses: vapier/coverity-scan-action@2068473c7bdf8c2fb984a6a40ae76ee7facd7a85  # v1.8.0
+      with:
+        email: ${{ secrets.COVERITY_SCAN_EMAIL }}
+        token: ${{ secrets.COVERITY_SCAN_TOKEN }}
+        command: make VERBOSE=1
+        working-directory: "${{ github.workspace }}/expat"
+        version: "${{ steps.determine_version.outputs.version }}"
+        # NOTE: The commit here is not necessarily the same as ${{ github.sha }} that triggered the action.
+        description: "coverity-scan-action libexpat/libexpat / ${{ steps.determine_version.outputs.git_commit }}"
+
+    - name: Offer analysis tarball for inspection
+      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08  # v4.6.0
+      with:
+        name: expat_coverity_scan_upload_${{ github.sha }}
+        path: expat/cov-int.tgz
+        if-no-files-found: error