diff --git a/.github/workflows/update-colcon.yaml b/.github/workflows/update-colcon.yaml
new file mode 100644
index 0000000000..e044a386cc
--- /dev/null
+++ b/.github/workflows/update-colcon.yaml
@@ -0,0 +1,31 @@
+name: Update colcon packages
+on:
+  schedule:
+    - cron: "0 12 * * FRI"
+  workflow_dispatch:
+jobs:
+  update:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: cachix/install-nix-action@v27
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - uses: cachix/cachix-action@v12
+        with:
+          name: ros
+          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
+      - name: Configure git
+        run: |
+          git config user.name 'github-actions[bot]'
+          git config user.email 'github-actions[bot]@users.noreply.github.com'
+      - name: Update colcon
+        run: maintainers/scripts/update-colcon.sh --build --commit
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          branch: colcon-updates
+          delete-branch: true
+          title: 'Colcon updates'
+          body: |
+            Automated changes by `maintainers/scripts/update-colcon.sh`
diff --git a/maintainers/scripts/update-colcon.sh b/maintainers/scripts/update-colcon.sh
new file mode 100755
index 0000000000..980a2aa4f9
--- /dev/null
+++ b/maintainers/scripts/update-colcon.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -i bash --pure
+#! nix-shell -p jq nix nix-update cacert git
+
+# Usage: update-colcon.sh [nix-update options]
+
+set -euo pipefail
+
+nix eval --json --impure --expr '
+let
+  pkgs = (import ./. {});
+  lib = pkgs.lib;
+  colconPkgs = lib.filterAttrs (n: v: builtins.substring 0 7 n == "colcon-") pkgs.python3Packages;
+in
+   lib.attrNames colconPkgs' \
+    | jq  --raw-output '.[]' \
+    | while read pkg; do nix-update "$@" python3Packages."$pkg"; done