diff --git a/.github/workflows/fix_hashes.yml b/.github/workflows/fix_hashes.yml
new file mode 100644
index 0000000..c1403cc
--- /dev/null
+++ b/.github/workflows/fix_hashes.yml
@@ -0,0 +1,38 @@
+on:
+ pull_request:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: read
+ contents: write
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: DeterminateSystems/determinate-nix-action@v3
+
+ - uses: DeterminateSystems/flakehub-cache-action@main
+
+ - run: nix flake check -L
+
+ - name: Fix hash mismatches
+ if: failure() && github.event_name == 'pull_request'
+ id: fix-hashes
+ run: |
+ git stash --include-untracked
+ git fetch --depth=1 origin "$GITHUB_HEAD_REF"
+ git checkout -B "$GITHUB_HEAD_REF" "${{ github.event.pull_request.head.sha }}"
+
+ determinate-nixd fix hashes --auto-apply
+
+ if ! git diff --quiet; then
+ git config user.name "github-actions[bot]"
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git add --update --ignore-removal .
+ git commit -m "[dependabot skip] Automatically fix Nix hashes"
+ git push origin "$GITHUB_HEAD_REF"
+ fi
+
+ git checkout -
+ git stash pop || true
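Review bot: The job grants `contents: write` to every step, yet `DeterminateSystems/flakehub-cache-action@main` tracks a mutable branch (and `@v4` / `@v3` are movable tags), so any upstream change runs with a token that can push to the PR branch. Pin each action to a full commit SHA, e.g. `- uses: DeterminateSystems/flakehub-cache-action@<full-commit-sha>  # main`. The "Fix hash mismatches" step then commits whatever hashes the tool produced and pushes them unreviewed, so a hash mismatch (the signal that fetched content changed) is accepted automatically. As far as I know, pushes made with the default `GITHUB_TOKEN` also start no new workflow run, so the bot commit is never re-checked by `nix flake check`; consider requiring approval after the latest push, or failing with the proposed diff instead of pushing. Separately, `id-token: read` looks unintended, since requesting an OIDC token normally needs `id-token: write`; confirm the cache action can still authenticate.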