diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 6da2c638..d9f49924 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -46,6 +46,7 @@ jobs:
           python -m pip install --upgrade pip
           pip install -r requirements.txt
           pip install -r certificate_automation/requirements.txt
+          pip install -r blog_automation/requirements.txt
 
       - name: Run pytest
         run: |
diff --git a/.github/workflows/run_blog_exporter.yml b/.github/workflows/run_blog_exporter.yml
new file mode 100644
index 00000000..eb4db064
--- /dev/null
+++ b/.github/workflows/run_blog_exporter.yml
@@ -0,0 +1,72 @@
+name: Publish reviewed blogs
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 7 * * *' # daily at 07:00 UTC: publish any newly reviewed blogs
+
+jobs:
+  publish-blogs:
+    if: github.repository == 'Women-Coding-Community/WomenCodingCommunity.github.io'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Cache pip
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-blog-${{ hashFiles('tools/blog_automation/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-blog-
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r tools/blog_automation/requirements.txt
+
+      - name: Write service account key
+        run: echo "$SERVICE_ACCOUNT_KEY" > tools/blog_automation/service_account_key.json
+        env:
+          SERVICE_ACCOUNT_KEY: ${{ secrets.BLOG_AUTOMATION_SERVICE_ACCOUNT }}
+
+      - name: Export reviewed blogs
+        run: |
+          cd tools/blog_automation
+          python publish_reviewed_blogs.py
+
+      - name: Remove service account key
+        if: always()
+        run: rm -f tools/blog_automation/service_account_key.json
+
+      - name: Create or Update Pull Request
+        id: create-pr
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: ${{ secrets.GHA_ACTIONS_ALLOW_TOKEN }}
+          commit-message: "Automated import of reviewed blog posts"
+          branch: "automation/import-blog"
+          team-reviewers: "Women-Coding-Community/leaders"
+          title: "Automated import of reviewed blog posts"
+          body: |
+            This PR was created automatically by a GitHub Action.
+
+            It contains every blog marked `isReviewedandApproved` (and not yet
+            `isPublished`) in the submissions spreadsheet:
+            - new posts under `_posts/`
+            - cover images under `assets/images/blog/`
+
+            The spreadsheet's `isPublished` column has already been set to TRUE for
+            these rows. Please review the rendered posts before merging.
+          labels: |
+            automation
+          add-paths: |
+            _posts/**
+            assets/images/blog/**
diff --git a/tools/blog_automation/README.md b/tools/blog_automation/README.md
index 426862a9..e49c4d33 100644
--- a/tools/blog_automation/README.md
+++ b/tools/blog_automation/README.md
@@ -17,10 +17,10 @@ To allow our scripts to access Google Drive and export documents, you need to cr
 👉 **Note:** You need the **Project Editor** or **Owner** role on this project to create service accounts and keys.  
 If you’re the one who created the project, you already have these permissions.
 
-### 1. Enable the Drive API
+### 1. Enable the Drive and Sheets APIs
 1. In the left menu, go to **APIs & Services → Library**.
-2. Search for **Google Drive API**.
-3. Click **Enable**.
+2. Search for **Google Drive API** and click **Enable**.
+3. Search for **Google Sheets API** and click **Enable** (needed to read the submissions spreadsheet).
 
 ### 2. Create a Service Account
 1. In the left menu, go to **IAM & Admin → Service Accounts**.
@@ -47,6 +47,7 @@ If you’re the one who created the project, you already have these permissions.
 4. Give it at least **Viewer** access.
 5. Save changes.  
    - Now the service account can read/export files in that folder or doc.
+6. Repeat the **Share** step for the **blog submissions spreadsheet** (the Google Form responses sheet), giving the service account **Editor** access. Editor (not just Viewer) is required because the pipeline writes `isPublished = TRUE` back to a row after exporting it.
 
 ---
 
@@ -75,8 +76,53 @@ Then the **Document ID** is:
 
 Use this ID in your scripts when exporting the document.
 
-## Run Automation
+## Export a single blog manually (for testing)
 1. Activate virtual environment: `source venv/bin/activate`
-2. Run the script: `python doc_to_html_conversion.py <DOC_ID>`
+2. Export one Google Doc into a post:
+   `python blog_exporter.py --doc_id <DOC_ID> --author_name "Jane Doe" --image_link "<DRIVE_IMAGE_LINK>"`
+
+This is handy to check a Doc renders correctly. The full pipeline below reads all
+of this metadata from the spreadsheet automatically.
