diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2eaae69b59f9a..2bbe41174161e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -72,6 +72,8 @@ jobs:
         run: ./ci/scripts/check-links.sh
       - name: Generated documentation
         run: ./ci/scripts/check-cmdgen.sh
+      - name: Lock files
+        run: ./ci/scripts/check-lock-files.sh
 
   slow_lint:
     name: Lint (slow)
diff --git a/ci/scripts/check-lock-files.sh b/ci/scripts/check-lock-files.sh
new file mode 100755
index 0000000000000..7afbadbface70
--- /dev/null
+++ b/ci/scripts/check-lock-files.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+REPO_TOP="$(git rev-parse --show-toplevel)"
+
+cd "$REPO_TOP"
+
+fail() {
+  file="$1"
+  command="$2"
+
+  echo "::error::${file} is not up to date"             >&2
+  echo "Regenerate this lock file using \`${command}\`" >&2
+
+  exit 1
+}
+
+# Regenerate `MODULE.bazel.lock` file.
+./bazelisk.sh mod deps
+if ! git diff --exit-code MODULE.bazel.lock; then
+  fail MODULE.bazel.lock "./bazelisk.sh mod deps"
+fi
+
+# Regenerate `Cargo.lock` files.
+# We use the Cargo from Bazel to ensure there are no resolver version differences.
+cargo=(bazel run @rules_rust//tools/upstream_wrapper:cargo --)
+cargo_manifests=(
+  third_party/rust/Cargo.toml
+  third_party/tock/Cargo.toml
+  third_party/mdbook/Cargo.toml
+)
+for toml in "${cargo_manifests[@]}"; do
+  "${cargo[@]}" update -w --manifest-path "$toml"
+  if ! git diff --exit-code "${toml/toml/lock}"; then
+    fail "${toml/toml/lock}" "${cargo[*]} update -w --manifest-path ${toml}"
+  fi
+done
+
+# Regenerate python lock file.
+./util/sh/scripts/gen-python-requirements.sh
+if ! git diff --exit-code python-requirements.txt; then
+  fail python-requirements.txt ./util/sh/scripts/gen-python-requirements.txt
+fi