diff --git a/.github/workflows/envoy-sync.yaml b/.github/workflows/envoy-sync.yaml
new file mode 100644
index 0000000..380dad7
--- /dev/null
+++ b/.github/workflows/envoy-sync.yaml
@@ -0,0 +1,80 @@
+name: Sync Envoy
+
+permissions:
+  contents: read
+
+on:
+  workflow_dispatch:
+    inputs:
+      commit_sha:
+        type: string
+        required: true
+
+concurrency:
+  group: SYNC
+
+jobs:
+  sync:
+    runs-on: ubuntu-22.04
+    if: |
+      ${{
+          !contains(github.actor, '[bot]')
+          || github.actor == 'sync-envoy[bot]'
+      }}
+    steps:
+    - id: appauth
+      uses: envoyproxy/toolshed/gh-actions/appauth@8a8f4f64d8bccc99427740197479c0a5353ca8de  # actions-v0.0.18
+      with:
+        key: ${{ secrets.ENVOY_CI_UPDATE_BOT_KEY }}
+        app_id: ${{ secrets.ENVOY_CI_UPDATE_APP_ID }}
+
+    # Checkout the repo
+    - name: 'Checkout Repository (envoy-website)'
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+      with:
+        ref: main
+        token: ${{ steps.appauth.outputs.token  }}
+        path: envoy-website
+
+    - run: |
+        envoy_version="$(awk '/"envoy"/ { in_block=1 } in_block && /"version"/ { gsub(/[",]/, "", $2); print $2; in_block=0 }' envoy-website/versions.bzl)"
+        echo "envoy_version=${envoy_version}" >> "$GITHUB_OUTPUT"
+      id: current
+      name: Get current Envoy version
+
+    # Checkout the Envoy repo
+    - name: 'Checkout Repository (envoy)'
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+      with:
+        repository: envoyproxy/envoy
+        ref: main
+        path: envoy
+        fetch-depth: 0
+
+    - run: |
+        if [[ "${{ inputs.commit_sha }}" == "${{ steps.current.outputs.envoy_version }}" ]]; then
+            echo "Envoy is already up-to-date (${{ inputs.commit_sha }})" >&2
+            exit 0
+        fi
+        if ! git merge-base --is-ancestor "${{ inputs.commit_sha }}" HEAD; then
+            echo "Provided Envoy sha (${{ inputs.commit_sha }}) is not an ancestor of main" >&2
+            exit 1
+        fi
+        git checkout "${{ inputs.commit_sha }}"
+        if ! git merge-base --is-ancestor "${{ steps.current.outputs.envoy_version }}" HEAD; then
+            echo "Provided Envoy sha (${{ inputs.commit_sha }}) is not newer than " \
+                 "the current sha (${{ steps.current.outputs.envoy_version }})" >&2
+            exit 0
+        fi
+        echo "should_update=true" >> "$GITHUB_OUTPUT"
+      id: state
+      working-directory: envoy
+      name: Check provided Envoy version
+
+    - run: ./sync_envoy.sh
+      if: ${{ steps.state.outputs.should_update == 'true' }}
+      working-directory: envoy-website
+      env:
+        ENVOY_SRC_DIR: ../envoy
+        COMMITTER_NAME: "update-envoy[bot]"
+        COMMITTER_EMAIL: "135279899+update-envoy[bot]@users.noreply.github.com"
diff --git a/bazel/BUILD b/bazel/BUILD
new file mode 100644
index 0000000..2cc2291
--- /dev/null
+++ b/bazel/BUILD
@@ -0,0 +1,7 @@
+load("@envoy_toolshed//dependency:macros.bzl", "updater")
+
+updater(
+    name = "update",
+    dependencies = "//:dependency_versions",
+    version_file = "//:versions.bzl",
+)