diff --git a/.github/workflows/check-dependabot-config.yml b/.github/workflows/check-dependabot-config.yml
index b0ee081e..3a5dc39f 100644
--- a/.github/workflows/check-dependabot-config.yml
+++ b/.github/workflows/check-dependabot-config.yml
@@ -20,9 +20,40 @@ jobs:
 timeout-minutes: 5
 steps:
- - name: Checkout Code
- uses: actions/checkout@v4
+ - uses: Chia-Network/actions/git-mark-workspace-safe@main
- - name: Check dependabot config generation is up to date
- run: |
- ./update-dependabot-config.sh
+ - name: Test for secrets access
+ id: check_secrets
+ shell: bash
+ run: |
+ unset HAS_SECRET
+
+ if [ -n "$REPO_COMMIT" ]; then HAS_SECRET='true' ; fi
+ echo HAS_SECRET=${HAS_SECRET} >> "$GITHUB_OUTPUT"
+ env:
+ REPO_COMMIT: "${{ secrets.REPO_COMMIT }}"
+ - name: Set token based on HAS_SECRET
+ run: echo "TOKEN=$([[ '${{ env.HAS_SECRET }}' == 'true' ]] && echo '${{ secrets.REPO_COMMIT }}' || echo '${{ github.token }}')" >> "$GITHUB_ENV"
+ - name: Checkout Code
+ uses: actions/checkout@v4
+ with:
+ token: ${{ env.TOKEN }}
+ - uses: Chia-Network/actions/commit-sign/gpg@main
+ if: steps.check_secrets.outputs.HAS_SECRET
+ with:
+ gpg_private_key: ${{ secrets.CHIA_AUTOMATION_PRIVATE_GPG_KEY }}
+ passphrase: ${{ secrets.CHIA_AUTOMATION_PRIVATE_GPG_PASSPHRASE }}
+ - name: Check dependabot config generation is up to date
+ run: |
+ ./update-dependabot-config.sh
+
+ - name: Commit any changes back to the repo
+ if: always() && steps.check_secrets.outputs.HAS_SECRET
+ env:
+ BRANCH: ${{ github.head_ref }}
+ run: |
+ ( git fetch origin && git checkout "$BRANCH" && git commit -am "Updating dependabot configuration" && git push origin "$BRANCH" ) || true
diff --git a/commit-sign/gpg/action.yml b/commit-sign/gpg/action.yml
index af42def6..61787723 100644
--- a/commit-sign/gpg/action.yml
+++ b/commit-sign/gpg/action.yml
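Review bot: The `Set token based on HAS_SECRET` step compares `${{ env.HAS_SECRET }}`, but the `check_secrets` step only writes `HAS_SECRET` to `$GITHUB_OUTPUT` (never to `$GITHUB_ENV`), so unless a job-level `env` outside this hunk sets it the expression renders empty, the comparison is always false, and `TOKEN` is always `github.token`; the checkout and the final push then run without the PAT the commit step assumes, while the GPG step keyed on the step output still runs. Read the step output instead: `run: echo "TOKEN=$([[ '${{ steps.check_secrets.outputs.HAS_SECRET }}' == 'true' ]] && echo '${{ secrets.REPO_COMMIT }}' || echo '${{ github.token }}')" >> "$GITHUB_ENV"`. The secret and token would be more robust passed through `env:` and read as shell variables than interpolated into the command line, where a quote in the value breaks the quoting and the values pass through the expression expander. Separately, the last step runs under `always()` and `git commit -am` stages every tracked modification, so a partial failure of `update-dependabot-config.sh` can still be committed and pushed to the head branch; dropping `always()` or committing only the generated config path would avoid that.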
@@ -12,8 +12,15 @@ runs:
 steps:
 - name: Install dependencies
 run: |
- ( command -v apk && apk add git gpg gpg-agent ) || true
- ( command -v apt-get && apt-get update && apt-get install -y git gpg gpg-agent ) || true
+ # If running as root, then dont use sudo
+ if [ "$(id -u)" -eq 0 ]; then
+ SUDO=""
+ else
+ SUDO=$(command -v sudo || echo "")
+ fi
+
+ ( command -v apk && ${SUDO} apk add git gpg gpg-agent ) || true
+ ( command -v apt-get && ${SUDO} apt-get update && ${SUDO} apt-get install -y git gpg gpg-agent ) || true
 shell: sh
 - name: Call upstream import gpg action
 uses: crazy-max/ghaction-import-gpg@v6
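Review bot: When the runner is not root and `sudo` is not installed, `SUDO` ends up empty and the unprivileged `apk`/`apt-get` calls fail silently behind the existing `|| true`, so a missing `gpg` only surfaces later as an unrelated error in the upstream import step. A one-line diagnostic after the `fi` would make that case visible in the job log, e.g. `[ "$(id -u)" -eq 0 ] || [ -n "$SUDO" ] || echo "::warning::neither root nor sudo available; package install may fail"`. `${SUDO}` is deliberately unquoted so an empty value expands to nothing; a comment such as `# SUDO is intentionally unquoted: an empty value must disappear` would stop a later reviewer from "fixing" it. The comment on the first added line has a typo (`dont`).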