diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a15c2b56d..87916a0a1 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -369,7 +369,20 @@ jobs:
       - name: C:/msys64/mingw64/bin/gcc.exe not installed
         run: ruby -e "abort if File.exist?('C:/msys64/mingw64/bin/gcc.exe')"
 
-  lint:
+  validate-windows-versions:
+    name: "Check windows*versions.json are up-to-date"
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v6
+    - uses: ./
+      with:
+        ruby-version: ruby
+    - run: ruby generate-windows-versions.rb
+    - name: Check generated files are up to date
+      run: git diff --exit-code
+
+  check-dist-index:
+    name: "Check dist/index.js is up-to-date"
     runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@v6
diff --git a/generate-windows-versions.rb b/generate-windows-versions.rb
index 6fb1fd26d..ab885ffdf 100644
--- a/generate-windows-versions.rb
+++ b/generate-windows-versions.rb
@@ -2,6 +2,31 @@
 require 'yaml'
 require 'json'
 
+# General rules:
+# - All the static parts of the expected URL are checked literally.
+# - Each path component must begin with [\w], or a more restrictive character set.
+# - Percent (`%`) shall not be allowed to avoid any percent encoding.
+WINDOWS_VERSIONS_URLS_REGEXPS = [
+  %r{\A#{Regexp.escape 'https://github.com/oneclick/rubyinstaller/releases/download'}/\w[\w.-]*/\w[\w.-]*\z},
+  %r{\A#{Regexp.escape 'https://github.com/oneclick/rubyinstaller2/releases/download'}/\w[\w.-]*/\w[\w.-]*\z},
+  %r{\A#{Regexp.escape 'https://github.com/MSP-Greg/ruby-loco/releases/download'}/\w[\w.-]*/\w[\w.-]*\z}
+].freeze
+
+WINDOWS_TOOLCHAIN_VERSIONS_URLS_REGEXPS = [
+  %r{\A#{Regexp.escape 'https://github.com/oneclick/rubyinstaller/releases/download/devkit-4.7.2/DevKit-mingw64-64-4.7.2-20130224-1432-sfx.exe'}\z},
+  %r{\A#{Regexp.escape 'https://github.com/ruby/setup-msys2-gcc/releases/download'}/\w[\w.-]*/\w[\w@.-]*\z},
+  %r{\A#{Regexp.escape 'https://github.com/ruby/setup-msys2-gcc/releases/latest/download'}/\w[\w@.-]*\z}
+].freeze
+
+# Validate all the URLs in the versions json
+def validate(versions, allowed_urls_regexps)
+  versions.values.flat_map(&:values).each do |url|
+    if allowed_urls_regexps.none? { |regexp| regexp.match? url }
+      raise SecurityError, "Unexpected URL: #{url}"
+    end
+  end
+end
+
 min_requirements = ['~> 2.0.0', '~> 2.1.9', '>= 2.2.6'].map { |req| Gem::Requirement.new(req) }
 
 url = 'https://raw.githubusercontent.com/oneclick/rubyinstaller.org-website/master/_data/downloads.yaml'
@@ -48,6 +73,7 @@
   'x64' => 'https://github.com/MSP-Greg/ruby-loco/releases/download/ruby-master/ruby-ucrt.7z'
 }
 
+validate(versions, WINDOWS_VERSIONS_URLS_REGEXPS)
 File.binwrite 'windows-versions.json', "#{JSON.pretty_generate(versions)}\n"
 
 base_url = 'https://github.com/ruby/setup-msys2-gcc/releases/latest/download/windows-toolchain.json'
@@ -90,4 +116,5 @@
   end
 end
 
+validate(versions, WINDOWS_TOOLCHAIN_VERSIONS_URLS_REGEXPS)
 File.binwrite 'windows-toolchain-versions.json', "#{JSON.pretty_generate(versions)}\n"