diff --git a/jenkins/config/github-coreosbot.yaml b/jenkins/config/github-coreosbot.yaml
new file mode 100644
index 000000000..7f55f4bd3
--- /dev/null
+++ b/jenkins/config/github-coreosbot.yaml
@@ -0,0 +1,15 @@
+credentials:
+  system:
+    domainCredentials:
+      - credentials:
+        - usernamePassword:
+            scope: GLOBAL
+            id: github-coreosbot-token
+            username: coreosbot
+            password: ${github-coreosbot-token/token}
+            description: GitHub coreosbot token
+        - string:
+            scope: GLOBAL
+            id: github-coreosbot-token-string
+            secret: ${github-coreosbot-token/token}
+            description: GitHub coreosbot token as a string
diff --git a/jobs/bump-lockfile.Jenkinsfile b/jobs/bump-lockfile.Jenkinsfile
new file mode 100644
index 000000000..ada5f9bdd
--- /dev/null
+++ b/jobs/bump-lockfile.Jenkinsfile
@@ -0,0 +1,63 @@
+@Library('github.com/coreos/coreos-ci-lib@master') _
+
+repo = "coreos/fedora-coreos-config"
+branches = [
+    "testing-devel",
+    "next-devel"
+]
+botCreds = "github-coreosbot-token"
+
+properties([
+    pipelineTriggers([
+        // we don't need to bump lockfiles any more often than daily
+        cron("H H * * *")
+    ])
+])
+
+cosaPod {
+    parallel branches.collectEntries { branch -> [branch, {
+        shwrap("mkdir ${branch}")
+        dir(branch) {
+            stage("Fetch") {
+                shwrap("cosa init --branch ${branch} https://github.com/${repo}")
+                shwrap("cosa fetch --update-lockfile")
+            }
+
+            if (shwrapRc("git -C src/config diff --exit-code") == 0) {
+                println("No changes")
+                return
+            }
+
+            // sanity-check only base lockfiles were changed
+            shwrap("""
+              # do this separately so set -e kicks in if it fails
+              files=\$(git -C src/config ls-files --modified --deleted)
+              for f in \${files}; do
+                if ! [[ \${f} =~ ^manifest-lock\\.[0-9a-z_]+\\.json ]]; then
+                  echo "Unexpected modified file \${f}"
+                  exit 1
+                fi
+              done
+            """)
+
+            stage("Build") {
+                shwrap("cosa build --strict")
+            }
+
+            fcosKola(cosaDir: ".")
+
+            // OK, it passed kola: just push to the branch. In the future, we might be
+            // fancier here; e.g. if tests fail, just open a PR, or if tests passed but a
+            // package was added or removed.
+            stage("Push") {
+                shwrap("git -C src/config commit -am 'lockfiles: bump to latest'")
+                withCredentials([usernamePassword(credentialsId: botCreds,
+                                                  usernameVariable: 'GHUSER',
+                                                  passwordVariable: 'GHTOKEN')]) {
+                  // should gracefully handle race conditions here
+                  sh("git -C src/config push https://${GHUSER}:${GHTOKEN}@github.com/${repo} ${branch}")
+                }
+            }
+        }
+    }] }
+}