From 6aa311629bd9ddb2f52f476389467002bf3eab3c Mon Sep 17 00:00:00 2001
From: Patrick Lewis <4015312+locus313@users.noreply.github.com>
Date: Sun, 21 Jun 2026 13:50:19 -0700
Subject: [PATCH] fix: open PR instead of pushing directly to protected main branch

The update-readme-sha workflow was pushing directly to main, which is blocked by branch protection (requires PR + Shellcheck status check). Now creates a branch and opens a PR via gh CLI instead. Also adds pull-requests: write permission.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/update-readme-sha.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/update-readme-sha.yml b/.github/workflows/update-readme-sha.yml
index 0612720..62bf328 100644
--- a/.github/workflows/update-readme-sha.yml
+++ b/.github/workflows/update-readme-sha.yml
@@ -16,6 +16,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: write
+ pull-requests: write
 steps:
 - name: Checkout code
 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
@@ -35,7 +36,16 @@ jobs:
 if git diff --quiet README.md; then
 echo "No SHA change detected, skipping commit."
 else
+ BRANCH="chore/update-readme-sha-${{ github.sha }}"
+ git checkout -b "${BRANCH}"
 git add README.md
 git commit -m "chore: update pinned SHA in README to ${{ github.sha }}"
- git push
+ git push origin "${BRANCH}"
+ gh pr create \
+ --title "chore: update pinned SHA in README to ${{ github.sha }}" \
+ --body "Automated update of the pinned commit SHA in the GitHub Actions usage example in README.md." \
+ --base main \
+ --head "${BRANCH}"
 fi
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
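Review bot: The `pull-requests: write` grant added to this job's `permissions` is not by itself enough for the workflow token to open a pull request: the repository or organization setting "Allow GitHub Actions to create and approve pull requests" must also be enabled, otherwise the later `gh pr create` call is refused. A comment beside the new line would record that dependency, for example `# gh pr create also needs "Allow GitHub Actions to create and approve pull requests" enabled in repository settings`. Keeping both write scopes on the job rather than at workflow level is the right placement. The job definition begins above the hunk, so any other jobs or a top-level `permissions` block are not visible here.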
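Review bot: A pull request opened with `secrets.GITHUB_TOKEN` (the `GH_TOKEN` set at the end of this hunk) does not start other workflow runs, so if the required Shellcheck check runs on `pull_request` events it will likely never report on these automated PRs and they will stay blocked by the same branch protection the commit is working around. Passing `gh pr create` a GitHub App installation token or a narrowly scoped fine-grained token instead, e.g. `GH_TOKEN: ${{ secrets.<PR_CREATION_TOKEN> }}` (placeholder name), lets the check run; otherwise the manual step needed to trigger it should be documented. Separately, the branch name is derived only from `github.sha`, so re-running the job for the same commit makes `git push origin "${BRANCH}"` and `gh pr create` fail on the already existing branch or PR. The step and its `run:` script start above the hunk, so the workflow triggers are not visible here.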