diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
new file mode 100644
index 0000000000000000000000000000000000000000..99dc986012ab99ef52a63c0d6de8ea6f13f8f5e0
--- /dev/null
+++ b/.github/workflows/sync.yml
@@ -0,0 +1,44 @@
+name: Sync DockerHub with AWS ECR
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: 23 20 * * *
+
+defaults:
+  run:
+    shell: 'bash -Eeuo pipefail -x {0}'
+
+jobs:
+  sync-awsecr:
+    name: Sync Docker Hub to AWS ECR Public
+    runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_PUBLIC_ECR }}
+          aws-region: us-east-1
+
+      - name: Login to Amazon ECR Public
+        id: login-ecr-public
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+        with:
+          registry-type: public
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build, tag, and push docker image to Amazon ECR Public
+        run: |
+          ./sync-awsecr.sh > sync-real.sh
+          chmod +x sync-real.sh
+          ./sync-real.sh