diff --git a/.github/workflows/flake-update.yml b/.github/workflows/flake-update.yml
index d1e00287..01525d47 100644
--- a/.github/workflows/flake-update.yml
+++ b/.github/workflows/flake-update.yml
@@ -99,7 +99,7 @@ jobs:
         CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
         NF_CONFIG_ROOT: ${{ github.workspace }}
         NF_UPDATE_CACHIX_PUSH: '1'
-        NF_UPDATE_GIT_COMMIT: '1'
+        NF_UPDATE_GIT_COMMIT: ''
       id: flake-update
       name: flake update build
       run: nix run .#nf-update
@@ -142,6 +142,13 @@ jobs:
         command: ci-build-cache
         quiet: false
         stdin: ${{ runner.temp }}/ci.build.cache
+    - env:
+        NF_CONFIG_ROOT: ${{ github.workspace }}
+        NF_UPDATE_GIT_COMMIT: '1'
+        NF_UPDATE_SKIP: '1'
+      id: flake-commit
+      name: git push
+      run: nix run .#nf-update
 name: flake-update
 'on':
   pull_request:
diff --git a/ci/flake-cron.nix b/ci/flake-cron.nix
index f0453d3c..5d092387 100644
--- a/ci/flake-cron.nix
+++ b/ci/flake-cron.nix
@@ -34,18 +34,28 @@ in {
         workflow_dispatch = {};
       };
       jobs.flake-update = {
-        # TODO: split this up into two phases, then push at the end so other CI tests can run first
         step.flake-update = {
           name = "flake update build";
           order = 500;
           run = "nix run .#nf-update";
           env = {
             CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";
-            NF_UPDATE_GIT_COMMIT = "1";
+            NF_UPDATE_GIT_COMMIT = "";
             NF_UPDATE_CACHIX_PUSH = "1";
             NF_CONFIG_ROOT = "\${{ github.workspace }}";
           };
         };
+        # we split this up into two phases so other CI tests can run in-between
+        step.flake-commit = {
+          name = "git push";
+          order = 1500;
+          run = "nix run .#nf-update";
+          env = {
+            NF_UPDATE_SKIP = "1";
+            NF_UPDATE_GIT_COMMIT = "1";
+            NF_CONFIG_ROOT = "\${{ github.workspace }}";
+          };
+        };
       };
     };
 
diff --git a/ci/update.sh b/ci/update.sh
index 0436dc42..f3daeebd 100644
--- a/ci/update.sh
+++ b/ci/update.sh
@@ -1,26 +1,32 @@
 #!/usr/bin/env bash
 set -eu
 
-if [[ -n ${CACHIX_SIGNING_KEY-} ]]; then
+if [[ -n ${CACHIX_SIGNING_KEY-} && ! -v NF_UPDATE_CACHIX_PUSH ]]; then
 	export NF_UPDATE_CACHIX_PUSH=1
 fi
 
 cd "$NF_CONFIG_ROOT"
 
-nix flake update "$@"
+if [[ -z ${NF_UPDATE_SKIP-} ]]; then
+	nix flake update "$@"
+fi
 
 if [[ -n $(git status --porcelain ./flake.lock) ]]; then
-	git -P diff ./flake.lock
+	if [[ -z ${NF_UPDATE_SKIP-} ]]; then
+		git -P diff ./flake.lock
+	fi
 else
 	echo "no source changes" >&2
 	exit
 fi
 
-echo "checking that nodes still build..." >&2
-if [[ -n ${NF_UPDATE_CACHIX_PUSH-} ]]; then
-	export NF_ACTIONS_TEST_OUTLINK=${NF_ACTIONS_TEST_OUTLINK-result}
+if [[ -z ${NF_UPDATE_SKIP-} ]]; then
+	echo "checking that nodes still build..." >&2
+	if [[ -n ${NF_UPDATE_CACHIX_PUSH-} ]]; then
+		export NF_ACTIONS_TEST_OUTLINK=${NF_ACTIONS_TEST_OUTLINK-result}
+	fi
+	nf-actions-test -L
 fi
-nf-actions-test -L
 
 if [[ -n ${NF_UPDATE_CACHIX_PUSH-} ]]; then
 	cachix push gensokyo-infrastructure "./${NF_ACTIONS_TEST_OUTLINK}"*/ &