diff --git a/.github/renovate.json b/.github/renovate.json
deleted file mode 100644
index 195bdc4..0000000
--- a/.github/renovate.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "$schema": "https://docs.renovatebot.com/renovate-schema.json",
- "dependencyDashboard": true,
- "labels": ["dependencies", "renovate"],
- "enabledManagers": ["nix"],
- "nix": {
- "enabled": true
- }
-}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index d1c8181..5b6ded3 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -13,16 +13,14 @@ jobs:
 - uses: actions/checkout@v4
 - uses: dprint/check@v2.2
 with:
- # Keep same version as used in *.nix
- dprint-version: '0.40.2'
+ dprint-version: '0.40.2' # selfup { "regex": "\\d[^']+", "script": "dprint --version | cut -d ' ' -f 2" }
 typos:
 timeout-minutes: 15
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- # Keep same version as used in *.nix
- - uses: crate-ci/typos@v1.16.8
+ - uses: crate-ci/typos@v1.16.8 # selfup { "regex": "\\d\\.\\d+\\.\\d+", "script": "typos --version | cut -d ' ' -f 2" }
 with:
 files: |
 .
diff --git a/.github/workflows/update-nixpkgs.yml b/.github/workflows/update-nixpkgs.yml
new file mode 100644
index 0000000..f48890e
--- /dev/null
+++ b/.github/workflows/update-nixpkgs.yml
@@ -0,0 +1,55 @@
+name: CI - Update nixpkgs and sync CI dependencies
+on:
+ pull_request:
+ paths:
+ - '.github/workflows/update-nixpkgs.yml'
+ schedule:
+ # Every 10:17 JST
+ # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule
+ - cron: '17 1 * * *'
+ workflow_dispatch:
+
+permissions:
+ contents: write
+
+jobs:
+ tasks:
+ runs-on: ubuntu-latest
+ timeout-minutes: 30
+ env:
+ PR_BRANCH: update-nixpkgs-${{ github.run_id }}
+ steps:
+ # To push workflow changes and trigger CIs
+ - name: Generate GitHub Apps token
+ if: (github.event.sender.login == 'kachick') || (github.event_name != 'pull_request')
+ id: publish-token
+ uses: tibdex/github-app-token@v2
+ with:
+ # Required to set workflow permission for the APP
+ app_id: ${{ secrets.APP_ID }}
+ private_key: ${{ secrets.PRIVATE_KEY }}
+ - uses: actions/checkout@v4
+ with:
+ # Needed to specify token for checkout phase, only in pushing phase is too late
+ # https://github.com/orgs/community/discussions/27072#discussioncomment-3254515
+ token: ${{ steps.publish-token.outputs.token }}
+ - uses: DeterminateSystems/nix-installer-action@v4
+ - uses: DeterminateSystems/magic-nix-cache-action@v2
+ - name: Prepare Git
+ run: |
+ git config --global user.name "github-actions[bot]"
+ git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git switch -c "${PR_BRANCH}"
+ - run: nix flake update --commit-lock-file
+ - name: Update related CI dependencies
+ run: |
+ nix develop --command nix run github:kachick/selfup -- --prefix='# selfup ' --skip-by='nix run' .github/workflows/*.yml
+ git diff-index --quiet HEAD || git commit -m 'Update CI dependencies with adjusting to nixpkgs' .github
+ - run: git push origin "${PR_BRANCH}"
+ if: github.event_name != 'pull_request'
+ - name: Create PR
+ if: github.event_name != 'pull_request'
+ env:
+ GITHUB_TOKEN: ${{ steps.publish-token.outputs.token }}
+ run: |
+ gh pr create --base 'main' --title 'Update nixpkgs and related CI dependencies' --body 'This PR is based on https://github.com/kachick/selfup'
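Review bot: The `nix run github:kachick/selfup` call in the "Update related CI dependencies" step resolves an unpinned flake reference on every run. It executes inside a checkout that was handed the GitHub App token, so whatever that ref points to at 01:17 UTC runs next to a credential that can push workflow changes. Pinning the flake to an immutable revision would fix the executed code, e.g. `nix run github:kachick/selfup/<PINNED_REV> -- --prefix='# selfup ' --skip-by='nix run' .github/workflows/*.yml` (`<PINNED_REV>` is a placeholder for a reviewed commit). The third-party actions are also referenced by mutable tags, and `tibdex/github-app-token@v2` is the step that receives `secrets.PRIVATE_KEY`; pinning these to full commit SHAs closes the same gap. Separately, `permissions: contents: write` is set for the whole workflow, including the `pull_request` trigger, although the push and PR creation appear to use the App token, so `contents: read` may be enough for the built-in token.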