+
+## Tests
+
+Run `pytest test_blog_exporter.py`
+
+## CI/CD pipeline: publish a blog when you mark it reviewed
+
+The Google Sheet is the **single source of truth** — there is no local CSV. The
+GitHub Action [`.github/workflows/run_blog_exporter.yml`](../../.github/workflows/run_blog_exporter.yml)
+turns a reviewed blog into a pull request automatically.
+
+### How to publish a blog (the editor's workflow)
+1. In the submissions spreadsheet (the **Form Responses 1** sheet), set the row's
+   **`isReviewedandApproved`** cell to **`TRUE`** once the draft is reviewed.
+   Leave **`isPublished`** blank/`FALSE`.
+2. Within a day (or immediately via **Actions → Publish reviewed blogs → Run
+   workflow**) the action exports the blog, sets that row's **`isPublished`** to
+   `TRUE` in the sheet, and opens/updates a PR
+   (`Automated import of reviewed blog posts`) with the new post and cover image.
+3. **Review the rendered post and merge.**
+
+### What runs
+`publish_reviewed_blogs.py` reads the sheet and exports every row where
+`isReviewedandApproved` is `TRUE` and `isPublished` is not `TRUE`. Because the
+`isPublished` flag is written straight back to the sheet, a blog is never exported
+twice — and the existing backlog (already `isPublished = TRUE`) is left alone.
+
+> The draft must be a **native Google Doc** (Drive can only export those to
+> Markdown). If a submitter uploaded a `.docx`/`.pdf`, open it and do
+> **File → Save as Google Docs** first, otherwise that row is skipped with an error.
+
+### One-time repo setup
+- **Service account needs Editor access to the spreadsheet** (see setup step 4) so
+  the pipeline can write back `isPublished`.
+- **Secret `BLOG_AUTOMATION_SERVICE_ACCOUNT`** — paste the full contents of
+  `service_account_key.json` into a repository secret with this name
+  (Settings → Secrets and variables → Actions). The workflow writes it to disk at
+  runtime and deletes it afterwards; the key is never committed.
+- **Secret `GHA_ACTIONS_ALLOW_TOKEN`** — already used by the other automations; it
+  lets the action open the pull request.
+
 
 
diff --git a/tools/blog_automation/blog_exporter.py b/tools/blog_automation/blog_exporter.py
new file mode 100644
index 00000000..1facf879
--- /dev/null
+++ b/tools/blog_automation/blog_exporter.py
@@ -0,0 +1,322 @@
+import argparse
+import json
+import os
+import re
+import shutil
+import datetime as dt
+from pathlib import Path
+import bleach
+import markdown
+import pandas as pd
+from google.oauth2 import service_account
+from googleapiclient.discovery import build
+from googleapiclient.errors import HttpError
+
+# --- Configuration ---
+SERVICE_ACCOUNT_FILE = 'service_account_key.json'
+# Used when a submission's cover image can't be downloaded (missing/not shared).
+DEFAULT_IMAGE_PATH = '/assets/images/blog/default.jpg'
+
+# Allowlist for sanitizing HTML converted from submitted Google Docs. Covers the
+# formatting blog posts need; everything else (scripts, iframes, event handlers,
+# etc.) is stripped. See _markdown_to_html.
+ALLOWED_TAGS = [
+    'p', 'br', 'hr', 'span',
+    'strong', 'b', 'em', 'i', 'u', 's', 'sub', 'sup', 'small', 'mark',
+    'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
+    'ul', 'ol', 'li', 'dl', 'dt', 'dd',
+    'a', 'img',
+    'code', 'pre', 'blockquote',
+    'table', 'thead', 'tbody', 'tr', 'th', 'td', 'caption',
+]
+ALLOWED_ATTRIBUTES = {
+    'a': ['href', 'title', 'rel'],
+    'img': ['src', 'alt', 'title'],
+}
+ALLOWED_PROTOCOLS = ['http', 'https', 'mailto']
+YAML_HEADER = '''---
+layout: post
+title: {title}
+date: {date}
+author_name: {author_name}
+author_role: {author_role}
+image: {image_path}
+image_source: {image_source}
+description: {description}
+category: blog
+---
+'''
+
+def _yaml_scalar(value):
+    """Return a YAML-safe double-quoted scalar.
+
+    Free-text fields (title, description, ...) can contain ``:``, ``&``, quotes
+    etc. that break unquoted YAML front matter. A JSON-encoded string is always a
+    valid YAML double-quoted scalar, so json.dumps gives us correct escaping.
