diff --git a/.github/workflows/tuf.yml b/.github/workflows/tuf.yml
new file mode 100644
index 00000000..8596a07d
--- /dev/null
+++ b/.github/workflows/tuf.yml
@@ -0,0 +1,30 @@
+name: Sign TUF metadata
+on:
+  schedule:
+    # every 4 hours
+    - cron: '0 */4 * * *'
+  workflow_dispatch:
+    branches: [ main ]
+
+jobs:
+  resign:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          ref: tuf
+      - name: Setup signing keys
+        env:
+          SNAPSHOT_JSON: ${{ secrets.TUF_SNAPSHOT_JSON }}
+          TIMESTAMP_JSON: ${{ secrets.TUF_TIMESTAMP_JSON }}
+        run: |
+          mkdir keys
+          echo "$SNAPSHOT_JSON" > keys/snapshot.json
+          echo "$TIMESTAMP_JSON" > keys/timestamp.json
+      - name: Sign
+        env:
+          TUF_SNAPSHOT_PASSPHRASE: ${{ secrets.TUF_SNAPSHOT_PASSPHRASE}}
+          TUF_TIMESTAMP_PASSPHRASE: ${{ secrets.TUF_TIMESTAMP_PASSPHRASE}}
+        run: |
+          ./refresh-metadata.sh
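Review bot: The snapshot and timestamp private keys are written to `keys/` inside the checked-out workspace with the default umask and are never removed, and that workspace is the `tuf` branch itself, so whatever `./refresh-metadata.sh` does with the tree (it is not visible here, including any commit or push) can sweep the key files along; create them under `umask 077` and delete them in a trailing step with `if: always()`. The job also declares no `permissions:` block, so it runs with the repository's default `GITHUB_TOKEN` grant; pin it to the minimum the script needs, presumably `contents: write` if it pushes the re-signed metadata and nothing otherwise. `branches: [ main ]` is not a recognised key under `workflow_dispatch` (that event only takes `inputs`), so it does not restrict who can trigger the run, and `actions/checkout@v3` is a mutable tag rather than a commit SHA. Because the script that runs with the signing keys and passphrases comes from the `tuf` branch, anyone able to push to that branch can execute arbitrary code against the keys; that branch should be protected, or the script sourced from a protected branch.
```yaml
jobs:
  resign:
    runs-on: ubuntu-latest
    permissions:
      contents: write  # only if refresh-metadata.sh pushes; otherwise drop to read
    steps:
      # … unchanged: Checkout step …
      - name: Setup signing keys
        env:
          SNAPSHOT_JSON: ${{ secrets.TUF_SNAPSHOT_JSON }}
          TIMESTAMP_JSON: ${{ secrets.TUF_TIMESTAMP_JSON }}
        run: |
          umask 077
          mkdir keys
          printf '%s\n' "$SNAPSHOT_JSON" > keys/snapshot.json
          printf '%s\n' "$TIMESTAMP_JSON" > keys/timestamp.json
      # … unchanged: Sign step …
      - name: Remove signing keys
        if: always()
        run: rm -rf keys
```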