diff --git a/.github/workflows/update-nix-hash.yml b/.github/workflows/update-nix-hash.yml
new file mode 100644
index 0000000..af09980
--- /dev/null
+++ b/.github/workflows/update-nix-hash.yml
@@ -0,0 +1,91 @@
+name: Update Nix Vendor Hash
+
+on:
+ pull_request:
+ paths:
+ - 'go.mod'
+ - 'go.sum'
+
+permissions:
+ contents: write
+
+jobs:
+ update-nix-hash:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.head_ref }}
+
+ - uses: cachix/install-nix-action@v27
+ with:
+ github_access_token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Update vendorHash
+ id: update
+ run: |
+ echo "Attempting to build and check for hash mismatch..."
+
+ # Try to build. If it fails, capture the output.
+ set +e
+ OUTPUT=$(nix build --no-link 2>&1)
+ EXIT_CODE=$?
+ set -e
+
+ if [ $EXIT_CODE -eq 0 ]; then
+ echo "Build successful, no hash update needed."
+ exit 0
+ fi
+
+ # Check if failure is due to hash mismatch
+ if echo "$OUTPUT" | grep -q "hash mismatch"; then
+ echo "Detected hash mismatch. Extracting new hash..."
+
+ # Extract the 'got:' hash.
+ # The output format usually contains:
+ # got: sha256-...........................................=
+ # or
+ # got: sha256-...........................................=
+ # Handle variable whitespace before and after "got:"
+ NEW_HASH=$(echo "$OUTPUT" | grep -E "^\s*got:" | head -n1 | sed 's/.*got:\s*//' | xargs)
+
+ if [ -n "$NEW_HASH" ]; then
+ echo "Found new hash: $NEW_HASH"
+
+ # Read current hash for comparison log
+ CURRENT_HASH=$(grep "vendorHash =" flake.nix | cut -d'"' -f2)
+ echo "Current hash: $CURRENT_HASH"
+
+ if [ "$NEW_HASH" != "$CURRENT_HASH" ]; then
+ # Update flake.nix
+ # Only match lines starting with optional whitespace followed by "vendorHash ="
+ # This prevents accidentally matching comments or other occurrences
+ sed -i '/^\s*vendorHash = /s|vendorHash = ".*"|vendorHash = "'$NEW_HASH'"|' flake.nix
+ echo "flake.nix updated."
+ echo "updated=true" >> $GITHUB_OUTPUT
+ else
+ echo "Hash extracted matches current hash. Weird."
+ exit 1
+ fi
+ else
+ echo "Could not extract new hash from output."
+ echo "Full output:"
+ echo "$OUTPUT"
+ exit 1
+ fi
+ else
+ echo "Build failed for reason other than hash mismatch."
+ echo "Full output:"
+ echo "$OUTPUT"
+ # Don't fail the workflow if it's a legitimate build error,
+ # as this workflow's sole purpose is updating hashes.
+ # Real CI will catch actual build errors.
+ exit 0
+ fi
+
+ - name: Commit changes
+ if: steps.update.outputs.updated == 'true'
+ uses: stefanzweifel/git-auto-commit-action@v5
+ with:
+ commit_message: "chore(nix): update vendorHash"
+ file_pattern: flake.nix
diff --git a/flake.nix b/flake.nix
index 8e60a9c..419f6ad 100644
--- a/flake.nix
+++ b/flake.nix
@@ -17,7 +17,7 @@ src = ./.; - vendorHash = "sha256-quGKUBmX4ebrykhWRnp71yYt/cUeISN0wPu13m8lNsM="; + vendorHash = "sha256-uPEnAmEQ+LTqAMrtMM/6Yh/H7CO+dbZvbKA+jsLCZU8="; subPackages = [ "cmd/pvetui" ];
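Review bot: In `.github/workflows/update-nix-hash.yml`, the `Update vendorHash` step splices `NEW_HASH` into the `sed` replacement unquoted and unvalidated, and the edited `flake.nix` is then committed by a job that holds `contents: write`. The value is whatever follows the first `got:` line in the log of a build of the pull request's own tree, so it should be checked against the SRI shape before the file is touched, e.g. `printf '%s' "$NEW_HASH" | grep -Eq '^sha256-[A-Za-z0-9+/]{43}=$' || exit 1`. The expansion should also be quoted, `"'"$NEW_HASH"'"`, so that whitespace cannot split the `sed` argument; the shape check keeps `|`, `&` and `\` out of the replacement text. Since this job builds PR content while holding a write token, pinning `actions/checkout@v4`, `cachix/install-nix-action@v27` and `stefanzweifel/git-auto-commit-action@v5` to full commit SHAs would limit what can run with that token.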