+    """
+    return json.dumps('' if value is None else str(value), ensure_ascii=False)
+
+def _current_directory():
+    return os.path.dirname(os.path.abspath(__file__))
+
+def drive_connection():
+    """Return a read-only Drive v3 client; exits with status 1 if the key file is missing."""
+    service_account_path = os.path.join(_current_directory(), SERVICE_ACCOUNT_FILE)
+    if not os.path.exists(service_account_path):
+        print(f"ERROR: Service account key file '{service_account_path}' not found.\n"
+              "Please obtain your own Google service account key and place it at this path.\n"
+              "(Never commit this file to version control.)")
+        # site's exit() helper is for interactive use and may be absent (python -S).
+        raise SystemExit(1)
+    creds = service_account.Credentials.from_service_account_file(
+        service_account_path, scopes=['https://www.googleapis.com/auth/drive.readonly']
+    )
+    return build('drive', 'v3', credentials=creds)
+
+def _posts_directory():
+    script_dir = Path(_current_directory())
+    posts_dir = (script_dir / "../../_posts").resolve()
+    return posts_dir
+
+def _today_date_str():
+    return dt.date.today().isoformat()
+
+def _create_blog_filename_with_date(doc_name, date_str):
+    # Slugify: lowercase, and collapse any run of non-alphanumeric characters
+    # (spaces, ':', ',', etc.) into a single hyphen so the filename is valid.
+    slug = re.sub(r'[^a-z0-9]+', '-', doc_name.lower()).strip('-')
+    return f"{date_str}-{slug}"
+
+def _get_doc_name_from_drive(doc_id, drive):
+    """Fetch document name from Google Drive."""
+    try:
+        file = drive.files().get(fileId=doc_id, fields='name').execute()
+        return file['name']
+    except HttpError as error:
+        print(f"ERROR: Could not fetch document from Drive (ID: {doc_id})\n{error}")
+        return None
+
+def _get_doc_content_as_markdown(doc_id, drive):
+    """Export Google Doc as markdown."""
+    try:
+        request = drive.files().export_media(fileId=doc_id, mimeType='text/markdown')
+        file_content = request.execute()
+        return file_content.decode('utf-8')
+    except HttpError as error:
+        print(f"ERROR: Could not export document from Drive (ID: {doc_id})\n{error}")
+        return None
+
+def _markdown_to_html(markdown_text):
+    """Convert Markdown to HTML with custom formatting.
+
+    Blog content comes from community-submitted Google Docs, which can contain
+    arbitrary raw HTML. We sanitize the converted HTML against an explicit
+    allowlist so a submitted document cannot inject <script>, event handlers or
+    javascript: URLs into the published (public) site.
+    """
+    html = markdown.markdown(markdown_text)
+
+    # Remove <strong> tags from inside heading tags
+    html = re.sub(r'<h(\d)><strong>(.+?)</strong></h\1>', r'<h\1>\2</h\1>', html)
+
+    # Remove the first heading if present
+    html = re.sub(r'^<h[1-6]>.*?</h[1-6]>\s*', '', html, flags=re.DOTALL)
+
+    # Strip anything outside the allowlist (drops <script>, on* handlers, etc.)
+    html = bleach.clean(
+        html,
+        tags=ALLOWED_TAGS,
+        attributes=ALLOWED_ATTRIBUTES,
+        protocols=ALLOWED_PROTOCOLS,
+        strip=True,
+    )
+
+    # Wrap the body in <div class="text-justify"> (added after sanitizing, so the
+    # wrapper we control is never stripped).
+    html_body = f'<div class="text-justify">\n{html}\n</div>'
+
+    return html_body
+
+def _download_blog_image(blog_image_drive_link, drive):
+    """Download a cover image from a Google Drive link into this directory.
+
+    Args:
+        blog_image_drive_link: Drive URL containing ``id=<ID>`` or ``/d/<ID>``.
+        drive: Drive v3 client used for the metadata and media requests.
+
+    Returns:
+        Path of the downloaded temporary file, or None when the link has no
+        file ID, the file is not an image, or Drive rejects the request. An
+        unparsable link returns None rather than raising, so it cannot block the post.
+    """
+    match = re.search(r"(?:id=|/d/)([^/&?]+)", str(blog_image_drive_link))
+    if not match:
+        print(f"WARNING: Could not extract file ID from image link: {blog_image_drive_link}")
+        return None
+    file_id = match.group(1)
+
+    try:
+        file_metadata = drive.files().get(fileId=file_id, fields='name, mimeType').execute()
+        mime_type = file_metadata.get('mimeType', '')
+        # Drive names are user-controlled: keep only the final path component so
+        # a name such as "../../x.png" cannot be written outside this directory.
