diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml index 2e74f74..02fd83a 100644 --- a/.github/workflows/update.yml +++ b/.github/workflows/update.yml @@ -18,6 +18,8 @@ jobs: run: | nix-build repo -A autoPrUpdate result/bin/auto-pr-update repo > body + env: + GH_TOKEN: ${{ github.token }} - name: Create Pull Request uses: peter-evans/create-pull-request@v6 diff --git a/default.nix b/default.nix index 1bb67eb..c03808c 100644 --- a/default.nix +++ b/default.nix @@ -78,6 +78,15 @@ let echo -e '```\n' ''; }; + githubActions = pkgs.writeShellApplication { + name = "update-github-actions"; + runtimeInputs = with pkgs; [ + dependabot-cli + jq + github-cli + ]; + text = builtins.readFile ./scripts/update-github-actions.sh; + }; }; in pkgs.writeShellApplication { diff --git a/scripts/update-github-actions.sh b/scripts/update-github-actions.sh new file mode 100755 index 0000000..54516d9 --- /dev/null +++ b/scripts/update-github-actions.sh @@ -0,0 +1,40 @@ +#!/usr/bin/env bash + +# This script calls the dependabot CLI (https://github.com/dependabot/cli) +# to determine updates to GitHub Action dependencies in the local repository. +# It then also applies the updates and outputs the results to standard output. + +set -euo pipefail + +REPO_ROOT=$1 + +echo -e "
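Review bot: The step-level `GH_TOKEN: ${{ github.token }}` exposes the job token to everything this step runs (`nix-build`, every updater behind `auto-pr-update`, and, through `gh auth token` in scripts/update-github-actions.sh, the dependabot CLI), not only to the one call that needs it. The workflow's `permissions:` block is outside this hunk, so what the token can do is not visible here; since a later step opens a pull request it presumably carries write scopes, while looking up action releases should only need read access. Please confirm the job's permissions are the minimum that create-pull-request requires, and add a comment above the `env:` block such as `# read via "gh auth token" in scripts/update-github-actions.sh and handed to the dependabot CLI`.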
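Review bot: `runtimeInputs` pins `dependabot-cli`, `jq` and `github-cli`, but the dependabot CLI, as far as I know, does its work by pulling and running updater and proxy container images through a Docker daemon, which this derivation neither provides nor pins. That would leave the code that handles the GitHub token outside the Nix closure and dependent on whatever image tag is current at run time. A comment above `runtimeInputs` such as `# dependabot-cli also needs a Docker daemon on the runner; the container images it pulls are not pinned by this derivation` would record that, and pinning the images by digest through the CLI's image options would close the gap if that is wanted. The surrounding `let` block starts and ends outside the hunk.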
GitHub Action updates\n\n"
+
+# Each dependabot update call tries to update all dependencies,
+# but the resulting files are output individually for each (with the intention of creating a PR for each).
+# We want to have all changes together though, so we just repeatedly take the first one
+# until there's none anymore (-e jq flag)
+while
+ # Unused argument would be the remote GitHub repo, which is not used if we pass --local
+ create_pull_request=$(LOCAL_GITHUB_ACCESS_TOKEN=$(gh auth token) \
+ dependabot update github_actions this-argument-is-unused --local "$REPO_ROOT" \
+ | jq -ecs 'map(select(.type == "create_pull_request")) | .[0].data')
+do
+ title=$(jq -er '."pr-title"' <<< "$create_pull_request")
+ echo "
$title"
+
+ # Needed because GitHub's rendering of the first body line breaks down otherwise
+ echo ""
+
+ jq -er '."pr-body"' <<< "$create_pull_request"
+ echo '
'
+
+ jq -c '."updated-dependency-files"[]' <<< "$create_pull_request" \
+ | while read -r fileUpdate; do
+ file=$(jq -er '.name' <<< "$fileUpdate")
+ # -j makes sure to not output a trailing newline
+ jq -ejr '.content' <<< "$fileUpdate" > "$REPO_ROOT/$file"
+ done
+done
+
+echo -e "
"
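Review bot: The redirect to `"$REPO_ROOT/$file"` near the end of the loop takes `$file` straight from the `.name` field of dependabot's output, so an absolute path or one containing `..` would be written outside the checkout with the job's privileges. A guard just before the redirect, for example `[[ $file != /* && $file != *..* ]] || { echo "unexpected path: $file" >&2; exit 1; }`, keeps the writes inside the repository. Separately, the `while` condition treats any non-zero status of the `dependabot | jq` pipeline as "no more updates", so a failed dependabot run ends the loop silently with a partial report, and nothing bounds the loop if the same update keeps being proposed. A comment on the condition or an iteration cap would make both cases visible.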