diff --git a/.ci/.matrix_framework_fips.yml b/.ci/.matrix_framework_fips.yml
new file mode 100644
index 000000000..112004d1e
--- /dev/null
+++ b/.ci/.matrix_framework_fips.yml
@@ -0,0 +1,26 @@
+# this is a limited list of matrix builds to be used for PRs
+# see .jenkins_framework_full.yml for a full list
+FRAMEWORK:
+ - none
+ - django-5.0
+ - flask-3.0
+ - jinja2-3
+ - opentelemetry-newest
+ - opentracing-newest
+ - twisted-newest
+ - celery-5-flask-2
+ - celery-5-django-5
+ - requests-newest
+ - boto3-newest
+ - cassandra-newest
+ - psutil-newest
+ - gevent-newest
+ - aiohttp-newest
+ - tornado-newest
+ - starlette-newest
+ - graphene-2
+ - httpx-newest
+ - httplib2-newest
+ - prometheus_client-newest
+ - sanic-newest
+ - kafka-python-newest
diff --git a/.ci/.matrix_python_fips.yml b/.ci/.matrix_python_fips.yml
new file mode 100644
index 000000000..01cf811ac
--- /dev/null
+++ b/.ci/.matrix_python_fips.yml
@@ -0,0 +1,2 @@
+VERSION:
+ - python-3.12
diff --git a/.github/workflows/test-fips.yml b/.github/workflows/test-fips.yml
new file mode 100644
index 000000000..8608d082f
--- /dev/null
+++ b/.github/workflows/test-fips.yml
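Review bot: The two header comment lines of .ci/.matrix_framework_fips.yml describe a PR-only subset and point at `.jenkins_framework_full.yml`, which does not match what this file is used for — it is the framework axis the new FIPS workflow consumes through its `frameworks-file` input. I'd replace them with `# frameworks exercised by the FIPS 140 test workflow (.github/workflows/test-fips.yml)` and, if a full list lives elsewhere, name that file's actual path. The new .ci/.matrix_python_fips.yml in the next hunk has no comment at all; since the test job appears to pin its container image independently of this list, a one-liner such as `# python versions for the FIPS workflow; the container image tag is set separately in test-fips.yml` would stop a reader from assuming an entry here changes the image under test.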
@@ -0,0 +1,73 @@
+
+# run test suite inside a FIPS 140 container
+name: test-fips
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: '0 4 * * 1'
+ pull_request:
+ # FIXME: REMOVE ME
+
+permissions:
+ contents: read
+
+jobs:
+ create-matrix:
+ runs-on: ubuntu-24.04
+ outputs:
+ matrix: ${{ steps.generate.outputs.matrix }}
+ steps:
+ - uses: actions/checkout@v4
+ - id: generate
+ uses: elastic/oblt-actions/version-framework@v1
+ with:
+ versions-file: .ci/.matrix_python_fips.yml
+ frameworks-file: .ci/.matrix_framework_fips.yml
+
+ test-fips:
+ needs: create-matrix
+ runs-on: ubuntu-24.04
+ # https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container
+ # docker run -it --rm --name fipsy docker.elastic.co/wolfi/python-fips:3.12
+ container:
+ image: docker.elastic.co/wolfi/python-fips:3.12-dev
+ options: --user root
+ credentials:
+ username: ${{ secrets.ELASTIC_DOCKER_USERNAME }}
+ password: ${{ secrets.ELASTIC_DOCKER_PASSWORD }}
+ timeout-minutes: 30
+ strategy:
+ fail-fast: false
+ max-parallel: 10
+ matrix: ${{ fromJSON(needs.create-matrix.outputs.matrix) }}
+ steps:
+ - uses: actions/checkout@v4
+ - name: check that python has fips mode enabled
+ run: |
+ python3 -c 'import _hashlib; assert _hashlib.get_fips_mode() == 1'
+ - run: |
+ python3 -c 'from zoneinfo import ZoneInfo ; assert ZoneInfo("America/Chicago")'
+ - name: install run_tests.sh requirements
+ run: apk install netcat-openbsd
+ - name: Run tests
+ run: ./tests/scripts/run_tests.sh
+ env:
+ FRAMEWORK: ${{ matrix.framework }}
+
+ notify-on-failure:
+ if: always()
+ runs-on: ubuntu-24.04
+ needs: test-fips
+ steps:
+ - id: check
+ uses: elastic/oblt-actions/check-dependent-jobs@v1
+ with:
+ jobs: ${{ toJSON(needs) }}
+ - name: Notify in Slack
+ if: steps.check.outputs.status == 'failure'
+ uses: elastic/oblt-actions/slack/notify-result@v1
+ with:
+ bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+ status: ${{ steps.check.outputs.status }}
+ channel-id: 
"#apm-agent-python"
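Review bot: The `install run_tests.sh requirements` step runs `apk install netcat-openbsd`, but apk's subcommand for installing packages is `add`; unless the image's apk-tools happens to accept `install` as an alias, this step fails before the suite runs, so it should read `run: apk add netcat-openbsd`. The test-fips job reads only `matrix.framework` while the container image is hardcoded to `python-fips:3.12-dev`, so if the version-framework action also emits a version axis, a second entry in .matrix_python_fips.yml would re-run the same 3.12 image rather than test another version — a comment next to `image:` saying the Python version is pinned there would make that explicit. The second shell step has no `name`; something like `- name: check that zoneinfo/tzdata is usable in the image` (presumably what the `ZoneInfo("America/Chicago")` assertion is for) would make its failure self-explanatory in the job log. All four actions are referenced by mutable tags (`@v4`, `@v1`); pinning each to a full commit SHA with the tag in a trailing comment gives this workflow, which is handed registry credentials and a Slack bot token, a fixed supply chain.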