diff --git a/.github/workflows/check-restricted-files.yaml b/.github/workflows/check-restricted-files.yaml
new file mode 100644
index 0000000..2e54536
--- /dev/null
+++ b/.github/workflows/check-restricted-files.yaml
@@ -0,0 +1,38 @@
+name: check-restricted-files
+
+# Author: @ralfhandl
+# Issue: https://github.com/OAI/OpenAPI-Specification/issues/3432
+
+# This workflow fails if restricted files are changed in a pull request
+
+on:
+  pull_request:
+    paths:
+      - "versions/[0-9].[0-9].[0-9].md"
+
+jobs:
+  check-files:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5 # checkout repo content
+        with:
+          fetch-depth: 0
+
+      - name: Check changed files
+        shell: bash
+        run: |
+          if [[ "${{ github.event.pull_request.head.repo.full_name }}" == "OAI/Overlay-Specification" ]] && \
+             [[ "${{ github.event.pull_request.base.repo.full_name }}" == "OAI/Overlay-Specification" ]]; then
+
+            if [[ "${{ github.event.pull_request.head.ref }}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+-rel$ ]] && \
+               [[ "${{ github.event.pull_request.base.ref }}" == "main" ]]; then
+              echo Release from ${{ github.event.pull_request.head.ref }} to main
+              exit 0
+            fi
+          fi
+
+          echo This PR contains changes to files that should not be changed:
+          echo
+          git diff --compact-summary origin/${{ github.event.pull_request.base.ref }} origin/${{ github.event.pull_request.head.ref }} -- versions/[0-9].[0-9].[0-9].md
+
+          exit 1