diff --git a/.github/workflows/code-freeze.yml b/.github/workflows/code-freeze.yml
new file mode 100644
index 00000000..a6cc73a7
--- /dev/null
+++ b/.github/workflows/code-freeze.yml
@@ -0,0 +1,47 @@
+name: Code Freeze
+
+on:
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  FROZEN: ${{ vars.FROZEN }}
+  UNFROZEN_PREFIX: ${{ vars.UNFROZEN_PREFIX }}
+
+jobs:
+  check-pr-frozen-status:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Fetch PR data and check if merge allowed
+      if: env.FROZEN == 'true'
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        PR_DATA=$(curl -s \
+          -H "Authorization: Bearer $GITHUB_TOKEN" \
+          -H "Accept: application/vnd.github.v3+json" \
+          https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }})
+        BRANCH_NAME=$(echo $PR_DATA | jq .head.ref -r)
+        PR_TITLE=$(echo $PR_DATA | jq .title -r)
+        echo $BRANCH_NAME
+        echo $PR_TITLE
+        # if it's not a critical fix
+        if ! [[ "$PR_TITLE" == fix\(critical\):* ]]; then
+          # and there's an unfrozen prefix
+          if ! [[ -z $UNFROZEN_PREFIX ]]; then
+            # check if the branch matches unfrozen prefix
+            if [[ "$BRANCH_NAME" != $UNFROZEN_PREFIX* ]]; then
+              echo "Error: You can only merge from branches that start with '$UNFROZEN_PREFIX', or PRs titled with prefix 'fix(critical): '."
+              exit 1
+            fi
+          # repo is fully frozen
+          else
+            echo "Error: You can only merge PRs titled with prefix 'fix(critical): '."
+            exit 1
+          fi
+        fi