diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
new file mode 100644
index 0000000..8351cbf
--- /dev/null
+++ b/.github/workflows/sync.yml
@@ -0,0 +1,43 @@
+name: hub.docker.com -> us-docker.pkg.dev
+
+on:
+  schedule:
+    - cron: "0 7 * * *"
+  workflow_dispatch:
+
+jobs:
+  sync-images:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+
+      - name: Authenticate to Google Cloud
+        id: 'auth'
+        uses: google-github-actions/auth@v1
+        with:
+          workload_identity_provider: ${{ secrets.GCLOUD_OIDC_POOL }}
+          service_account: ${{ secrets.GSA }}
+          token_format: 'access_token'
+
+      - uses: docker/login-action@v3
+        name: 'Docker login'
+        with:
+          registry: 'us-docker.pkg.dev'
+          username: 'oauth2accesstoken'
+          password: '${{ steps.auth.outputs.access_token }}'
+
+      - name: pull+push
+        run: |
+          REPOS=$(curl -s "https://hub.docker.com/v2/repositories/lehighlts/?page_size=100" | \
+            jq -r '.results[] | select(.name | startswith("scyllaridae-")) | .name')
+          for REPO in $REPOS; do
+            SOURCE="lehighlts/$REPO:main"
+            TARGET="us-docker.pkg.dev/${{ secrets.GCLOUD_PROJECT }}/shared/$REPO:main"
+            docker pull "$SOURCE"
+            docker tag "$SOURCE" "$TARGET"
+            docker push "$TARGET"
+          done