+        file_name = os.path.basename(file_metadata['name']) or file_id
+        if not mime_type.startswith('image/'):
+            print(f"WARNING: cover file is '{mime_type}', not an image ({file_name}); skipping.")
+            return None
+
+        temp_path = os.path.join(_current_directory(), file_name)
+        with open(temp_path, 'wb') as f:
+            f.write(drive.files().get_media(fileId=file_id).execute())
+        return temp_path
+    except HttpError as error:
+        print(f"WARNING: Could not download image from Drive\n{error}")
+        return None
+
+def _copy_image_to_blog_assets(image_path, blog_filename):
+    """Copy image into assets/images/blog as <blog_filename><ext>; return its site path.
+
+    Returns None when image_path is empty or does not exist on disk.
+    """
+    if not image_path or not os.path.exists(image_path):
+        return None
+    assets_dir = Path(_current_directory()).resolve().parent.parent / 'assets' / 'images' / 'blog'
+    assets_dir.mkdir(parents=True, exist_ok=True)
+    # splitext only inspects the final path component; splitting the whole path
+    # on '.' breaks for extension-less files under a dotted dir (e.g. *.github.io).
+    new_image_filename = blog_filename.split('.')[0] + os.path.splitext(image_path)[1]
+    shutil.copy(image_path, assets_dir / new_image_filename)
+    return f"/assets/images/blog/{new_image_filename}"
+
+# def _get_image_path_from_blog_filename_and_image_extension(blog_filename, image_extension):
+#     assets_dir = Path(_current_directory()).resolve().parent.parent / 'assets' / 'images' / 'blog'
+#     image_filename = assets_dir / (blog_filename.split('.')[0] + image_extension)
+#     return image_filename
+
+def download_image_and_copy_to_repo(image_link, blog_filename, drive):
+    downloaded_image_path = _download_blog_image(image_link, drive)
+    if downloaded_image_path is None:
+        # Image missing or not shared with the service account; caller falls back
+        # to the default cover image.
+        return None
+
+    image_path_relative = _copy_image_to_blog_assets(
+        downloaded_image_path,
+        blog_filename
+    )
+
+    os.remove(downloaded_image_path)  # Clean up temp file
+
+    return image_path_relative
+
+
+def export_blog(blog_info, date=None, doc_id_override=None):
+    """
+    Export a single blog into a Jekyll post (HTML) plus its cover image.
+
+    Args:
+        blog_info: Mapping (dict / pandas Series) with the keys produced by
+            blog_info_from_spreadsheet._extract_and_rename_relevant_fields:
+            doc_id, author_name, author_role, description, source, image_link.
+        date: Blog post date (defaults to today).
+        doc_id_override: Optional Google Doc ID to use instead of blog_info['doc_id'].
+
+    Returns:
+        blog_filename on success; raises ValueError if the Doc can't be exported.
+    """
+    if date is None:
+        date = _today_date_str()
+
+    blog_info_ser = blog_info
+
+    # Determine doc_id
+    doc_id = doc_id_override or blog_info_ser.get('doc_id')
+
+    if pd.isna(doc_id) or not doc_id:
+        print("SKIP: row has no doc_id (external blog link)")
+        raise ValueError("No doc_id found in spreadsheet row. Please specify a doc_id_override.")
+
+    # Connect to Google Drive
+    drive = drive_connection()
+    
+    # 1. Get document name and content
+    doc_name = _get_doc_name_from_drive(doc_id, drive)
+    doc_content = _get_doc_content_as_markdown(doc_id, drive)
+    if doc_name is None or doc_content is None:
+        raise ValueError(
+            f"Could not fetch Google Doc {doc_id} - it may not exist, not be a "
+            f"native Google Doc, or not be shared with the service account."
+        )
+    blog_filename = _create_blog_filename_with_date(doc_name, date)
+    
+    # 2. Convert to HTML
+    html_body = _markdown_to_html(doc_content)
+    
+    # 3. Build YAML header
+    author_name = blog_info_ser.get('author_name', 'Unknown')
+    author_role = blog_info_ser.get('author_role', '')
+    description = blog_info_ser.get('description', '')
+    source = blog_info_ser.get('source', '')
+
+    
+    yaml_header = YAML_HEADER.format(
+        title=_yaml_scalar(doc_name),
+        date=date,
+        author_name=_yaml_scalar(author_name),
+        author_role=_yaml_scalar(author_role),
+        image_path='[IMAGE_PATH]',  # Placeholder, will update after image download
+        image_source=_yaml_scalar(source),
+        description=_yaml_scalar(description)
+    )
+    
+    # 4. Download cover image; fall back to the default if it's missing or not
+    #    shared with the service account, so a bad image never blocks the post.
