diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4e83275dc..d1f586e9e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,14 +23,7 @@ jobs:
         uses: oracle-actions/setup-java@v1
         with:
           release: ${{ matrix.java }}
-      - name: Install softhsm2
-        run: sudo apt-get install -y softhsm2
-      - name: Install opensc
-        run: sudo apt-get install -y opensc
-      - name: Ensure SoftHSM user configuration
-        run: impl/src/test/scripts/softhsm configure
-      - name: Populate SoftHSM with JJWT test keys
-        run: impl/src/test/scripts/softhsm import
+      - uses: ./.github/workflows/env-setup.yml
       - name: Build
         # run a full build, just as we would for a release (i.e. the `ossrh` profile), but don't use gpg
         # to sign artifacts, since we don't want to mess with storing signing credentials in CI:
@@ -51,14 +44,7 @@ jobs:
           distribution: 'temurin'
           cache: 'maven'
           check-latest: true
-      - name: Install softhsm2
-        run: sudo apt-get install -y softhsm2
-      - name: Install opensc
-        run: sudo apt-get install -y opensc
-      - name: Ensure SoftHSM user configuration
-        run: impl/src/test/scripts/softhsm configure
-      - name: Populate SoftHSM with JJWT test keys
-        run: impl/src/test/scripts/softhsm import
+      - uses: ./.github/workflows/env-setup.yml
       - name: Build
         # run a full build, just as we would for a release (i.e. the `ossrh` profile), but don't use gpg
         # to sign artifacts, since we don't want to mess with storing signing credentials in CI:
@@ -81,14 +67,7 @@ jobs:
           distribution: 'zulu'
           cache: 'maven'
           check-latest: true
-      - name: Install softhsm2
-        run: sudo apt-get install -y softhsm2
-      - name: Install opensc
-        run: sudo apt-get install -y opensc
-      - name: Ensure SoftHSM user configuration
-        run: impl/src/test/scripts/softhsm configure
-      - name: Populate SoftHSM with JJWT test keys
-        run: impl/src/test/scripts/softhsm import
+      - uses: ./.github/workflows/env-setup.yml
       - name: Build
         # run a full build, just as we would for a release (i.e. the `ossrh` profile), but don't use gpg
         # to sign artifacts, since we don't want to mess with storing signing credentials in CI:
@@ -129,14 +108,7 @@ jobs:
           java-version: '8'
           cache: 'maven'
           check-latest: true
-      - name: Install softhsm2
-        run: sudo apt-get install -y softhsm2
-      - name: Install opensc
-        run: sudo apt-get install -y opensc
-      - name: Ensure SoftHSM user configuration
-        run: impl/src/test/scripts/softhsm configure
-      - name: Populate SoftHSM with JJWT test keys
-        run: impl/src/test/scripts/softhsm import
+      - uses: ./.github/workflows/env-setup.yml
       - name: Wait to start
         # wait a little to start: code coverage usually only takes about 1 1/2 minutes.  If coverage fails, it will
         # cancel the other running builds, and we don't want that (because we want to see if jobs fail due to
diff --git a/.github/workflows/env-setup.yml b/.github/workflows/env-setup.yml
new file mode 100644
index 000000000..4ac1668de
--- /dev/null
+++ b/.github/workflows/env-setup.yml
@@ -0,0 +1,16 @@
+on:
+  # Reusable GitHub Action
+  workflow_call:
+
+jobs:
+  setup_env:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Install softhsm2
+      run: sudo apt-get install -y softhsm2
+    - name: Install opensc
+      run: sudo apt-get install -y opensc
+    - name: Ensure SoftHSM user configuration
+      run: impl/src/test/scripts/softhsm configure
+    - name: Populate SoftHSM with JJWT test keys
+      run: impl/src/test/scripts/softhsm import
\ No newline at end of file