diff --git a/.github/workflows/mirror-to-s3.yml b/.github/workflows/mirror-to-s3.yml
new file mode 100644
index 0000000..01ab6b3
--- /dev/null
+++ b/.github/workflows/mirror-to-s3.yml
@@ -0,0 +1,44 @@
+name: Mirror updates manifests to S3
+on:
+ push:
+ branches: [updates.simplerisk.com, updates-test.simplerisk.com]
+
+permissions:
+ id-token: write # for OIDC
+ contents: read
+
+jobs:
+ mirror:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Resolve channel prefix from branch
+ env:
+ REF_NAME: ${{ github.ref_name }}
+ run: |
+ set -euo pipefail
+ if [ "$REF_NAME" = "updates.simplerisk.com" ]; then
+ echo "PREFIX=latest/updates/" >> "$GITHUB_ENV"
+ elif [ "$REF_NAME" = "updates-test.simplerisk.com" ]; then
+ echo "PREFIX=testing/updates/" >> "$GITHUB_ENV"
+ else
+ echo "Unexpected branch: $REF_NAME" >&2
+ exit 1
+ fi
+
+ - name: Configure AWS credentials (OIDC)
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ vars.UPDATES_PUBLISHER_ROLE_ARN }}
+ aws-region: ${{ vars.AWS_REGION }}
+
+ - name: Upload manifests
+ env:
+ EXTRAS_BUCKET: ${{ vars.EXTRAS_BUCKET }}
+ run: |
+ set -euo pipefail
+ for f in releases.xml Current_Version.xml upgrade_path.xml announcements.xml extra_compatibility.xml; do
+ aws s3 cp "$f" "s3://$EXTRAS_BUCKET/${PREFIX}${f}" \
+ --content-type "text/xml" --no-progress
+ done
diff --git a/Current_Version.xml b/Current_Version.xml
index 3ca8012..b6f2a2f 100644
--- a/Current_Version.xml
+++ b/Current_Version.xml
@@ -16,6 +16,6 @@
20260519-001
20260519-001
20260519-001
- 20260519-001
+ 20260604-001
20260519-001
diff --git a/extra_compatibility.xml b/extra_compatibility.xml
index e459da2..42e21b4 100644
--- a/extra_compatibility.xml
+++ b/extra_compatibility.xml
@@ -2673,6 +2673,9 @@
+
+ 20260519-001
+
20260519-001
diff --git a/releases.xml b/releases.xml
index 3099a09..13ede0e 100644
--- a/releases.xml
+++ b/releases.xml
@@ -32,6 +32,7 @@
+