diff --git a/.coderabbit.yaml b/.coderabbit.yaml
new file mode 100644
index 000000000..adaa4f55f
--- /dev/null
+++ b/.coderabbit.yaml
@@ -0,0 +1,17 @@
+language: "zh-CN"
+reviews:
+  profile: "chill"
+  request_changes_workflow: false
+  high_level_summary: true
+  poem: false
+  review_status: true
+  collapse_walkthrough: true
+  path_instructions:
+    - path: "apps/web-antd/**"
+      instructions: "重点关注业务回归风险、路由权限、表单校验和上传逻辑。"
+    - path: "packages/**"
+      instructions: "重点关注公共 API 兼容性、类型安全、以及潜在破坏性变更。"
+    - path: "**/*.md"
+      instructions: "文档变更只做简要建议，不阻断。"
+chat:
+  auto_reply: false
diff --git a/.github/labeler.yml b/.github/labeler.yml
new file mode 100644
index 000000000..759b63648
--- /dev/null
+++ b/.github/labeler.yml
@@ -0,0 +1,48 @@
+docs:
+  - changed-files:
+      - any-glob-to-any-file:
+          - 'docs/**'
+          - 'README*'
+          - '**/*.md'
+
+ci:
+  - changed-files:
+      - any-glob-to-any-file:
+          - '.github/workflows/**'
+          - '.github/*.yml'
+          - '.github/*.yaml'
+
+web-antd:
+  - changed-files:
+      - any-glob-to-any-file:
+          - 'apps/web-antd/**'
+
+backend-mock:
+  - changed-files:
+      - any-glob-to-any-file:
+          - 'apps/backend-mock/**'
+
+packages:
+  - changed-files:
+      - any-glob-to-any-file:
+          - 'packages/**'
+
+internal:
+  - changed-files:
+      - any-glob-to-any-file:
+          - 'internal/**'
+
+scripts:
+  - changed-files:
+      - any-glob-to-any-file:
+          - 'scripts/**'
+
+config:
+  - changed-files:
+      - any-glob-to-any-file:
+          - 'package.json'
+          - 'pnpm-lock.yaml'
+          - 'pnpm-workspace.yaml'
+          - 'turbo.json'
+          - 'tsconfig*.json'
+          - '.npmrc'
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000..5cc6b123d
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,37 @@
+name: CodeQL
+
+on:
+  push:
+    branches: ["dev", "main"]
+  pull_request:
+    branches: ["dev", "main"]
+  schedule:
+    - cron: '30 2 * * 1'
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'javascript-typescript' ]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
new file mode 100644
index 000000000..6b3b1c35d
--- /dev/null
+++ b/.github/workflows/labeler.yml
@@ -0,0 +1,18 @@
+name: PR Labeler
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  label:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/labeler@v5
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+          configuration-path: .github/labeler.yml