+    image_path_relative = None
+    image_link = blog_info_ser.get('image_link')
+    if image_link:
+        image_path_relative = download_image_and_copy_to_repo(
+            image_link, blog_filename=blog_filename, drive=drive
+        )
+    if not image_path_relative:
+        print(f"WARNING: no usable cover image for '{doc_name}'; using default cover.")
+        image_path_relative = DEFAULT_IMAGE_PATH
+    yaml_header = yaml_header.replace('[IMAGE_PATH]', image_path_relative)
+
+    # 5. Combine and save
+    final_html = yaml_header + '\n' + html_body
+    
+    posts_dir = _posts_directory()
+    posts_dir.mkdir(parents=True, exist_ok=True)
+    
+    filename = posts_dir / f"{blog_filename}.html"
+    with open(filename, 'w', encoding='utf-8') as f:
+        f.write(final_html)
+    
+    print(f"✓ Exported blog to: {filename}")
+    return blog_filename
+
+
+if __name__ == "__main__":
+    # Ad-hoc single-blog export, handy for testing a Google Doc renders correctly:
+    #   python blog_exporter.py --doc_id <DOC_ID> --author_name "Jane Doe"
+    parser = argparse.ArgumentParser(description="Export a single blog Doc into an HTML post.")
+    parser.add_argument("--doc_id", required=True, help="Google Doc ID to export.")
+    parser.add_argument("--author_name", default="")
+    parser.add_argument("--author_role", default="")
+    parser.add_argument("--description", default="")
+    parser.add_argument("--source", default="")
+    parser.add_argument("--image_link", default="", help="Google Drive link to the cover image.")
+    parser.add_argument("--date", help="Date for blog post (YYYY-MM-DD). Defaults to today.")
+
+    args = parser.parse_args()
+    export_blog(
+        {
+            "doc_id": args.doc_id,
+            "author_name": args.author_name,
+            "author_role": args.author_role,
+            "description": args.description,
+            "source": args.source,
+            "image_link": args.image_link,
+        },
+        date=args.date,
+    )
diff --git a/tools/blog_automation/blog_info_from_spreadsheet.py b/tools/blog_automation/blog_info_from_spreadsheet.py
new file mode 100644
index 00000000..e57ed815
--- /dev/null
+++ b/tools/blog_automation/blog_info_from_spreadsheet.py
@@ -0,0 +1,84 @@
+import re
+import pandas as pd
+
+SPREADSHEET_ID = '1Pje2qOn23OgtAyhjqKwQFYcaEAE3gAy5f3T_5LCgA2o'
+WORKSHEET_NAME = 'Form Responses 1'
+
+# Spreadsheet columns that drive the pipeline (maintained by the review team):
+#   REVIEWED_COLUMN  -> reviewer ticks TRUE once a blog is reviewed & approved.
+#   PUBLISHED_COLUMN -> TRUE once the blog is live on the site.
+# A blog is exported when REVIEWED_COLUMN is TRUE and PUBLISHED_COLUMN is not.
+REVIEWED_COLUMN = 'isReviewedandApproved'
+PUBLISHED_COLUMN = 'isPublished'
+
+def _extract_doc_id_from_url(url):
+    """Extract the Google document/file ID from a Drive or Docs URL.
+
+    Handles the formats the submission form produces, e.g.
+      https://docs.google.com/document/d/<ID>/edit
+      https://drive.google.com/open?id=<ID>
+      https://drive.google.com/file/d/<ID>/view
+    """
+    if not isinstance(url, str):
+        return None
+    match = re.search(r'(?:/d/|[?&]id=)([a-zA-Z0-9-_]+)', url)
+    if match:
+        return match.group(1)
+    return None
+
+def _extract_and_rename_relevant_fields(df):
+    formatted_df = pd.DataFrame({})
+    formatted_df['url'] = df['Upload your writing draft for review']
+    formatted_df['doc_id'] = formatted_df['url'].apply(_extract_doc_id_from_url)
+    formatted_df['author_name'] = df['What is your full name? ']
+    formatted_df['author_role'] = df['What is your position / company you are working at / associated with? ']
+    formatted_df['description'] = df['Please provide a short description of your writing idea / blog post? ']
+    formatted_df['source'] = df[
+            'Please provide a source of how you obtained/created the infographic/photo/picture used.'
