diff --git a/.github/workflows/update-openssl.yml b/.github/workflows/update-openssl.yml
new file mode 100644
index 00000000000000..f79ea550b42818
--- /dev/null
+++ b/.github/workflows/update-openssl.yml
@@ -0,0 +1,71 @@
+name: OpenSSL update
+on:
+ schedule:
+ # Run once a week at 00:05 AM UTC on Sunday.
+ - cron: 5 0 * * 0
+
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ openssl-update:
+ if: github.repository == 'nodejs/node'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ persist-credentials: false
+ - name: Check if update branch already exists
+ run: |
+ BRANCH_EXISTS=$(git ls-remote --heads origin actions/tools-update-openssl)
+ echo "BRANCH_EXISTS=$BRANCH_EXISTS" >> $GITHUB_ENV
+ - name: Check and download new OpenSSL version
+ # Only run rest of the workflow if the update branch does not yet exist
+ if: ${{ env.BRANCH_EXISTS == '' }}
+ run: |
+ NEW_VERSION=$(gh api repos/quictls/openssl/releases -q '.[].tag_name|select(contains("openssl-3"))|ltrimstr("openssl-")' | head -n1)
+ NEW_VERSION_NO_RELEASE_1=$(case $NEW_VERSION in *quic1) echo ${NEW_VERSION%1};; *) echo $NEW_VERSION;; esac)
+ VERSION_H="./deps/openssl/config/archs/linux-x86_64/asm/include/openssl/opensslv.h"
+ CURRENT_VERSION=$(grep "OPENSSL_FULL_VERSION_STR" $VERSION_H | sed -n "s/^.*VERSION_STR \"\(.*\)\"/\1/p" | sed 's/+/-/g')
+ echo "comparing current version: $CURRENT_VERSION with $NEW_VERSION_NO_RELEASE_1"
+ if [ "$NEW_VERSION_NO_RELEASE_1" != "$CURRENT_VERSION" ]; then
+ echo "NEW_VERSION=$NEW_VERSION" >> $GITHUB_ENV
+ echo "HAS_UPDATE=true" >> $GITHUB_ENV
+ ./tools/dep_updaters/update-openssl.sh download "$NEW_VERSION"
+ fi
+ env:
+ GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
+ - name: Create PR with first commit
+ if: env.HAS_UPDATE
+ uses: gr2m/create-or-update-pull-request-action@v1
+ # Creates a PR with the new OpenSSL source code committed
+ env:
+ GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
+ with:
+ author: Node.js GitHub Bot
+ body: This is an automated update of OpenSSL to ${{ env.NEW_VERSION }}.
+ branch: actions/tools-update-openssl # Custom branch *just* for this Action.
+ commit-message: 'deps: upgrade openssl sources to quictls/openssl-${{ env.NEW_VERSION }}'
+ labels: dependencies
+ title: 'deps: update OpenSSL to ${{ env.NEW_VERSION }}'
+ path: deps/openssl
+ - name: Regenerate platform specific files
+ if: env.HAS_UPDATE
+ run: |
+ sudo apt install -y nasm libtext-template-perl
+ ./tools/dep_updaters/update-openssl.sh regenerate
+ env:
+ GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
+ - name: Add second commit
+ # Adds a second commit to the PR with the generated platform-dependent files
+ if: env.HAS_UPDATE
+ uses: gr2m/create-or-update-pull-request-action@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
+ with:
+ author: Node.js GitHub Bot
+ branch: actions/tools-update-openssl # Custom branch *just* for this Action.
+ commit-message: 'deps: update archs files for openssl-${{ env.NEW_VERSION }}'
+ path: deps/openssl
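Review bot: The personal token `secrets.GH_USER_TOKEN` is handed to every step after checkout, including the `Regenerate platform specific files` step, whose `apt install` and `update-openssl.sh regenerate` commands do not appear to need it, and it is also passed twice to the third-party `gr2m/create-or-update-pull-request-action@v1`, which is pinned only by a mutable tag. A moved tag or a compromised release of that action would receive a token that the job-level `permissions: contents: read` does not constrain, so pin both `uses:` lines to a full commit SHA (`uses: gr2m/create-or-update-pull-request-action@<full-commit-sha> # v1`, and likewise `actions/checkout`) and drop the `env:` / `GITHUB_TOKEN:` pair from the regenerate step. Separately, `NEW_VERSION` is taken verbatim from the releases API's `tag_name` and written to `$GITHUB_ENV` and into the PR title and commit messages without any shape check; since the script presumably expects tags of the form `3.x.y-quic1`, a guard such as `case "$NEW_VERSION" in 3.*-quic*) ;; *) echo "unexpected tag: $NEW_VERSION" >&2; exit 1;; esac` placed before the export would keep a malformed value from propagating. The whole workflow file is within this hunk.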