diff --git a/.github/workflows/image-siso.yaml b/.github/workflows/image-siso.yaml
new file mode 100644
index 000000000..705c1bd37
--- /dev/null
+++ b/.github/workflows/image-siso.yaml
@@ -0,0 +1,62 @@
+---
+name: Create OCI image
+on:
+ pull_request:
+ branches:
+ - bump-siso
+ push:
+ branches:
+ - bump-siso
+
+permissions: read-all
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.ref != 'refs/heads/bump-siso' }}
+
+jobs:
+ publish-image:
+ strategy:
+ fail-fast: false
+ matrix:
+ image: [nativelink-worker-siso-chromium]
+ name: Publish ${{ matrix.image }}
+ runs-on: ubuntu-22.04
+ permissions:
+ packages: write
+ id-token: write
+ security-events: write
+ timeout-minutes: 30
+ steps:
+
+ - name: Checkout
+ uses: >- # v4.1.1
+ actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+
+ - name: Install Nix
+ uses: >- # v10
+ DeterminateSystems/nix-installer-action@de22e16c4711fca50c816cc9081563429d1cf563
+
+ - name: Cache Nix derivations
+ uses: >- # v4
+ DeterminateSystems/magic-nix-cache-action@fc6aaceb40b9845a02b91e059ec147e78d1b4e41
+
+ - name: Test image
+ run: |
+ nix run .#local-image-test ${{ matrix.image }}
+
+ - name: Upload image
+ run: |
+ nix run .#publish-ghcr ${{ matrix.image }}
+ env:
+ GHCR_REGISTRY: ghcr.io/${{ github.repository_owner }}
+ GHCR_USERNAME: ${{ github.actor }}
+ GHCR_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+ if: github.ref == 'refs/heads/bump-siso'
+
+ - name: Upload trivy scan results to GitHub Security tab
+ uses: >- # v2.16.3
+ github/codeql-action/upload-sarif@592977e6ae857384aa79bb31e7a1d62d63449ec5
+ with:
+ sarif_file: 'trivy-results.sarif'
+ if: github.ref == 'refs/heads/bump-siso'
diff --git a/flake.nix b/flake.nix
index f4db47604..67752b091 100644
--- a/flake.nix
+++ b/flake.nix
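Review bot: The final step uploads `trivy-results.sarif`, but no step in this workflow runs a scanner or otherwise produces that file, so unless `nix run .#local-image-test` writes it into the workspace (not visible from the hunk) the upload will fail on a missing file and the Security tab stays empty without anyone noticing. Either add an explicit scan step before the upload or document the dependency next to `sarif_file`, e.g. `# written by local-image-test; keep the filename in sync with that script`. Note also that both `push` and `pull_request` triggers are restricted to `bump-siso`, so this workflow never runs on the default branch; if that is intentional as a temporary bump workflow, a one-line comment under `on:` saying so would save the next reader the question. The action pins by commit SHA with the tag in a trailing comment are a good pattern and worth keeping.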
@@ -272,8 +272,8 @@
 name = "siso-chromium";
 fromImage = pullImage {
 imageName = "gcr.io/chops-public-images-prod/rbe/siso-chromium/linux";
- imageDigest = "sha256:26de99218a1a8b527d4840490bcbf1690ee0b55c84316300b60776e6b3a03fe1";
- sha256 = "sha256-v2wctuZStb6eexcmJdkxKcGHjRk2LuZwyJvi/BerMyw=";
+ imageDigest = "sha256:4a5222f7395c659140082307bf4827edbe8bb2261b26633150e2ccbd9edf80bb";
+ sha256 = "sha256-ExAWueGDpiJMUE85H19E7Lzj3+hU9Dlyu0l0el7Tvc0=";
 tlsVerify = true;
 arch = "amd64";
 os = "linux";