diff --git a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
new file mode 100644
index 000000000..5fba3265d
--- /dev/null
+++ b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
@@ -0,0 +1,96 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: 'PR Check - Go: workaround for indirect tracing'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
+on:
+  push:
+    branches:
+    - main
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  go-indirect-tracing-workaround-diagnostic:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: stable-v2.14.6
+    name: 'Go: workaround for indirect tracing'
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: actions/setup-go@v4
+      with:
+      # We need a Go version that ships with statically linked binaries on Linux
+        go-version: '>=1.21.0'
+    - uses: ./../action/init
+      with:
+        languages: go
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+  # Deliberately change Go after the `init` step
+    - uses: actions/setup-go@v4
+      with:
+        go-version: '1.20'
+    - name: Build code
+      shell: bash
+      run: go build main.go
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+    - name: Check diagnostic appears in SARIF
+      uses: actions/github-script@v6
+      env:
+        SARIF_PATH: ${{ runner.temp }}/results/go.sarif
+      with:
+        script: |
+          const fs = require('fs');
+
+          const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+          const run = sarif.runs[0];
+
+          const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
+          const statusPageNotifications = toolExecutionNotifications.filter(n =>
+            n.descriptor.id === 'go/workflow/go-installed-after-codeql-init' && n.properties?.visibility?.statusPage
+          );
+          if (statusPageNotifications.length !== 1) {
+            core.setFailed(
+              'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
+                `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
+                `${statusPageNotifications.length}. All notification reporting descriptors: ` +
+                `${JSON.stringify(toolExecutionNotifications)}.`
+            );
+          }
+    env:
+      CODEQL_ACTION_TEST_MODE: true
diff --git a/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml b/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml
new file mode 100644
index 000000000..e59447599
--- /dev/null
+++ b/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml
@@ -0,0 +1,49 @@
+name: "Go: workaround for indirect tracing"
+description: "Checks that our workaround for indirect tracing for Go 1.21+ on Linux works"
+# only Linux is affected
+operatingSystems: ["ubuntu"]
+# pinned to a version which does not support statically linked binaries for indirect tracing
+versions: ["stable-v2.14.6"]
+steps:
+  - uses: actions/setup-go@v4
+    with:
+      # We need a Go version that ships with statically linked binaries on Linux
+      go-version: ">=1.21.0"
+  - uses: ./../action/init
+    with:
+      languages: go
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+  # Deliberately change Go after the `init` step
+  - uses: actions/setup-go@v4
+    with:
+      go-version: "1.20"
+  - name: Build code
+    shell: bash
+    run: go build main.go
+  - uses: ./../action/analyze
+    with:
+      output: "${{ runner.temp }}/results"
+      upload-database: false
+  - name: Check diagnostic appears in SARIF
+    uses: actions/github-script@v6
+    env:
+      SARIF_PATH: "${{ runner.temp }}/results/go.sarif"
+    with:
+      script: |
+        const fs = require('fs');
+
+        const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+        const run = sarif.runs[0];
+
+        const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
+        const statusPageNotifications = toolExecutionNotifications.filter(n =>
+          n.descriptor.id === 'go/workflow/go-installed-after-codeql-init' && n.properties?.visibility?.statusPage
+        );
+        if (statusPageNotifications.length !== 1) {
+          core.setFailed(
+            'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
+              `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
+              `${statusPageNotifications.length}. All notification reporting descriptors: ` +
+              `${JSON.stringify(toolExecutionNotifications)}.`
+          );
+        }