diff --git a/.github/workflows/clang-format-check.yml b/.github/workflows/clang-format-check.yml
index c7dfd20e4..610c54087 100644
--- a/.github/workflows/clang-format-check.yml
+++ b/.github/workflows/clang-format-check.yml
@@ -10,7 +10,7 @@ jobs:
     name: Formatting Check
     runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Check that C and C++ code is correctly formatted
       uses: jidicula/clang-format-action@v4.11.0
       with:
@@ -21,7 +21,7 @@ jobs:
     name: Shell check
     runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - uses: ludeeus/action-shellcheck@1.1.0
       name: Check that shell scripts follow best practices
       with:
@@ -32,7 +32,7 @@ jobs:
     runs-on: [self-hosted, linux, normal]
     steps:
       - name: 'Check out code'
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           submodules: recursive
 
@@ -60,7 +60,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Check out code'
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: 'Set up Java 17'
         uses: actions/setup-java@v3
diff --git a/.github/workflows/test-flake.yml b/.github/workflows/test-flake.yml
index dccb2fbe4..bc4a62ec2 100644
--- a/.github/workflows/test-flake.yml
+++ b/.github/workflows/test-flake.yml
@@ -21,7 +21,7 @@ jobs:
     runs-on: ${{ matrix.runner }}
     steps:
       - name: 'Check out code'
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           # Check out pull request HEAD instead of merge commit.
           ref: ${{ github.event.pull_request.head.sha }}
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
new file mode 100644
index 000000000..deaff499d
--- /dev/null
+++ b/.github/workflows/update.yml
@@ -0,0 +1,50 @@
+name: 'Update'
+on:
+  workflow_dispatch:
+  pull_request:
+      paths: '**/pom.xml'
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  # Update the pinned Maven dependencies for Nix.
+  # This job only runs on push events because we cannot push changes back to a
+  # pull request branch from a fork.
+  nix-maven:
+    name: 'Nix: Maven'
+    runs-on: ubuntu-20.04
+    steps:
+      - name: 'Check out code'
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.JENKINS_GITHUB_PAT }}
+          submodules: recursive
+      - run: |
+          git config --global user.name rv-jenkins
+          git config --global user.email devops@runtimeverification.com
+
+      - name: 'Install Nix'
+        uses: cachix/install-nix-action@v22
+        with:
+          install_url: https://releases.nixos.org/nix/nix-2.13.3/install
+          extra_nix_config: |
+            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+
+      - name: 'Install Cachix'
+        uses: cachix/cachix-action@v12
+        with:
+          name: k-framework
+          authToken: '${{ secrets.CACHIX_PUBLIC_TOKEN }}'
+
+      - name: 'Update Maven dependencies'
+        run: |
+          set -x
+          if ! git diff --exit-code origin/${GITHUB_BASE_REF} origin/${GITHUB_HEAD_REF} \
+                -- $(find . -name pom.xml)                                              \
+                   $(find nix -name '*.nix'); then
+            ./nix/update-maven.sh
+          fi
+          if git add nix/ && git commit -m 'Update Maven dependencies'; then
+            git push --force origin HEAD:${{ github.head_ref }}
+          fi