+        ]
+    formatted_df['image_link'] = df['Submit your blog cover image']
+    # Review/publish tracking columns; default to blank if not present yet.
+    formatted_df['is_reviewed_and_approved'] = df[REVIEWED_COLUMN] if REVIEWED_COLUMN in df.columns else ''
+    formatted_df['is_published'] = df[PUBLISHED_COLUMN] if PUBLISHED_COLUMN in df.columns else ''
+    return formatted_df
+
+def get_worksheet(spreadsheet_id=SPREADSHEET_ID):
+    """Open the submissions worksheet (read + write) using the key file beside this module."""
+    import os
+    import gspread
+    key_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), "service_account_key.json")
+    return gspread.service_account(filename=key_path).open_by_key(spreadsheet_id).worksheet(WORKSHEET_NAME)
+
+def dataframe_from_worksheet(worksheet):
+    """Build a DataFrame from a worksheet's raw cell values.
+
+    Uses raw values rather than get_all_records(): the form sheet has duplicate
+    (blank) header cells, which get_all_records() rejects. pandas tolerates
+    duplicate column names, and we only ever select uniquely-named columns.
+    """
+    values = worksheet.get_all_values()
+    header, rows = values[0], values[1:]
+    return pd.DataFrame(rows, columns=header)
+
+def dataframe_of_blog_spreadsheet_info(spreadsheet_id=SPREADSHEET_ID):
+    return dataframe_from_worksheet(get_worksheet(spreadsheet_id))
+
+def mark_row_published(worksheet, data_row_index):
+    """Set the isPublished cell to TRUE for a data row (0-based, header excluded).
+
+    Requires the service account to have edit access to the spreadsheet.
+    """
+    header = worksheet.row_values(1)
+    col = header.index(PUBLISHED_COLUMN) + 1   # gspread is 1-based
+    worksheet.update_cell(data_row_index + 2, col, 'TRUE')  # +2: header row + 1-based
+
+if __name__ == '__main__':
+    # Quick connectivity check: print the row count and the column names.
+    df = dataframe_of_blog_spreadsheet_info()
+    print(f"{len(df)} rows; columns: {list(df.columns)}")
+
+
+
+
+
+
diff --git a/tools/blog_automation/doc_to_html_conversion.py b/tools/blog_automation/doc_to_html_conversion.py
deleted file mode 100644
index 3d9cc987..00000000
--- a/tools/blog_automation/doc_to_html_conversion.py
+++ /dev/null
@@ -1,109 +0,0 @@
-from google.oauth2 import service_account
-from googleapiclient.discovery import build
-import os
-import markdown
-import argparse
-from pathlib import Path
-from googleapiclient.errors import HttpError
-import datetime as dt
-
-# --- Configuration ---
-SERVICE_ACCOUNT_FILE = 'service_account_key.json'
-YAML_HEADER = '''
----
-layout: post
-title: [TITLE]
-date: [DATE]
-author_name: [AUTHOR]
-author_role: [AUTHOR ROLE]
-image: [IMG PATH]
-image_source: [IMG SOURCE (optional)]
-description: [BLOG DESCRIPTION]
-category: [CATEGORY]
----
-'''
-
-def _current_directory():
-    return Path(__file__).resolve().parent
-
-def _posts_directory():
-    # Path to the directory where the script itself is located
-    script_dir = _current_directory()
-
-    # Construct the path relative to the script’s location
-    posts_dir = (script_dir / "../../_posts").resolve()
-
-    return posts_dir
-
-def _today_date_str():
-    return dt.date.today().isoformat()
-
-def _create_blog_filename_with_date(doc_name, date_str):
-    formatted_blog_title = doc_name.lower().replace(' ', '-').strip()
-    filename = f"{date_str}-{formatted_blog_title}"
-    return filename
-
-def export_blog_as_html(document_id, date=None):
-    if date is None:
-        date = _today_date_str()
-    service_account_path = os.path.join(_current_directory(), SERVICE_ACCOUNT_FILE)
-    if not os.path.exists(service_account_path):
-        print(f"ERROR: Service account key file '{service_account_path}' not found.\n"
-              "Please obtain your own Google service account key and place it at this path.\n"
-              "(Never commit this file to version control.)")
