diff --git a/.github/workflows/upgrade-flakes.yml b/.github/workflows/upgrade-flakes.yml
index 6fac218..ed3d891 100644
--- a/.github/workflows/upgrade-flakes.yml
+++ b/.github/workflows/upgrade-flakes.yml
@@ -4,6 +4,10 @@ on:
   workflow_dispatch:
   schedule:
     - cron:  '51 2 * * 0'
+
+permissions:
+  pull-requests: write
+
 jobs:
   createPullRequest:
     runs-on: ubuntu-latest
@@ -14,9 +18,12 @@ jobs:
         with:
           extra_nix_config: |
             access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
-      - name: Update flake.lock
-        uses: DeterminateSystems/update-flake-lock@v24
-        with:
-          token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
-          pr-labels: |
-            merge-queue
+      - name: Update flakes
+        run: |
+           nix flake update
+           pushd dev/private
+           nix flake update
+           popd
+           nix run .#update-dev-private-narHash
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7
diff --git a/flake.nix b/flake.nix
index cb212ea..9e4da72 100644
--- a/flake.nix
+++ b/flake.nix
@@ -93,11 +93,24 @@
           tests // (suffix-stable tests-stable) // (suffix-stable packages-stable)
         );
 
+        apps = eachSystem (
+          { pkgs, ... }:
+          {
+            update-dev-private-narHash = {
+              type = "app";
+              program = "${pkgs.writeShellScript "update-dev-private-narHash" ''
+                nix --extra-experimental-features "nix-command flakes" flake lock ./dev/private
+                nix --extra-experimental-features "nix-command flakes" hash path ./dev/private | tr -d '\n' > ./dev/private.narHash
+              ''}";
+            };
+          }
+        );
+
         devShells = eachSystem (
           { pkgs, ... }:
           {
             unit-tests = pkgs.callPackage ./pkgs/unit-tests.nix { };
-            default = pkgs.callPackage ./shell.nix { };
+            default = pkgs.callPackage ./shell.nix {};
           }
         );
       };
diff --git a/shell.nix b/shell.nix
index 02083a6..30505fe 100644
--- a/shell.nix
+++ b/shell.nix
@@ -10,11 +10,6 @@ pkgs.mkShell {
     util-linux
     nix
     golangci-lint
-
-    (pkgs.writeScriptBin "update-dev-private-narHash" ''
-      nix --extra-experimental-features "nix-command flakes" flake lock ./dev/private
-      nix --extra-experimental-features "nix-command flakes" hash path ./dev/private | tr -d '\n' > ./dev/private.narHash
-    '')
   ];
   # delve does not compile with hardening enabled
   hardeningDisable = [ "all" ];