diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000000000000000000000000000000000..203f3c889b1613b7cedd82d99d70ee0ea7408144
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+      interval: "weekly"
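Review bot: `dependabot[bot]` is already on the auto-merge list visible in `.mergify.yml`, so enabling the `github-actions` ecosystem here means action version bumps can merge as soon as CI passes, without anyone reading them. It is worth deciding whether that is intended for workflow dependencies, which run with the repository token. Dependabot only rewrites tag or commit-SHA references, so the `@main` references added in the new flake-lock workflow will not be tracked by this config. Separately, `interval` is nested four spaces under `schedule:` while the rest of the file uses two; `    interval: "weekly"` keeps the indentation consistent.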
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
index 52b45d9f0966e59af82ec774a6669d62f0e71168..f1fa616b2875fc16d48498e2a04df94306c6d8e4 100644
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -2,6 +2,11 @@ name: "CI - Nix"
 
 on:
   push:
+    branches:
+    - main
+  pull_request:
+    branches:
+    - main
 
 jobs:
   nix:
diff --git a/.github/workflows/update-flake-lock.nix b/.github/workflows/update-flake-lock.nix
new file mode 100644
index 0000000000000000000000000000000000000000..31f4ada122645dd44c90bbb8f153d5af72493362
--- /dev/null
+++ b/.github/workflows/update-flake-lock.nix
@@ -0,0 +1,17 @@
+name: update-flake-lock
+
+on:
+  workflow_dispatch: # allows manual triggering
+  schedule:
+    - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00
+
+jobs:
+  lockfile:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+      - name: Update flake.lock
+        uses: DeterminateSystems/update-flake-lock@main
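Review bot: The file is added as `update-flake-lock.nix`, but GitHub only loads workflow files in `.github/workflows` that end in `.yml` or `.yaml`, so this schedule will never run; rename it to `update-flake-lock.yml`. Both DeterminateSystems actions are referenced at `@main`, a mutable branch, so whatever lands upstream executes here with the job's token. Pin each to a release tag or a full commit SHA, e.g. `uses: DeterminateSystems/update-flake-lock@<full-commit-sha>`. The job also declares no `permissions:` and so depends on the repository default. Since this action pushes a branch and opens a pull request, state the grant explicitly with a job-level `permissions:` mapping of `contents: write` and `pull-requests: write`, and nothing else.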
diff --git a/.mergify.yml b/.mergify.yml
index c513ddee85933840d112a779b637ea578721569b..1b1646ea6e139487bb79abdafa199c653e786112 100644
--- a/.mergify.yml
+++ b/.mergify.yml
@@ -11,7 +11,8 @@ pull_request_rules:
       - check-success = "nix (ubuntu)"
       - check-success = "pre-commit.ci - pr"
       - or:
-        - author = pre-commit-ci[bot]
+        - author = github-actions[bot]
         - author = dependabot[bot]
+        - author = pre-commit-ci[bot]
     actions:
       merge:
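Review bot: Adding `author = github-actions[bot]` to the `or:` list trusts every pull request opened with the default `GITHUB_TOKEN` by any workflow in the repository, not only the flake-lock update, and the new workflow runs third-party actions from `@main`. Narrow the entry to the one PR it is meant for, for example by replacing it with an `and:` group holding `author = github-actions[bot]` and `head = update_flake_lock_action` (assuming the action's default branch name is kept). Also check that the required `nix (ubuntu)` check actually reports on these PRs: pull requests created with `GITHUB_TOKEN` do not start `pull_request` workflow runs, so the rule may never match, or may depend on some other trigger. The rule's name and the start of its conditions are above the hunk, so this is based only on the conditions shown.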