diff --git a/.github/workflows/reusable-flake-checks-ci-matrix.yml b/.github/workflows/reusable-flake-checks-ci-matrix.yml
index b4d147cb..fec68d87 100644
--- a/.github/workflows/reusable-flake-checks-ci-matrix.yml
+++ b/.github/workflows/reusable-flake-checks-ci-matrix.yml
@@ -33,7 +33,7 @@ jobs:
 runs-on: ${{ fromJSON(inputs.runner) }}
 steps:
 - name: 'Post initial package status comment'
- uses: marocchino/sticky-pull-request-comment@v2.9.3
+ uses: marocchino/sticky-pull-request-comment@v2.9.4
 with:
 recreate: true
 message: |
diff --git a/.github/workflows/reusable-update-flake-lock.yml b/.github/workflows/reusable-update-flake-lock.yml
index 0dffeea8..51b74845 100644
--- a/.github/workflows/reusable-update-flake-lock.yml
+++ b/.github/workflows/reusable-update-flake-lock.yml
@@ -14,6 +14,11 @@ on:
 default: ''
 required: false
 type: string
+ sign-commits:
+ description: 'Enable GPG commit signing'
+ default: false
+ required: false
+ type: boolean
 
 secrets:
 NIX_GITHUB_TOKEN:
@@ -31,6 +36,9 @@ on:
 CREATE_PR_APP_PRIVATE_KEY:
 description: Private key of the GitHub App used for opening pull requests.
 required: true
+ GPG_SIGNING_KEY:
+ description: GPG private key used to sign commits
+ required: false
 
 outputs:
 pr-url:
@@ -61,6 +69,12 @@ jobs:
 trusted-public-keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 substituters: ${{ vars.SUBSTITUTERS }}
 
+ - name: Configure GPG Key
+ env:
+ GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
+ run: |
+ echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --import
+
 - name: Run `nix flake update`
 id: update-lockfile
 run: |
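Review bot: The description of the new `GPG_SIGNING_KEY` secret does not state the encoding the consumer expects: the `Configure GPG Key` step added in the last hunk pipes the value through `base64 --decode` before `gpg --import`, so a caller who passes the ASCII-armored key as-is gets a decode error rather than a signing key. State the contract where the secret is declared, `description: Base64-encoded GPG private key used to sign commits (decoded with base64 --decode, then imported with gpg --import)`. It is also worth noting there that the secret is optional only when the `sign-commits` input is left at its default of false, since nothing in the `secrets` block ties the two together.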
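Review bot: The `Configure GPG Key` step runs unconditionally, yet `GPG_SIGNING_KEY` is declared `required: false` and the new `sign-commits` input from the first hunk of this file is not referenced by any hunk in the diff; when a caller omits the secret, `echo -n "" | base64 --decode | gpg --import` hands gpg an empty stream, which it rejects with a non-zero exit, and under the default `bash -eo pipefail` step shell that fails every run that did not opt into signing. Gate the step on the input, `if: ${{ inputs.sign-commits }}`, and consider a guard such as `test -n "$GPG_SIGNING_KEY"` inside the script so a misconfigured caller gets a clear message. Importing the key alone does not make git sign anything; unless a later step outside this hunk sets `user.signingkey` and `commit.gpgsign`, the input's description "Enable GPG commit signing" overstates what happens. If this reusable workflow can run on a persistent self-hosted runner, the imported private key stays in the runner's GnuPG home after the job, so a post-job cleanup step that deletes the imported secret key would limit exposure. The `steps` list continues outside the hunk.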