diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
new file mode 100644
index 0000000..d50182a
--- /dev/null
+++ b/.github/workflows/dependabot.yml
@@ -0,0 +1,28 @@
+name: Update vendorSha256
+on: pull_request
+
+permissions:
+ contents: write
+
+jobs:
+ dependabot:
+ runs-on: ubuntu-latest
+ if: ${{ github.actor == 'dependabot[bot]' }}
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ - name: Install Nix
+ uses: cachix/install-nix-action@v22
+ with:
+ github_access_token: ${{ secrets.GITHUB_TOKEN }}
+ nix_path: nixpkgs=channel:nixos-unstable
+ - name: Update checksum
+ run: |
+ ./scripts/update-vendor-hash.sh
+ # git push if we have a diff
+ if [[ -n $(git diff) ]]; then
+ git add default.nix
+ git commit -m "update vendorHash"
+ git push
+ fi
diff --git a/scripts/update-vendor-hash.sh b/scripts/update-vendor-hash.sh
new file mode 100755
index 0000000..e5369b9
--- /dev/null
+++ b/scripts/update-vendor-hash.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p nix -p coreutils -p gnused -p gawk
+
+set -exuo pipefail
+
+failedbuild=$(nix build --impure --expr '(with import {}; pkgs.callPackage ./. { vendorHash = ""; }).sops-install-secrets' 2>&1 || true)
+echo "$failedbuild"
+checksum=$(echo "$failedbuild" | awk '/got:.*sha256/ { print $2 }')
+sed -i -e "s|vendorHash ? \".*\"|vendorHash ? \"$checksum\"|" default.nix
+
+# git push if we have a diff
+if [[ -n $(git diff) ]]; then
+ git add default.nix
+ git commit -m "sops-install-secrets: update checksum to $checksum"
+ git push
+fi
+
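Review bot: The `git commit`/`git push` in the "Update checksum" step cannot succeed as written: on a `pull_request` event actions/checkout checks out the PR merge ref in a detached HEAD, and no committer identity is configured, so nothing can land on the PR branch. Add `ref: ${{ github.head_ref }}` under the checkout `with:` block and start the run step with `git config user.name "github-actions[bot]"` and `git config user.email "41898282+github-actions[bot]@users.noreply.github.com"`. Note also that for runs triggered by Dependabot on `pull_request` the GITHUB_TOKEN is read-only regardless of the `permissions: contents: write` grant, so the push would additionally need a dedicated token or Dependabot-scoped secrets; confirm against the repository's Dependabot configuration before relying on it. The script it calls already commits and pushes on its own, so the diff check that follows `./scripts/update-vendor-hash.sh` is dead once the script succeeds and the two commit messages will never both apply. For supply-chain hygiene, pin `actions/checkout` and `cachix/install-nix-action` to full commit SHAs rather than the floating `v3`/`v22` tags.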
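Review bot: `checksum` is spliced into the `sed` rewrite of default.nix without any validation: when the build fails for a reason other than the hash mismatch, awk prints nothing and the script rewrites `vendorHash` to an empty string and commits it, and when the log contains more than one `got:` line the multi-line value corrupts the sed expression. `set -u` does not catch this, because an empty command substitution still yields a defined variable. Validate that exactly one well-formed SRI hash was extracted before touching default.nix, as below. Separately, `import {}` in the nix expression reads like a `<nixpkgs>` search-path lookup that the page rendering dropped; if so the script is only correct under the `nix_path` the workflow exports, which is worth a comment in the script header.
```shell
checksum=$(echo "$failedbuild" | awk '/got:.*sha256/ { print $2 }')
# refuse to rewrite default.nix unless exactly one well-formed SRI hash was found
if [[ ! "$checksum" =~ ^sha256-[A-Za-z0-9+/]{43}=$ ]]; then
  echo "could not extract a single vendorHash from the build output" >&2
  exit 1
fi
sed -i -e "s|vendorHash ? \".*\"|vendorHash ? \"$checksum\"|" default.nix
# … unchanged: git add/commit/push …
```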