diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index f5c69049..745d7792 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -1,34 +1,90 @@
 #
-# Configuration for GitHub-based CI
+# Configuration for GitHub-based CI.
 #
-name: Build
+# Runs fmt / clippy / tests / docs / advisories / MSRV in parallel on
+# every PR and every push to main. All jobs share a Swatinem cargo
+# cache keyed off Cargo.lock. Toolchain is `stable` everywhere except
+# the MSRV job, which pins Rust 1.82.
+#
+name: CI
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
-    branches: [ main ]
+    branches: [main]
+
+env:
+  CARGO_TERM_COLOR: always
+  CARGO_INCREMENTAL: 0
+  RUST_BACKTRACE: 1
 
 jobs:
-  check-style:
+  fmt:
+    name: cargo fmt
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt
+      - run: cargo fmt --all -- --check
+
+  clippy:
+    name: cargo clippy
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - name: Report cargo version
-      run: cargo --version
-    - name: Report rustfmt version
-      run: cargo fmt -- --version
-    - name: Check style
-      run: cargo fmt -- --check
-
-  build-and-test:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          components: clippy
+      - uses: Swatinem/rust-cache@v2
+      # typify-test only exists to compile typify's generated output; the
+      # warnings it surfaces (clippy::derivable_impls, redundant_closure)
+      # belong to the codegen, not source code, and are tracked separately.
+      - run: cargo clippy --workspace --all-targets --locked --exclude typify-test -- -D warnings
+
+  test:
+    name: test (${{ matrix.os }})
     runs-on: ${{ matrix.os }}
     strategy:
+      fail-fast: false
       matrix:
-        os: [ ubuntu-latest, windows-latest, macos-latest ]
+        os: [ubuntu-latest, windows-latest, macos-latest]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
+      - name: Build
+        run: cargo build --workspace --locked --tests --verbose
+      - name: Test
+        run: cargo test --workspace --locked --verbose
+
+  doc:
+    name: cargo doc
+    runs-on: ubuntu-latest
+    env:
+      RUSTDOCFLAGS: "-D warnings"
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
+      - run: cargo doc --workspace --no-deps --locked
+
+  deny:
+    name: cargo deny (advisories)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: EmbarkStudios/cargo-deny-action@v2
+        with:
+          command: check advisories
+
+  msrv:
+    name: MSRV build (1.82)
+    runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - name: Build
-      run: cargo build --locked --tests --verbose
-    - name: Run tests
-      run: cargo test --locked --verbose
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@1.82
+      - uses: Swatinem/rust-cache@v2
+      - run: cargo build --workspace --locked
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 00000000..81028884
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,30 @@
+# cargo-deny configuration.
+#
+# CI runs `cargo deny check advisories`. The ignore list below covers
+# unmaintained-crate advisories and one CVE that all enter the tree
+# transitively through dev-dependencies; none affect published crate
+# code paths. Re-evaluate when bumping or removing the cited dep.
+
+[advisories]
+ignore = [
+    # adler 1.0.2 — unmaintained, superseded by adler2.
+    # Pulled in transitively by miniz_oxide. Wait for the ecosystem to
+    # migrate (mostly through flate2/png updates).
+    "RUSTSEC-2025-0056",
+
+    # paste 1.0.15 — unmaintained, see pastey / with_builtin_macros.
+    # Used by both typify's generated code (paste in workspace deps)
+    # and several transitive deps. Worth replacing in generated output.
+    "RUSTSEC-2024-0436",
+
+    # tempdir 0.3.7 — deprecated in favour of tempfile.
+    # Dev-dependency of cargo-typify only (integration tests). TODO:
+    # swap to tempfile and drop both this and RUSTSEC-2023-0018.
+    "RUSTSEC-2018-0017",
+
+    # remove_dir_all 0.5.3 — race-condition CVE.
+    # Reaches the tree only via tempdir (above) in cargo-typify dev
+    # tests. No production code path. Cleared automatically once the
+    # tempdir → tempfile swap above lands.
+    "RUSTSEC-2023-0018",
+]
diff --git a/typify-impl/src/util.rs b/typify-impl/src/util.rs
index 51ee7618..106dcf3a 100644
--- a/typify-impl/src/util.rs
+++ b/typify-impl/src/util.rs
@@ -51,6 +51,7 @@ pub(crate) fn metadata_title_and_description(metadata: &Option<Box<Metadata>>) -
 /// conceptually identical to the logic below that validates **if** the schemas
 /// **could** be merged (i.e. if they're compatible).
 #[cfg(test)]
+#[allow(dead_code)]
 pub(crate) fn all_mutually_exclusive(
     subschemas: &[Schema],
     definitions: &BTreeMap<RefKey, Schema>,
@@ -573,6 +574,7 @@ pub(crate) fn ref_key(ref_name: &str) -> RefKey {
 }
 
 #[cfg(test)]
+#[allow(dead_code)]
 fn resolve<'a>(
     schema: &'a Schema,
     definitions: &'a std::collections::BTreeMap<RefKey, Schema>,