diff --git a/.woodpecker.yml b/.woodpecker.yml
new file mode 100644
index 0000000..76ebfd0
--- /dev/null
+++ b/.woodpecker.yml
@@ -0,0 +1,19 @@
+steps:
+  - name: test-vault
+    image: hashicorp/vault:latest
+    environment:
+      VAULT_ADDR:
+        from_secret: vault_addr
+      VAULT_ROLE_ID:
+        from_secret: vault_role_id
+      VAULT_SECRET_ID:
+        from_secret: vault_secret_id
+    commands:
+      - echo "=== Authenticating with Vault via AppRole ==="
+      - export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id=$VAULT_ROLE_ID secret_id=$VAULT_SECRET_ID)
+      - echo "Auth successful, got token"
+      - echo "=== Reading secrets from projects/test/demo ==="
+      - vault kv get projects/test/demo
+      - echo "=== As env vars ==="
+      - vault kv get -format=json projects/test/demo | sed -n 's/.*"\([^"]*\)": "\([^"]*\)".*/\1=\2/p'
+      - echo "=== Vault integration works! ==="