diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index d1d9082c610..d54df222cd1 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -611,6 +611,8 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/pr-codeql-analysis-python.yml @DanCech
 /.github/workflows/pr-commands-closed.yml @tolzhabayev
 /.github/workflows/pr-commands.yml @marefr
+/.github/workflows/pr-security-patch-check.yml @grafana/grafana-delivery
+/.github/workflows/pr-security-patch-mirror-and-apply.yml @grafana/grafana-delivery
 /.github/workflows/publish-technical-documentation-next.yml @grafana/docs-grafana
 /.github/workflows/publish-technical-documentation-release.yml @grafana/docs-grafana
 /.github/workflows/remove-milestone.yml @grafana/grafana-delivery
diff --git a/.github/workflows/pr-security-patch-check.yml b/.github/workflows/pr-security-patch-check.yml
new file mode 100644
index 00000000000..ff61ed2e2a7
--- /dev/null
+++ b/.github/workflows/pr-security-patch-check.yml
@@ -0,0 +1,24 @@
+# Owned by grafana-delivery-squad
+# Intended to be dropped into the base repo Ex: grafana/grafana
+name: Check for security patch conflicts
+run-name: check-security-patch-conflicts-${{ github.base_ref }}-${{ github.head_ref }}
+on:
+  pull_request_target:
+    types:
+      - opened
+    branches:
+      - "main"
+      - "v*.*.*"
+      - "release-*"
+
+# Since this is run on a pull request, we want to apply the patches intended for the
+# target branch onto the source branch, to verify compatibility before merging.
+jobs:
+  trigger_downstream_patch_check:
+    uses: grafana/security-patch-actions/.github/workflows/test-patches.yml@main
+    with:
+      src_repo: "${{ github.repository }}"
+      src_ref: "${{ github.head_ref }}" # this is the source branch name, Ex: "feature/newthing"
+      patch_repo: "${{ github.repository }}-security-patches"
+      patch_ref: "${{ github.base_ref }}" # this is the target branch name, Ex: "main"
+    secrets: inherit
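Review bot: The check job passes `src_ref: "${{ github.head_ref }}"` together with `src_repo: "${{ github.repository }}"`, so for a pull request opened from a fork the downstream test-patches workflow is pointed at a branch name in the base repository that either does not exist or is an unrelated branch that happens to share the name; the ref actually lives in `github.event.pull_request.head.repo.full_name`. Either pass the head repository as `src_repo` or gate the job with `if: github.event.pull_request.head.repo.full_name == github.repository` so fork PRs are skipped explicitly instead of failing obscurely. Because this runs on `pull_request_target` with `secrets: inherit`, whether the downstream workflow checks out or executes anything from the PR head cannot be seen from here and should be confirmed before fork refs are fed to it. Separately, `types: [opened]` means later pushes to the PR are never re-checked; adding `synchronize` and `reopened` keeps the conflict check current with what will actually be merged.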
diff --git a/.github/workflows/pr-security-patch-mirror-and-apply.yml b/.github/workflows/pr-security-patch-mirror-and-apply.yml
new file mode 100644
index 00000000000..6359e4c9dce
--- /dev/null
+++ b/.github/workflows/pr-security-patch-mirror-and-apply.yml
@@ -0,0 +1,26 @@
+# Owned by grafana-delivery-squad
+# Intended to be dropped into the base repo, Ex: grafana/grafana
+name: Sync to security mirror
+run-name: sync-to-security-mirror-${{ github.base_ref }}-${{ github.head_ref }}
+on:
+  pull_request_target:
+    types:
+      - closed
+    branches:
+      - "main"
+      - "v*.*.*"
+      - "release-*"
+
+# This is run after the pull request has been merged, so we'll run against the target branch
+jobs:
+  trigger_downstream_security_mirror:
+    concurrency: security-mirror-${{ github.ref }}
+    if: github.event.pull_request.merged == true
+    uses: grafana/security-patch-actions/.github/workflows/mirror-branch-and-apply-patches.yml@main
+    with:
+      ref: "${{ github.base_ref }}" # this is the target branch name, Ex: "main"
+      src_repo: "${{ github.repository }}"
+      dest_repo: "${{ github.repository }}-security-mirror"
+      patch_repo: "${{ github.repository }}-security-patches"
+    secrets: inherit
+
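Review bot: The reusable workflow is referenced by a mutable branch, `uses: grafana/security-patch-actions/.github/workflows/mirror-branch-and-apply-patches.yml@main`, while the job inherits every repository secret and pushes to the security mirror after each merge; whatever is next pushed to that branch in the action repository runs here with those secrets without any review in this repository. Pinning to a tag or a full commit SHA with the version noted alongside, e.g. `@<commit-sha> # vX.Y` (placeholder), makes what executes with the secrets reviewable and bumpable on purpose, and the same applies to `test-patches.yml@main` in pr-security-patch-check.yml. The `concurrency: security-mirror-${{ github.ref }}` group resolves to the base branch ref on `pull_request_target`, which matches the comment's intent of serialising syncs per target branch; a short comment stating that, `# github.ref is the base branch on pull_request_target, so syncs are serialised per target branch`, would save the next reader a trip to the event docs.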