diff --git a/.github/workflows/build-ripunzip.yml b/.github/workflows/build-ripunzip.yml index 5f037d08aa33..08547268e3b8 100644 --- a/.github/workflows/build-ripunzip.yml +++ b/.github/workflows/build-ripunzip.yml @@ -4,20 +4,45 @@ on: workflow_dispatch: inputs: ripunzip-version: - description: "what reference to checktout from google/runzip" + description: What reference to checkout from google/ripunzip. Latest by default required: false openssl-version: - description: "what reference to checkout from openssl/openssl for Linux" + description: What reference to checkout from openssl/openssl for Linux. Latest by default required: false + open-pr: + description: Open a pull request updating the ripunzip versions committed to lfs + required: false + default: true # will be false on PRs pull_request: paths: - .github/workflows/build-ripunzip.yml -env: - RIPUNZIP_DEFAULT: v2.0.3 - OPENSSL_DEFAULT: openssl-3.6.0 +permissions: {} + jobs: + versions: + runs-on: ubuntu-slim + outputs: + ripunzip-version: ${{ inputs.ripunzip-version || steps.fetch-ripunzip-version.outputs.version }} + openssl-version: ${{ inputs.openssl-version || steps.fetch-openssl-version.outputs.version }} + steps: + - name: Fetch latest ripunzip version + id: fetch-ripunzip-version + if: "!inputs.ripunzip-version" + run: &fetch-version + echo "version=$(gh release view --repo $REPO --json tagName --jq .tagName)" | tee -a $GITHUB_OUTPUT + env: + REPO: "google/ripunzip" + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Fetch latest openssl version + id: fetch-openssl-version + if: "!inputs.openssl-version" + run: *fetch-version + env: + REPO: "openssl/openssl" + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} build: + needs: versions strategy: fail-fast: false matrix: 
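Review bot: The `versions` job leaves nothing in the repository recording which upstream source a default run builds. With the `RIPUNZIP_DEFAULT`/`OPENSSL_DEFAULT` pins removed, the ref is whatever tag `gh release view` returns at run time, and the binaries built from it are what the `publish` job later proposes for LFS. Tags can be moved upstream and a reviewer cannot diff the binary, so consider resolving each tag to a commit SHA in this job, exporting it as an extra output, checking out by that SHA, and writing tag plus SHA into the commit message or PR body. It is also worth confirming that the "latest" release of openssl/openssl is always the series you want, since a maintenance release of an older branch may be published later; I cannot tell from the hunk how upstream marks these. In the shared `run` scalar the expansions are unquoted; `--repo "$REPO"` and `tee -a "$GITHUB_OUTPUT"` would be the safer form.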
@@ -27,7 +52,7 @@ jobs: - uses: actions/checkout@v5 with: repository: google/ripunzip - ref: ${{ inputs.ripunzip-version || env.RIPUNZIP_DEFAULT }} + ref: ${{ needs.versions.outputs.ripunzip-version }} # we need to avoid ripunzip dynamically linking into libssl # see https://github.com/sfackler/rust-openssl/issues/183 - if: runner.os == 'Linux' @@ -36,7 +61,7 @@ jobs: with: repository: openssl/openssl path: openssl - ref: ${{ inputs.openssl-version || env.OPENSSL_DEFAULT }} + ref: ${{ needs.versions.outputs.openssl-version }} - if: runner.os == 'Linux' name: build and install openssl with fPIC shell: bash 
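Review bot: Both checkouts in this job (this hunk and the openssl one that follows it) now take `ref` from a tag resolved at run time, and the later steps run upstream build code from those trees. With the default `persist-credentials` setting, the job token stays in each checkout's `.git/config`, where that build code can read it. The new top-level `permissions: {}` leaves that token with very little authority, but adding `persist-credentials: false` to both `with:` blocks removes the exposure outright and keeps it removed if permissions are widened later. Both steps begin or continue outside the visible hunk lines.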
@@ -68,11 +93,74 @@ jobs: lipo -create -output ripunzip-macos \ -arch x86_64 target/x86_64-apple-darwin/release/ripunzip \ -arch arm64 target/aarch64-apple-darwin/release/ripunzip - - uses: actions/upload-artifact@v4 + - name: Archive + shell: bash + run: | + tar acf ripunzip-$RUNNER_OS.tar.zst ripunzip-$(echo $RUNNER_OS | tr '[:upper:]' '[:lower:]') + - name: Upload built binary + uses: actions/upload-artifact@v4 with: name: ripunzip-${{ runner.os }} - path: ripunzip-* + path: ripunzip-${{ runner.os }}.tar.zst + retention-days: 5 + compression: 0 - name: Check built binary shell: bash run: | + rm -f ripunzip-*.tar.zst ./ripunzip-* --version + publish: + needs: [versions, build] + if: inputs.open-pr == 'true' + permissions: + contents: write + pull-requests: write + runs-on: ubuntu-slim + steps: + # workaround for git-lfs not being installed yet on ubuntu-slim runners + - name: Ensure git-lfs is installed + shell: bash + run: | + if which git-lfs &>/dev/null; then + echo "git-lfs is already installed" + exit 0 + fi + cd $TMP + gh release download --repo git-lfs/git-lfs --pattern "git-lfs-linux-amd64-*.tar.gz" --clobber + tar xzf git-lfs-linux-amd64-*.tar.gz + rm git-lfs-linux-amd64-*.tar.gz + cd git-lfs-* + pwd | tee -a $GITHUB_PATH + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - uses: actions/checkout@v5 + with: + sparse-checkout: | + .github + misc/ripunzip + lfs: true + - name: Download built binaries + uses: actions/download-artifact@v4 + with: + merge-multiple: true + path: misc/ripunzip + - name: Open PR + shell: bash + run: | + git config --global user.name "github-actions[bot]" + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git switch -c update-ripunzip + git add misc/ripunzip + git commit -m "Update ripunzip binaries to version $VERSION" + git push --set-upstream origin update-ripunzip --force + TITLE="Update ripunzip binaries to version $VERSION" + gh pr create \ + --draft \ + --title "$TITLE" \ + --body "Automated 
update of ripunzip binaries." \ + --assignee "$ACTOR" || + (gh pr edit --title "$TITLE" --add-assignee "$ACTOR" && gh pr ready --undo) + env: + ACTOR: ${{ github.actor }} + VERSION: ${{ needs.versions.outputs.ripunzip-version }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
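Review bot: The `Ensure git-lfs is installed` step in the new `publish` job downloads whichever git-lfs release is current, unpacks it and appends it to `GITHUB_PATH` without checking a digest or signature. That binary then runs during the `lfs: true` checkout and the later `git push`, in a job holding `contents: write` and `pull-requests: write`. Pinning a release tag and verifying the tarball against a recorded SHA-256 before extraction closes that gap; the fence below sketches it with placeholder values that need filling in. `cd $TMP` is unquoted and relies on `TMP` being set on the runner, which I cannot confirm from the hunk, whereas `"$RUNNER_TEMP"` is the documented per-job temp directory. The actions added here are referenced by mutable tag (`actions/checkout@v5`, `actions/download-artifact@v4`), and pinning them by commit SHA would suit a job with write access.

```yaml
      - name: Ensure git-lfs is installed
        shell: bash
        run: |
          # … unchanged: early exit when git-lfs is already on PATH …
          cd "$RUNNER_TEMP"
          asset="git-lfs-linux-amd64-$GIT_LFS_VERSION.tar.gz"
          gh release download "$GIT_LFS_VERSION" --repo git-lfs/git-lfs --pattern "$asset" --clobber
          # refuse to unpack anything that does not match the recorded digest
          echo "$GIT_LFS_SHA256  $asset" | sha256sum --check -
          tar xzf "$asset"
          rm "$asset"
          # … unchanged: cd into the extracted directory and append it to GITHUB_PATH …
        env:
          GIT_LFS_VERSION: "<PINNED_GIT_LFS_TAG>"        # placeholder: release tag to pin
          GIT_LFS_SHA256: "<SHA256_OF_PINNED_TARBALL>"   # placeholder: digest taken from that release's checksum file
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```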