-        exit(1)
-    creds = service_account.Credentials.from_service_account_file(
-        service_account_path, 
-        scopes=['https://www.googleapis.com/auth/drive.readonly']
-    )
-    drive = build('drive', 'v3', credentials=creds)
-
-    try:
-        # 1. Get document name from Drive
-        doc_metadata = drive.files().get(fileId=document_id, fields='name').execute()
-        doc_name = doc_metadata.get('name', 'exported_blog')
-        blog_filename = _create_blog_filename_with_date(doc_name, date)
-
-        # 2. Export as Markdown
-        request = drive.files().export_media(
-            fileId=document_id,
-            mimeType='text/markdown'
-        )
-        md_bytes = request.execute()
-    except HttpError as error:
-        if error.resp.status == 404:
-            raise FileNotFoundError(f"Document ID '{document_id}' not found.") from error
-        else:
-            raise
-
-    # 3. Convert Markdown to HTML and save to local file
-    import re
-    html = markdown.markdown(md_bytes.decode('utf-8'))
-    # Remove <strong> tags from inside heading tags (e.g. <h2><strong>Heading</strong></h2> -> <h2>Heading</h2>)
-    html = re.sub(r'<h(\d)><strong>(.+?)</strong></h\1>', r'<h\1>\2</h\1>', html)
-
-    # Remove the first heading if present (e.g. <h1>...</h1> or <h2>...</h2> at the start)
-    html = re.sub(r'^<h[1-6]>.*?</h[1-6]>\s*', '', html, flags=re.DOTALL)
-
-    # Wrap the body in <div class="text-justify">
-    html_body = f'<div class="text-justify">\n{html}\n</div>'
-
-    # YAML front matter
-    yaml_header = YAML_HEADER.replace('[TITLE]', doc_name.title()).replace('[DATE]', date)
-
-    final_html = yaml_header + '\n' + html_body
-
-    posts_dir = _posts_directory()
-    filename = f"{posts_dir}/{blog_filename}.html"
-    with open(filename, 'w', encoding='utf-8') as f:
-        f.write(final_html)
-
-    print(f"Saved HTML to: {filename}")
-
-if __name__ == "__main__":
-    # To run script: `python export_blog.py <DOC_ID> --date <DATE>`
-    parser = argparse.ArgumentParser(description="Export a Google Doc as HTML with custom formatting.")
-    parser.add_argument("doc_id", help="The Google Doc ID to export.")
-    parser.add_argument("--date", help="Date for the blog post (YYYY-MM-DD). If not provided, uses today.", default=None)
-    args = parser.parse_args()
-    export_blog_as_html(args.doc_id, args.date)
diff --git a/tools/blog_automation/publish_reviewed_blogs.py b/tools/blog_automation/publish_reviewed_blogs.py
new file mode 100644
index 00000000..190b23eb
--- /dev/null
+++ b/tools/blog_automation/publish_reviewed_blogs.py
@@ -0,0 +1,78 @@
+"""Export every blog that has been reviewed but not yet published.
+
+This is the single entry point the GitHub Action runs. The Google Sheet is the
+only source of truth; there is no local snapshot. On each run it:
+
+  1. Reads the Form Responses sheet via the service account.
+  2. Selects rows where ``isReviewedandApproved`` is TRUE and ``isPublished`` is
+     not TRUE (i.e. approved but not yet on the site).
+  3. Exports each selected blog (Doc -> HTML post + cover image).
+  4. Writes ``isPublished = TRUE`` back to the sheet for each exported row, so it
+     is never exported again.
+
+The workflow then opens a PR with the new ``_posts/`` files and images for a
+human to review before merging.
+
+Requirements:
+  - The service account must have **edit** access to the spreadsheet (step 4
+    writes back to it).
+  - Must be run from this directory (the service account key and the Jekyll
+    ``_posts`` folder are resolved relative to it).
+"""
+import pandas as pd
+
+from blog_info_from_spreadsheet import (
+    get_worksheet,
+    dataframe_from_worksheet,
+    _extract_and_rename_relevant_fields,
+    mark_row_published,
+)
+from blog_exporter import export_blog
+
+
+def _is_true(value):
+    """True for the sheet's ``TRUE``/truthy cell values (case-insensitive)."""
+    return str(value).strip().lower() in {'true', 'yes', '1'}
+
+
+def _select_rows_to_publish(df):
+    """Indices of rows that are approved, not yet published, and have a doc_id."""
+    to_publish = []
+    for i, (_, row) in enumerate(df.iterrows()):
+        if not _is_true(row.get('is_reviewed_and_approved')):
+            continue
+        if _is_true(row.get('is_published')):
+            continue
+        if pd.isna(row.get('doc_id')) or not str(row.get('doc_id')).strip():
+            print(f"SKIP row {i}: approved but has no doc_id (external blog link).")
