diff --git a/.github/workflows/update-tor.yml b/.github/workflows/update-tor.yml
new file mode 100644
index 000000000..60519f600
--- /dev/null
+++ b/.github/workflows/update-tor.yml
@@ -0,0 +1,36 @@
+name: Check for and commit Tor package updates
+# TODO: Switch to nightly
+on: [pull_request]
+
+jobs:
+ buildinfo:
+ runs-on: ubuntu-latest
+ container: debian:bullseye-backports
+ steps:
+ - name: Install dependencies
+ run: |
+ apt-get update && apt-get install --yes reprepro ca-certificates dctrl-tools \
+ git git-lfs openssh-client
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ lfs: true
+ fetch-depth: 0
+ - name: Check for and commit Tor package updates
+ run: |
+ git config user.email "securedrop@freedom.press"
+ git config user.name "sdcibot"
+
+ # Import the Tor repo signing key
+ gpg --import repo/conf/updates-keys/*.gpg
+ # Run reprepro update, skip export since we just want the debs (and we don't have
+ # the repo signing key anyways)
+ REPREPRO_BASE_DIR=repo reprepro --export=never update
+
+ # Move the new packages over, intentionally leaving the old ones around
+ mv repo/pool/main/t/tor/*.deb core/focal/
+ git add core/focal/*.deb
+ git diff-index --quiet HEAD
+ # If there are changes, diff-index will fail, so we commit and push
+ # git diff-index --quiet HEAD || (git commit -m "Automatically updating Tor packages" \
+ # && git push origin main && ../scripts/new-tor-issue)
\ No newline at end of file
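Review bot: `uses: actions/checkout@v4` and `container: debian:bullseye-backports` are mutable references and the job declares no `permissions:`, in a workflow whose commented-out last step is meant to push `.deb` files straight to `main`. Pinning both (`uses: actions/checkout@<full-commit-sha>  # v4`, `container: debian:bullseye-backports@sha256:<digest>`) and adding a top-level `permissions:` with `contents: read`, raised to `contents: write` for this job only once the push is enabled, keeps a retagged action or image from running with write access to the package repository. The keys loaded by `gpg --import repo/conf/updates-keys/*.gpg` come from the checked-out tree, so while the trigger is `on: [pull_request]` a pull request that edits that directory also changes what the run trusts; the trigger should move to the scheduled one before the push lines are uncommented. Whether reprepro verifies the upstream Release signature at all depends on `repo/conf/updates`, which is not part of this diff. As written, the bare `git diff-index --quiet HEAD` makes the step exit non-zero exactly when new packages were staged, which is presumably a temporary stand-in for the commented-out commit.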