diff --git a/.github/workflows/upgrade-ranger.yaml b/.github/workflows/upgrade-ranger.yaml
new file mode 100644
index 0000000000..0625a2e165
--- /dev/null
+++ b/.github/workflows/upgrade-ranger.yaml
@@ -0,0 +1,93 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Upgrade Ranger
+
+on:
+  workflow_dispatch:
+    inputs:
+      build-branch:
+        description: 'branch to checkout for docker-build'
+        required: true
+      source-run-id:
+        description: "GitHub Actions run ID to fetch build artifacts from"
+        required: true
+        type: string
+
+permissions:
+  contents: read
+  actions: read
+
+jobs:
+  upgrade:
+    strategy:
+      fail-fast: false
+      matrix:
+        earlier-release: [2.6.0, 2.7.0]
+        db: [postgres, mysql, oracle]
+    runs-on: ubuntu-22.04
+    timeout-minutes: 60
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.build-branch }}
+
+      - name: Download artifacts from another workflow run
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh run download ${{ inputs.source-run-id }} --repo apache/ranger --name target-8 --dir external-artifacts
+
+      - name: Copy artifacts for docker build
+        id: version
+        run: |
+          cp external-artifacts/ranger-*.tar.gz dev-support/ranger-docker/dist
+          cp external-artifacts/version dev-support/ranger-docker/dist
+          VERSION=$(cat external-artifacts/version)
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          ls -lrt dev-support/ranger-docker/dist/
+      
+      - name: Run download-archives.sh
+        run: |
+          cd dev-support/ranger-docker
+          ./download-archives.sh none
+          
+          curl -LO https://downloads.apache.org/ranger/KEYS
+          gpg --import KEYS
+      
+      - name: Bringing up Ranger ${{ matrix.earlier-release }} in Docker
+        run: |
+          cd dev-support/ranger-docker
+          export RANGER_DB_TYPE=${{ matrix.db }}
+          export RANGER_VERSION=${{ matrix.earlier-release }}
+          chmod +x download-ranger.sh && ./download-ranger.sh
+          docker compose -f docker-compose.ranger.yml build
+          docker compose -f docker-compose.ranger.yml up -d
+          sleep 30
+          docker logs ranger
+
+      - name: Upgrading to ${{ steps.version.outputs.version }} in Docker
+        run: |
+          cd dev-support/ranger-docker
+          export RANGER_DB_TYPE=${{ matrix.db }}
+          export RANGER_VERSION=${{ steps.version.outputs.version }}
+          docker compose -f docker-compose.ranger.yml build
+          docker compose -f docker-compose.ranger.yml up -d
+          sleep 180
+          docker logs ranger
+
+      - name: Remove running containers
+        run: |
+          docker stop $(docker ps -q) && docker rm $(docker ps -aq)
diff --git a/dev-support/ranger-docker/download-ranger.sh b/dev-support/ranger-docker/download-ranger.sh
new file mode 100755
index 0000000000..b16788386a
--- /dev/null
+++ b/dev-support/ranger-docker/download-ranger.sh
@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+set -u -o pipefail
+
+: ${BASE_URL:="https://www.apache.org/dyn/closer.lua?action=download&filename="}
+: ${CHECKSUM_BASE_URL:="https://downloads.apache.org/"}
+: ${RANGER_VERSION:=2.6.0}
+
+download_if_not_exists() {
+  local url="$1"
+  local file="$2"
+
+  if [[ -e "${file}" ]]; then
+    echo "${file} already downloaded"
+  else
+    echo "Downloading ${file} from ${url}"
+    curl --fail --location --output "${file}" --show-error --silent "${url}" || rm -fv "${file}"
+  fi
+}
+
+download_and_verify() {
+  local remote_path="$1"
+  local file="$(basename "${remote_path}")"
+
+  pushd dist
+  download_if_not_exists "${BASE_URL}${remote_path}" "${file}"
+  download_if_not_exists "${CHECKSUM_BASE_URL}${remote_path}.asc" "${file}.asc"
+  gpg --verify "${file}.asc" "${file}" || exit 1
+  popd
+}
+
+mkdir -p dist
+# source
+download_and_verify "ranger/${RANGER_VERSION}/apache-ranger-${RANGER_VERSION}.tar.gz"
+# binary
+download_and_verify "ranger/${RANGER_VERSION}/services/admin/ranger-${RANGER_VERSION}-admin.tar.gz"