+            continue
+        to_publish.append(i)
+    return to_publish
+
+
+def main():
+    """Export every approved, unpublished row and flag each one in the sheet.
+
+    A failure on one row (export or sheet write-back) is logged and skipped: an
+    uncaught error would fail the workflow step before the PR is opened, and
+    posts from rows already flagged isPublished would never be committed.
+    """
+    worksheet = get_worksheet()
+    df = _extract_and_rename_relevant_fields(dataframe_from_worksheet(worksheet)).reset_index(drop=True)
+    to_publish = _select_rows_to_publish(df)
+    if not to_publish:
+        print("No reviewed, unpublished blogs to export.")
+        return
+    print(f"Exporting {len(to_publish)} reviewed blog(s): rows {to_publish}")
+    for i in to_publish:
+        row = df.iloc[i]
+        try:
+            if export_blog(row):
+                mark_row_published(worksheet, i)
+                print(f"Marked row {i} as published in the sheet.")
+        except Exception as error:  # keep going so one bad row can't block the rest
+            print(f"ERROR publishing row {i} ({row.get('author_name')!r}): {error}")
+
+
+if __name__ == '__main__':
+    main()
diff --git a/tools/blog_automation/requirements.txt b/tools/blog_automation/requirements.txt
index fa7d8270..beab2132 100644
--- a/tools/blog_automation/requirements.txt
+++ b/tools/blog_automation/requirements.txt
@@ -1,23 +1,6 @@
-cachetools==5.5.2
-certifi==2025.8.3
-charset-normalizer==3.4.2
-google-api-core==2.25.1
+bleach==6.1.0
 google-api-python-client==2.177.0
 google-auth==2.40.3
-google-auth-httplib2==0.2.0
-google-auth-oauthlib==1.2.2
-googleapis-common-protos==1.70.0
-httplib2==0.22.0
-idna==3.10
+gspread==6.2.0
+pandas==2.2.1
 Markdown==3.8.2
-oauthlib==3.3.1
-proto-plus==1.26.1
-protobuf==6.31.1
-pyasn1==0.6.1
-pyasn1_modules==0.4.2
-pyparsing==3.2.3
-requests==2.32.4
-requests-oauthlib==2.0.0
-rsa==4.9.1
-uritemplate==4.2.0
-urllib3==2.5.0
diff --git a/tools/blog_automation/test_blog_exporter.py b/tools/blog_automation/test_blog_exporter.py
new file mode 100644
index 00000000..32553d27
--- /dev/null
+++ b/tools/blog_automation/test_blog_exporter.py
@@ -0,0 +1,38 @@
+import pytest
+from blog_exporter import drive_connection, download_image_and_copy_to_repo
+import os
+from pathlib import Path
+
+# This is an integration test: it needs the service account key and live Google
+# Drive access. Skip it when the key is absent (e.g. CI, where fork PRs cannot
+# access secrets) so it doesn't fail the suite.
+_SERVICE_ACCOUNT_KEY = Path(__file__).resolve().parent / "service_account_key.json"
+pytestmark = pytest.mark.skipif(
+    not _SERVICE_ACCOUNT_KEY.exists(),
+    reason="requires service_account_key.json and live Google Drive access",
+)
+
+@pytest.mark.parametrize(
+    "example_image", 
+    [
+        "https://drive.google.com/open?id=1o4byZahHg6KpqvKlJU_IJ0RKZ-nmcMnw",
+        "https://drive.google.com/file/d/1o4byZahHg6KpqvKlJU_IJ0RKZ-nmcMnw/view",
+        "https://drive.google.com/open?id=1DF08PAjvFPBv8ZGigjwiaFn1JP8TUHg7"
+    ]
+)
+def test_download_image_and_copy_to_repo(example_image):
+    blog_filename = "test_blog_image"
+    blog_assets_dir = Path(__file__).resolve().parent.parent.parent / 'assets' / 'images' / 'blog'
+    # if ../assets/images/blog/{blog_filename}.png exists, then remove it
+    if os.path.exists(blog_assets_dir / f'{blog_filename}.png'):
+        os.remove(blog_assets_dir / f'{blog_filename}.png')
+
+    drive = drive_connection()
+
+    image_path_relative = download_image_and_copy_to_repo(
+        image_link=example_image, blog_filename=blog_filename, drive=drive)
+    
+    assert image_path_relative == f"/assets/images/blog/{blog_filename}.png"
+    
+    # assert that blog_filename exists
+    os.remove(blog_assets_dir / f'{blog_filename}.png')
\ No newline at end of file