diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
index 3f60e4b..48d41fc 100644
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -1,9 +1,10 @@
-name: "Build Nix packages"
+name: "build Nix packages"
 on:
   pull_request:
   push:
   schedule:
-  - cron: '53 21 * * *'  # AEST 7:53 am
+  - cron: '53 20 * * *'  # AEST 6:53 am
+  workflow_dispatch:
 jobs:
   nix:
     strategy:
@@ -11,30 +12,8 @@ jobs:
         pkg: [aslp, bap-aslp, basil, bap-uq-pac]
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
-    - uses: cachix/install-nix-action@v20
+    - uses: ./github/workflows/upgrade.yml
       with:
-        nix_path: nixpkgs=channel:nixos-unstable
-    - uses: cachix/cachix-action@v12
-      with:
-        name: pac-nix
-        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-    - run: nix-build -A ${{matrix.pkg}}
-    - name: nix-build -A ${{matrix.pkg}}.tests -o result-tests
-      run: |
-        if nix-instantiate --eval -A ${{matrix.pkg}}.tests; then
-          nix-build -A ${{matrix.pkg}}.tests -o result-tests
-        fi
-    - run: ls -l
-  update-check:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-    - uses: cachix/install-nix-action@v20
-      with:
-        nix_path: nixpkgs=channel:nixos-unstable
-    - uses: cachix/cachix-action@v12
-      with:
-        name: pac-nix
-        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-    - run: ./update.sh check
+        pkg: ${{matrix.pkg}}
+      secrets: inherit
+
diff --git a/.github/workflows/setup.yml b/.github/workflows/setup.yml
new file mode 100644
index 0000000..f6b1bb4
--- /dev/null
+++ b/.github/workflows/setup.yml
@@ -0,0 +1,18 @@
+name: "common runner setup"
+on:
+  workflow_call:
+    secrets:
+      CACHIX_AUTH_TOKEN:
+        required: true
+jobs:
+  setup:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: cachix/install-nix-action@v20
+      with:
+        nix_path: nixpkgs=channel:nixos-unstable
+    - uses: cachix/cachix-action@v12
+      with:
+        name: pac-nix
+        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
diff --git a/.github/workflows/upgrade.yml b/.github/workflows/upgrade.yml
new file mode 100644
index 0000000..a2bffa3
--- /dev/null
+++ b/.github/workflows/upgrade.yml
@@ -0,0 +1,48 @@
+name: "update and check Nix packages"
+on:
+  workflow_call:
+    inputs:
+      pkg: { required: true, type: string }
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: ./.github/workflows/setup.yml
+      secrets: inherit
+    - run: nix-build ./update-shell.nix
+    - run: |
+        nix-shell ./update-shell.nix --pure \
+          --run './update.py check -A ${{inputs.pkg}}'
+
+  do-upgrade:
+    if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
+    concurrency: do-upgrade  # one package upgrade in-flight at a time
+    runs-on: ubuntu-latest
+    needs: check
+    steps:
+    - uses: ./.github/workflows/setup.yml
+      secrets: inherit
+    - run: nix-build ./update-shell.nix
+    - run: |
+        git config user.name 'github-actions[bot]'
+        git config user.email 41898282+github-actions[bot]@users.noreply.github.com
+    - run: |
+        nix-shell ./update-shell.nix --pure \
+          --run './update.py do-upgrade -A ${{inputs.pkg}}'
+    - run: git push
+
+  build:
+    runs-on: ubuntu-latest
+    needs: do-upgrade
+    steps:
+    - uses: ./.github/workflows/setup.yml
+      secrets: inherit
+    - run: nix-build -A ${{inputs.pkg}}
+    - name: nix-build -A ${{inputs.pkg}}.tests -o result-tests
+      run: |
+        if nix-instantiate --eval -A ${{inputs.pkg}}.tests; then
+          nix-build -A ${{inputs.pkg}}.tests -o result-tests
+        fi
+    - run: ls -l
+
+