diff --git a/.github/workflows/toc-tou.yml b/.github/workflows/toc-tou.yml
new file mode 100644
index 000000000..403f34758
--- /dev/null
+++ b/.github/workflows/toc-tou.yml
@@ -0,0 +1,58 @@
+name: TOCTOU Pattern
+on:
+  pull_request_target:
+    types: [labeled]
+
+permissions: {} # No permissions by default
+
+jobs:
+  vulnerable-pattern:
+    # DO NOT USE THIS PATTERN - It is vulnerable to TOCTOU
+    if: github.event.label.name == 'approved'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Wait for demo purposes
+        run: |
+          echo "Waiting 2 minutes to allow push of new commit..."
+          sleep 120
+
+      # VULNERABLE: Could get different code than what was approved
+      - name: Checkout PR (Vulnerable)
+        run: |
+          gh pr checkout ${{ github.event.pull_request.number }}
+          # Show what we got
+          echo "Commit we got:"
+          git rev-parse HEAD
+          echo "Content of README.md:"
+          cat README.md
+
+  secure-pattern:
+    # USE THIS PATTERN - It is secure against TOCTOU
+    if: github.event.label.name == 'approved'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Wait for demo purposes
+        run: |
+          echo "Waiting 2 minutes to allow push of new commit..."
+          sleep 120
+
+      # SECURE: Gets exactly the code that was approved
+      - name: Checkout PR (Secure)
+        run: |
+          gh pr checkout ${{ github.event.pull_request.number }} --commit ${{ github.event.pull_request.head.sha }}
+
+          # Show what we got
+          echo "Commit we got:"
+          git rev-parse HEAD
+          echo "Content of README.md:"
+          cat README.md
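Review bot: The "Checkout PR (Secure)" step pins the approved commit through a `--commit` flag on `gh pr checkout` that I cannot find in the gh CLI documentation, so as written the secure job likely fails on argument parsing rather than demonstrating the pinned checkout; the conventional and documented way to pin the label-time SHA is `actions/checkout@v4` with `with:` / `ref: ${{ github.event.pull_request.head.sha }}`, which also works for fork PRs with `contents: read`. Both `gh pr checkout` steps also run without `GH_TOKEN` in the step or job `env`, and in Actions `gh` does not authenticate automatically from `GITHUB_TOKEN`, so the vulnerable job would fail before it can show the unpinned checkout; add `env:` / `GH_TOKEN: ${{ github.token }}` to each `gh` step. Worth a comment next to `pull_request_target:` that `head.sha` in the event payload is the PR head at the moment the label was applied, which is exactly why pinning to it closes the TOCTOU window while `gh pr checkout <number>` re-resolves the branch tip at run time.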