diff --git a/.github/workflows/update-devenv.yml b/.github/workflows/update-devenv.yml
new file mode 100644
index 000000000000..a8269572c9ab
--- /dev/null
+++ b/.github/workflows/update-devenv.yml
@@ -0,0 +1,61 @@
+name: Update devenv
+
+on:
+  schedule:
+    - cron: "0 3 * * 2" # Weekly on Tuesdays
+  pull_request:
+    paths:
+      - '.github/workflows/update-devenv.yml'
+  push:
+    paths:
+      - '.github/workflows/update-devenv.yml'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-devenv:
+    if: github.repository == 'crystal-lang/crystal'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Download source
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        with:
+          ref: master
+          persist-credentials: false
+
+      - uses: cachix/install-nix-action@fd24c48048070c1be9acd18c9d369a83f0fe94d7 # v31
+
+      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
+        with:
+          name: devenv
+
+      - name: Install devenv.sh
+        run: nix profile add nixpkgs#devenv
+
+      - name: Update devenv.lock
+        run: devenv update
+
+      - name: Check for changes
+        id: changes
+        run: |
+          git add devenv.lock
+          if git diff --cached --quiet; then
+            echo "changed=false" >>"$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >>"$GITHUB_OUTPUT"
+          fi
+
+      - name: Create PR
+        if: steps.changes.outputs.changed == 'true'
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+        with:
+          commit-message: "Update `devenv.lock`"
+          title: "Update `devenv.lock`"
+          body: ""
+          labels: "topic:infrastructure"
+          branch: infra/update-devenv
+          delete-branch: true