diff --git a/.github/workflows/update-flake-lock.yml b/.github/workflows/update-flake-lock.yml
new file mode 100644
index 00000000..daef842d
--- /dev/null
+++ b/.github/workflows/update-flake-lock.yml
@@ -0,0 +1,26 @@
+name: Update flake.lock
+
+on:
+ schedule:
+ # Weekly on Thursday at 06:00 UTC — keeps inputs fresh without noise
+ - cron: "0 6 * * 4"
+ workflow_dispatch:
+
+jobs:
+ update:
+ name: bump flake.lock
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - uses: actions/checkout@v6
+ - uses: DeterminateSystems/nix-installer-action@v22
+ - uses: DeterminateSystems/magic-nix-cache-action@v14
+ - uses: DeterminateSystems/update-flake-lock@v28
+ with:
+ pr-title: "chore: update flake.lock"
+ pr-labels: "dependencies,nix"
+ commit-msg: "chore: update flake.lock"
+ # Sign commits so they pass any branch-protection signature requirements
+ sign-commits: true
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index aca0e80d..bb9e16d8 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -7,21 +7,15 @@ jobs:
 validate:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
-
- - uses: cachix/install-nix-action@v26
- with:
- extra_nix_config: |
- trusted-users = root @runner
-
- - name: Validate flake
- run: nix flake show
+ - uses: actions/checkout@v6
+ - uses: DeterminateSystems/nix-installer-action@v22
+ - uses: DeterminateSystems/magic-nix-cache-action@v14
 - name: Check formatting
 run: nix fmt -- --ci .
 - name: Run deadnix
- run: nix run nixpkgs#deadnix ./modules ./lib
+ run: nix run nixpkgs#deadnix -- ./modules ./lib
 - name: Run statix
- run: nix run nixpkgs#statix check -- .
+ run: nix run nixpkgs#statix -- check .
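Review bot: Every `uses:` line in the new workflow references a mutable tag (`@v6`, `@v22`, `@v14`, `@v28`), and this job grants `contents: write` and `pull-requests: write`, so whatever commit those tags point to at run time executes with a token that can push branches and open PRs. Pin each action to a full commit SHA with the tag kept as a comment, e.g. `- uses: DeterminateSystems/update-flake-lock@<full-commit-sha> # v28`; the same applies to the three `uses:` lines added in `validate.yml`. Separately, `sign-commits: true` is set without `gpg-private-key` (and `gpg-passphrase`, if the key has one); as far as I know the action's signing is GPG-based and reads the key from those inputs, so confirm a run actually produces signed commits. PRs opened with the default `GITHUB_TOKEN` also do not trigger `pull_request` workflows, so the lock bump may merge without `validate.yml` having run unless a different token is supplied.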
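Review bot: The `Run deadnix` step cannot fail the job as written, because deadnix reports unused bindings but exits 0 unless `--fail` is passed; use `run: nix run nixpkgs#deadnix -- --fail ./modules ./lib` if this is meant to be a gate. Both `nix run nixpkgs#…` lines also resolve `nixpkgs` through the flake registry rather than this repository's `flake.lock`, so the linter builds that execute in CI are not the ones the lock file pins; `nix run --inputs-from . nixpkgs#statix -- check .` ties them to the locked input, assuming the flake has an input named `nixpkgs`. The hunk also drops the `nix flake show` step without adding another evaluation of the flake outputs, so consider `nix flake check` if evaluation errors should still be caught here.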