diff --git a/.github/workflows/deploy-to-gcs.yml b/.github/workflows/deploy-to-gcs.yml new file mode 100644 index 0000000..d058cbb --- /dev/null +++ b/.github/workflows/deploy-to-gcs.yml @@ -0,0 +1,53 @@ +name: Deploy repository to GCS + +on: + workflow_call: + inputs: + gcp_workload_identity_provider: + required: true + type: string + gcp_service_account: + required: true + type: string + +permissions: {} + +jobs: + deploy-to-gcs: + runs-on: ubuntu-latest + permissions: + id-token: 'write' # For authenticating with the GitHub workflow identity + + steps: + - uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2 + with: + name: github-pages + + - name: Prepare data for upload + run: | + # Extract the github-pages arcive into ./repository/ + mkdir repository + tar --directory repository -xvf artifact.tar + + - uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1 + with: + token_format: access_token + workload_identity_provider: ${{ inputs.gcp_workload_identity_provider }} + service_account: ${{ inputs.gcp_service_account }} + + - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 + with: + project_id: projectsigstore-staging + + - name: Upload repository to GCS + run: | + BUCKET="gs://tuf-root-staging/" + LOAD_BALANCER="tuf-repo-cdn-lb" + + # Upload metadata, make sure we upload timestamp last + gcloud storage rsync --cache-control=no-store --recursive --exclude=timestamp.json \ + repository/ $BUCKET + gcloud storage cp --cache-control=no-store repository/timestamp.json $BUCKET + + # invalidate CDN cache + gcloud compute url-maps invalidate-cdn-cache $LOAD_BALANCER --path "/*" --async diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 53d9bb9..bdd1238 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
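Review bot: The called workflow takes the OIDC provider and service account as inputs but hard-codes the destination — `project_id: projectsigstore-staging`, `BUCKET="gs://tuf-root-staging/"` and `LOAD_BALANCER="tuf-repo-cdn-lb"` — so the identity a caller supplies and the bucket it writes to are configured in two different places, and a caller passing non-staging credentials would still be pointed at the staging bucket with nothing in the workflow noticing the mismatch. Promoting the project, bucket and load-balancer name to required string inputs (names below are illustrative) keeps identity and destination together, and routing them into the script through `env:` rather than inline `${{ }}` inside `run:` avoids shell interpolation of expression output. The comment in the prepare step should read `# Extract the github-pages archive into ./repository/`. Separately, `--async` on the CDN invalidation lets the job succeed before the invalidation is accepted or rejected, so a failed invalidation is invisible; either drop `--async` or add a comment explaining why fire-and-forget is acceptable given `--cache-control=no-store` is already set on the uploaded objects.
```yaml
on:
  workflow_call:
    inputs:
      # … unchanged: gcp_workload_identity_provider, gcp_service_account …
      gcp_project_id:
        required: true
        type: string
      gcs_bucket:
        required: true
        type: string
      cdn_load_balancer:
        required: true
        type: string

# … unchanged: permissions, download-artifact, prepare and auth steps …

      - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
        with:
          project_id: ${{ inputs.gcp_project_id }}

      - name: Upload repository to GCS
        env:
          BUCKET: ${{ inputs.gcs_bucket }}
          LOAD_BALANCER: ${{ inputs.cdn_load_balancer }}
        run: |
          # … unchanged: rsync, timestamp copy, CDN invalidation …
```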
@@ -43,9 +43,18 @@ jobs: id-token: 'write' # for signing with the GitHub Actions workflow identity uses: ./.github/workflows/test.yml + deploy-to-gcs: + needs: [test-deployed-repository] + permissions: + id-token: 'write' # for authenticating with OIDC + uses: ./.github/workflows/deploy-to-gcs.yml + with: + gcp_workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }} + gcp_service_account: ${{ vars.GCP_SERVICE_ACCOUNT }} + update-issue: runs-on: ubuntu-latest - needs: [build, deploy-to-pages, test-deployed-repository] + needs: [build, deploy-to-pages, test-deployed-repository, deploy-to-gcs] if: always() && !cancelled() permissions: issues: 'write' # for modifying Issues
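Review bot: The new `deploy-to-gcs` job passes `vars.GCP_WORKLOAD_IDENTITY_PROVIDER` and `vars.GCP_SERVICE_ACCOUNT` straight into the required inputs; if either repository variable is missing the expression expands to an empty string, which `required: true` on the called workflow still accepts, so a misconfigured repository fails only inside the auth step rather than at workflow validation. Consider checking the two variables explicitly — a job-level `if: vars.GCP_WORKLOAD_IDENTITY_PROVIDER != '' && vars.GCP_SERVICE_ACCOUNT != ''` if skipping the upload is acceptable (the `needs` entry in `update-issue` already tolerates skipped jobs via `if: always()`), or a first step that fails with a clear message if the publish must never be silently skipped. Note also that a job that `uses:` a reusable workflow cannot carry an `environment:`, so if the GCP trust is meant to be tied to a deployment environment with protection rules, the `environment:` has to be set on the job inside deploy-to-gcs.yml rather than here.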