diff --git a/.github/workflows/puppet.yaml b/.github/workflows/puppet.yaml
new file mode 100644
index 0000000..fffa437
--- /dev/null
+++ b/.github/workflows/puppet.yaml
@@ -0,0 +1,41 @@
+name: Puppet module
+on:
+  push:
+    paths:
+      - .github/workflows/puppet.yaml
+      - puppet
+
+jobs:
+  prep:
+    name: Download modules
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          submodules: false
+      - name: Install dependencies
+        run: |
+          wget https://apt.puppet.com/puppet-release-focal.deb
+          sudo dpkg -i puppet-release-focal.deb
+          wget https://apt.puppet.com/puppet-tools-release-focal.deb
+          sudo dpkg -i puppet-tools-release-focal.deb
+          sudo apt-get update
+          sudo apt-get install -y puppet-agent puppet-bolt
+          sudo update-alternatives --install /usr/bin/puppet puppet-agent /opt/puppetlabs/bin/puppet 10
+          sudo chmod +t /tmp # workaround ruby need within prep.sh
+      - name: Prep project
+        run: |
+          ./puppet/prep.sh
+
+  puppet-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          submodules: false
+      - name: puppet-lint
+        uses: scottbrenner/puppet-lint-action@master
+        with:
+          args: puppet/ --fail-on-warnings
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c9790be..74e304c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -63,7 +63,7 @@ stages:
 .prep-install-python: &prep-install-python |
   dnf install -y python3 python3-pip python3-wheel
   dnf clean all && rm -rf /var/cache/yum
-  pip3 install --upgrade pip pip-tools && ln -s pip3 /usr/bin/pip
+  pip3 install --upgrade pip pip-tools
 
 .prep-install-docker: &prep-install-docker |
   dnf remove -y docker \
@@ -277,22 +277,6 @@ transcoder_unit-test:
         coverage_format: cobertura
         path: transcoder/coverage.xml
 
-puppet-lint:
-  stage: test
-  needs: []
-  allow_failure: true
-  rules:
-    - if: $TRY_LATEST_PROMOTE != "true"
-      changes:
-        - ".gitlab-ci.yml"
-        - puppet/**/*
-  before_script:
-    - *prep-install-ca
-    - dnf module install -y ruby:2.7
-    - gem install puppet-lint
-  script:
-    - puppet-lint puppet
-
 # Pull in the latest commits from default submodule branches
 promote:
   stage: build
diff --git a/puppet/modules/apl_test/manifests/camserver.pp b/puppet/modules/apl_test/manifests/camserver.pp
index 0b3779a..756f274 100644
--- a/puppet/modules/apl_test/manifests/camserver.pp
+++ b/puppet/modules/apl_test/manifests/camserver.pp
@@ -62,23 +62,23 @@
 
   class { 'trusted_ca': }
   concat { '/ammos/etc/pki/tls/certs/ammos-ca-bundle.crt':
-    owner  => 'root',
-    group  => 'ammos-tls',
-    mode   => '0444',
+    owner   => 'root',
+    group   => 'ammos-tls',
+    mode    => '0444',
     require => Package[$cam_main_package], # for owner/group
   }
   file { '/ammos/etc/pki/tls/certs/ammos-server-cert.pem':
-    source => $tls_server_cert,
-    owner  => 'cam-srv',
-    group  => 'ammos-tls',
-    mode   => '0444',
+    source  => $tls_server_cert,
+    owner   => 'cam-srv',
+    group   => 'ammos-tls',
+    mode    => '0444',
     require => Package[$cam_main_package], # for owner/group
   }
   file { '/ammos/etc/pki/tls/private/ammos-server-key.pem':
-    source => $tls_server_key,
-    owner  => 'cam-srv',
-    group  => 'ammos-tls',
-    mode   => '0400',
+    source  => $tls_server_key,
+    owner   => 'cam-srv',
+    group   => 'ammos-tls',
+    mode    => '0400',
     require => Package[$cam_main_package], # for owner/group
   }
   openssl::export::pkcs12 { 'ammos-server-keystore':
@@ -121,9 +121,9 @@
     }
   }
   file { '/ammos/etc/pki/tls/certs/ammos-truststore.jks':
-    owner   => 'cam-srv',
-    group   => 'ammos-tls',
-    mode    => '0444',
+    owner => 'cam-srv',
+    group => 'ammos-tls',
+    mode  => '0444',
   }
 
   file { '/ammos/cam-server/server':