diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
new file mode 100644
index 0000000..e69308f
--- /dev/null
+++ b/.github/workflows/unit-tests.yml
@@ -0,0 +1,56 @@
+name: Unit Tests
+
+on:
+  pull_request:
+    paths:
+      - ".github/workflows/unit-tests.yml"
+      - 'extras/test/**'
+      - 'src/**'
+
+  push:
+    paths:
+      - ".github/workflows/unit-tests.yml"
+      - 'extras/test/**'
+      - 'src/**'
+
+jobs:
+  test:
+    name: Run unit tests
+    runs-on: ubuntu-latest
+
+    env:
+      COVERAGE_DATA_PATH: extras/coverage-data/coverage.info
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - uses: arduino/cpp-test-action@main
+        with:
+          runtime-paths: |
+            - extras/test/build/bin/testNetworkConfigurator
+          coverage-exclude-paths: |
+            - '*/extras/test/*'
+            - '/usr/*'
+          coverage-data-path: ${{ env.COVERAGE_DATA_PATH }}
+
+      # A token is used to avoid intermittent spurious job failures caused by rate limiting.
+      - name: Set up Codecov upload token
+        run: |
+          if [[ "${{ github.repository }}" == "arduino-libraries/Arduino_NetworkConfigurator" ]]; then
+            # In order to avoid uploads of data from forks, only use the token for runs in the parent repo.
+            # Token is intentionally exposed.
+            # See: https://community.codecov.com/t/upload-issues-unable-to-locate-build-via-github-actions-api/3954
+            CODECOV_TOKEN="49f6e3b9-4c5b-40a0-ba75-0f5ce723a2ad"
+          else
+            # codecov/codecov-action does unauthenticated upload if empty string is passed via the `token` input.
+            CODECOV_TOKEN=""
+          fi
+          echo "CODECOV_TOKEN=$CODECOV_TOKEN" >> "$GITHUB_ENV"
+
+      - name: Upload coverage report to Codecov
+        uses: codecov/codecov-action@v3
+        with:
+          file: "${{ env.COVERAGE_DATA_PATH }}"
+          fail_ci_if_error: true
+          token: ${{ env.CODECOV_TOKEN }}
diff --git a/extras/test/src/test_provisioning_command_encode.cpp b/extras/test/src/test_provisioning_command_encode.cpp
index b0f7198..64872fc 100644
--- a/extras/test/src/test_provisioning_command_encode.cpp
+++ b/extras/test/src/test_provisioning_command_encode.cpp
@@ -123,6 +123,7 @@
    {
     JWTProvisioningMessage command;
     command.c.id = ProvisioningMessageId::JWTProvisioningMessageId;
+    memset(command.jwt, 0x00, 269);
     memset(command.jwt, 0xCA, 268);
     uint8_t buffer[512];
     size_t bytes_encoded = sizeof(buffer);
diff --git a/src/configuratorAgents/agents/boardConfigurationProtocol/cbor/ProvisioningMessage.h b/src/configuratorAgents/agents/boardConfigurationProtocol/cbor/ProvisioningMessage.h
index ac9d467..97387d5 100644
--- a/src/configuratorAgents/agents/boardConfigurationProtocol/cbor/ProvisioningMessage.h
+++ b/src/configuratorAgents/agents/boardConfigurationProtocol/cbor/ProvisioningMessage.h
@@ -105,7 +105,7 @@ struct UniqueHardwareIdProvisioningMessage {
 struct JWTProvisioningMessage {
   ProvisioningMessage c;
   struct {
-    char jwt[PROVISIONING_JWT_SIZE]; //The payload is an array of char with a maximum length of 268, not null terminated. It's not a string.
+    char jwt[PROVISIONING_JWT_SIZE]; //The payload is a string with maximum dimension of 268 characters + '\0'.
   };
 };