diff --git a/.github/workflows/default-blocklist-updater.sh b/.github/workflows/default-blocklist-updater.sh
new file mode 100755
index 0000000..e0bffd1
--- /dev/null
+++ b/.github/workflows/default-blocklist-updater.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+set -eux
+
+git config user.name "GitHub Actions"
+git config user.email "actions@users.noreply.github.com"
+
+BASE_BRANCH=main
+git fetch origin
+git checkout "${BASE_BRANCH}"
+git reset --hard "origin/${BASE_BRANCH}"
+git clean -ffdx
+
+./blocklist/update.exs
+if [[ -z $(git status -s) ]]; then
+    # no update
+    exit
+fi
+
+DATE=$(date -r tmp/cacerts.pem '+%Y/%m/%d') # linux-specific
+BLOCKLIST_REF=$(pushd deps/sqids_blocklist && git rev-parse --short HEAD)
+NEW_BRANCH=automation/default-blocklist-update/$BLOCKLIST_REF
+if git branch -a | grep "${NEW_BRANCH}" >/dev/null; then
+    # branch already created
+    exit
+fi
+
+REMOTE=origin
+PR_TITLE="Update default blocklist to $BLOCKLIST_REF"
+git checkout -b "$BRANCH"
+git add .
+git commit -a -m "${PR_TITLE}"
+git push "$REMOTE" "$BRANCH"
+
+PR_LABEL="default-blocklist-update"
+if ! gh pr list --state open --label "$PR_LABEL" | grep "${PR_TITLE}" >/dev/null; then
+    gh pr create --fill \
+        --title "${PR_TITLE}" \
+        --label "${PR_LABEL}" \
+        --reviewer "g-andrade"
+fi
diff --git a/.github/workflows/default-blocklist-updater.yml b/.github/workflows/default-blocklist-updater.yml
new file mode 100644
index 0000000..48f7140
--- /dev/null
+++ b/.github/workflows/default-blocklist-updater.yml
@@ -0,0 +1,38 @@
+---
+name: Check for updates to default blocklist
+
+on:
+  schedule:
+    - cron: '23 10 * * 1-5'
+
+  workflow_dispatch: # enables "click to run" button
+
+env:
+  ELIXIR_VERSION: 1.15
+
+jobs:
+  blocklist_update:
+    name: Check for updates to the default blocklist
+    runs-on: ubuntu-latest
+    steps:
+      - id: elixir-version-to-otp-version
+        name: "Read %{Elixir version => OTP version} map"
+        uses: juliangruber/read-file-action@v1
+        with:
+          path: ./.github/workflows/elixir_version_to_otp_version.json
+
+      - id: setup-beam
+        name: Setup BEAM
+        uses: erlef/setup-beam@v1
+        with:
+          # otp-version: https://stackoverflow.com/a/64405821
+          otp-version: |
+            ${{ fromJson(steps.elixir-version-to-otp-version.outputs.content)[env.ELIXIR_VERSION] }}
+          elixir-version: ${{env.ELIXIR_VERSION}}
+        env:
+          GITHUB_TOKEN: ${{github.token}}
+
+      - run: |
+          .github/workflows/default-blocklist-updater.sh
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}