diff --git a/.ansible-lint b/.ansible-lint
index 64705b6c..69849218 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -7,6 +7,8 @@ skip_list:
 - jinja
 exclude_paths:
+ - meta/main.yml # https://github.com/ansible/ansible-lint/issues/4387
+ - molecule
 - molecule/_tests/
 - examples/
 - tests/
diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml
new file mode 100644
index 00000000..d46f5772
--- /dev/null
+++ b/.github/workflows/ansible-lint.yml
@@ -0,0 +1,17 @@
+---
+name: Ansible Lint
+on:
+ push:
+ tags_ignore:
+ - '*'
+ pull_request:
+jobs:
+ run:
+ runs-on: ubuntu-20.04
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Run ansible-lint
+ uses: ansible/ansible-lint@main
+ with:
+ requirements_file: molecule/requirements.yml
diff --git a/.yamllint b/.yamllint
deleted file mode 100644
index cf58a015..00000000
--- a/.yamllint
+++ /dev/null
@@ -1,9 +0,0 @@
----
-extends: default
-
-rules:
- truthy:
- allowed-values: ['true', 'false', 'on']
- check-keys: true
- line-length:
- max: 180
diff --git a/defaults/main.yml b/defaults/main.yml
index ab5432c8..5d65a201 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -6,7 +6,8 @@
 # ---------------------------------------------------------------------------
 # Package variables
-vault_version: "{{ lookup('env', 'VAULT_VERSION') | default('1.5.5', true) }}{{ '+prem' if vault_enterprise_premium else '' }}{{ '.hsm' if vault_enterprise_premium_hsm else '' }}"
+vault_version_suffix: "{{ '+prem' if vault_enterprise_premium else '' }}{{ '.hsm' if vault_enterprise_premium_hsm else '' }}"
+vault_version: "{{ lookup('env', 'VAULT_VERSION') | default('1.5.5', true) }}{{ vault_version_suffix }}"
 vault_architecture_map:
 # this first entry seems... redundant (but it's required for reasons)
 amd64: amd64
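Review bot: The new `- molecule` entry in exclude_paths already covers the existing `- molecule/_tests/` line, so that narrower entry is now dead and one of the two should go. Excluding the whole molecule tree also takes the scenario playbooks and `molecule/requirements.yml` out of linting, which is the same file the new workflow feeds to ansible-lint, so the role's own test scenarios are no longer checked. The `meta/main.yml` exclusion is justified by a linked issue; if the blanket molecule exclusion is a similar workaround, a short comment on that line such as `# TODO: narrow back to molecule/_tests/ once the scenarios lint cleanly` would keep it from becoming permanent.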
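Review bot: `uses: ansible/ansible-lint@main` in the new workflow pulls whatever that branch contains at run time, so the code executed on every pull request is neither pinned nor reviewable, unlike `actions/checkout@v4` two lines above; pin it to a release tag or a full commit SHA, e.g. `uses: ansible/ansible-lint@<pinned tag or SHA>`. The workflow also sets no `permissions:` block, so the job token gets the repository's default scope; a top-level `permissions:` with `contents: read` is all checkout and lint need. `runs-on: ubuntu-20.04` names an image that, as far as I know, GitHub has retired from hosted runners, so `ubuntu-latest` or another currently supported image is likely required for the job to be scheduled.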
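Review bot: `vault_version_suffix` is introduced as a new public role default without a comment, in a section where the other entries sit under a "Package variables" heading, so a user cannot tell whether it is meant to be overridden or is only an internal helper for `vault_version`; a one-line comment above it, `# Edition suffix appended to vault_version ('+prem' and/or '.hsm'); empty for the OSS build`, would settle that. As written, `'+prem'` and `'.hsm'` are chosen independently from `vault_enterprise_premium` and `vault_enterprise_premium_hsm`, so `.hsm` alone is a reachable value; this is inherited from the removed line, but if that combination is not a real package name the extracted variable is the natural place to document or guard it.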
@@ -126,7 +127,8 @@ vault_backend_gcs: vault_backend_gcs.j2
 vault_cluster_disable: false
 vault_cluster_address: "{{ hostvars[inventory_hostname]['ansible_' + vault_iface]['ipv4']['address'] }}:{{ (vault_port | int) + 1 }}"
 vault_cluster_addr: "{{ vault_protocol }}://{{ vault_cluster_address }}"
-vault_api_addr: "{{ vault_protocol }}://{{ vault_redirect_address | default(hostvars[inventory_hostname]['ansible_' + vault_iface]['ipv4']['address']) }}:{{ vault_port }}"
+vault_api_addr: "{{ vault_protocol }}://{{ vault_redirect_address |
+ default(hostvars[inventory_hostname]['ansible_' + vault_iface]['ipv4']['address']) }}:{{ vault_port }}"
 vault_disable_api_health_check: false
 vault_max_lease_ttl: "768h"
@@ -213,7 +215,8 @@ vault_raft_cluster_members: |
 {
 "peer": "{{ server }}",
 "api_addr": "{{ hostvars[server]['vault_api_addr'] |
- default(vault_protocol + '://' + hostvars[server]['ansible_' + hostvars[server]['ansible_default_ipv4']['interface']]['ipv4']['address'] + ':' + (vault_port|string)) }}"
+ default(vault_protocol + '://' +
+ hostvars[server]['ansible_' + hostvars[server]['ansible_default_ipv4']['interface']]['ipv4']['address'] + ':' + (vault_port|string)) }}"
 },
 {% endfor %}
 ]
diff --git a/tasks/backend_tls.yml b/tasks/backend_tls.yml
index f300a7fe..f9818828 100644
--- a/tasks/backend_tls.yml
+++ b/tasks/backend_tls.yml
@@ -8,7 +8,7 @@
 state: directory
 owner: "{{ vault_user }}"
 group: "{{ vault_group }}"
- mode: 0700
+ mode: "0700"
 with_items:
 - "{{ vault_backend_tls_certs_path }}"
 - "{{ vault_backend_tls_private_path }}"
diff --git a/tasks/install.yml b/tasks/install.yml
index 9f27938c..3f8db106 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -35,7 +35,7 @@
 dest: "{{ role_path }}/files/{{ vault_pkg }}"
 checksum: "sha256:{{ (lookup('url', vault_checksum_file_url, wantlist=true) | select('match', '.*' + vault_pkg + '$') | first).split()[0] }}"
 timeout: "42"
- mode: 0644
+ mode: "0644"
 become: "{{ vault_privileged_install }}"
 run_once: true
 tags: installation
diff --git a/tasks/install_enterprise.yml b/tasks/install_enterprise.yml
index 85e78520..1c392a89 100644
--- a/tasks/install_enterprise.yml
+++ b/tasks/install_enterprise.yml
@@ -44,7 +44,7 @@
 dest: "{{ role_path }}/files/{{ vault_enterprise_pkg }}"
 checksum: sha256:{{ vault_sha256.stdout }}
 timeout: 42
- mode: 0644
+ mode: "0644"
 become: false
 run_once: true
 tags: installation
diff --git a/tasks/install_remote.yml b/tasks/install_remote.yml
index a746f1bf..d305f7d1 100644
--- a/tasks/install_remote.yml
+++ b/tasks/install_remote.yml
@@ -14,7 +14,7 @@
 file:
 path: /tmp/vault
 state: directory
- mode: 0750
+ mode: "0750"
 - name: Check Vault package file
 stat:
@@ -28,7 +28,7 @@
 dest: "/tmp/vault/{{ vault_pkg }}"
 checksum: "sha256:{{ (lookup('url', vault_checksum_file_url, wantlist=true) | select('match', '.*' + vault_pkg + '$') | first).split()[0] }}"
 timeout: "42"
- mode: 0644
+ mode: "0644"
 tags: installation
 when: not vault_package.stat.exists | bool
diff --git a/tasks/main.yml b/tasks/main.yml
index 22972c5a..a497da5a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -126,7 +126,7 @@
 dest: /etc/logrotate.d/vault
 owner: root
 group: root
- mode: 0644
+ mode: "0644"
 when: vault_enable_logrotate | bool
 - name: TLS configuration
@@ -342,7 +342,7 @@
 owner: "{{ vault_user }}"
 group: "{{ vault_group }}"
 create: true
- mode: 0600
+ mode: "0600"
 when:
 - not vault_dotfile_disable
 - ansible_os_family != 'Windows'
@@ -356,7 +356,7 @@
 owner: "{{ vault_user }}"
 group: "{{ vault_group }}"
 create: true
- mode: 0600
+ mode: "0600"
 when:
 - not vault_dotfile_disable
 - not vault_tls_disable | bool
diff --git a/tasks/plugins/acme.yml b/tasks/plugins/acme.yml
index 25b5d154..7de7671b 100644
--- a/tasks/plugins/acme.yml
+++ b/tasks/plugins/acme.yml
@@ -23,7 +23,7 @@
 file:
 path: "{{ (vault_plugin_acme_install == 'local') | ternary(vault_plugins_src_dir_local, vault_plugins_src_dir_remote) }}/acme"
 state: directory
- mode: 0755
+ mode: "0755"
 owner: "{{ (vault_plugin_acme_install == 'local') | ternary(omit, vault_user) }}"
 group: "{{ (vault_plugin_acme_install == 'local') | ternary(omit, vault_group) }}"
 register: __vault_plugin_acme_zip_dir
@@ -34,7 +34,7 @@
 url: "{{ vault_plugin_acme_release_url }}/{{ vault_plugin_acme_zip }}"
 dest: "{{ __vault_plugin_acme_zip_dir.path }}"
 checksum: "sha256:{{ vault_plugin_acme_zip_sha256sum }}"
- mode: 0644
+ mode: "0644"
 register: __vault_plugin_acme_zip_file
 run_once: "{{ (vault_plugin_acme_install == 'local') }}"
@@ -43,7 +43,7 @@
 remote_src: "{{ (vault_plugin_acme_install == 'remote') }}"
 src: "{{ __vault_plugin_acme_zip_file.dest }}"
 dest: "{{ __vault_plugin_acme_zip_dir.path }}"
- mode: 0644
+ mode: "0644"
 run_once: "{{ (vault_plugin_acme_install == 'local') }}"
 - name: Install acme vault plugin
diff --git a/tasks/tls.yml b/tasks/tls.yml
index 8faa55ee..c6787b66 100644
--- a/tasks/tls.yml
+++ b/tasks/tls.yml
@@ -8,7 +8,7 @@
 state: directory
 owner: "{{ vault_user }}"
 group: "{{ vault_group }}"
- mode: 0750
+ mode: "0750"
 with_items:
 - "{{ vault_tls_certs_path }}"
 - "{{ vault_tls_private_path }}"