From 393fbf0973f42949010f67297c1a3c7d834c1fc2 Mon Sep 17 00:00:00 2001 From: nadav Date: Tue, 10 Mar 2026 14:44:45 +0200 Subject: [PATCH 1/7] ci: switch npm publish to OIDC trusted publisher (no token needed) Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 10d3555..48e59d4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -38,5 +38,5 @@ jobs: - name: Release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + NPM_CONFIG_PROVENANCE: "true" run: npx semantic-release From cf53db862a0f44efcad519565fd559f4f2d5c61a Mon Sep 17 00:00:00 2001 From: nadav Date: Tue, 10 Mar 2026 14:47:07 +0200 Subject: [PATCH 2/7] chore: fix prettier formatting on release.yml Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 48e59d4..60fa746 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -38,5 +38,5 @@ jobs: - name: Release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NPM_CONFIG_PROVENANCE: "true" + NPM_CONFIG_PROVENANCE: 'true' run: npx semantic-release From 1523e07835dcf82d3092ac7049ee45c7f3183701 Mon Sep 17 00:00:00 2001 From: nadav Date: Tue, 10 Mar 2026 14:51:08 +0200 Subject: [PATCH 3/7] ci: auto-create PR from dev to main on every push Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/auto-pr.yml | 41 +++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 .github/workflows/auto-pr.yml diff --git a/.github/workflows/auto-pr.yml b/.github/workflows/auto-pr.yml new file mode 100644 index 0000000..23139c1 --- /dev/null +++ b/.github/workflows/auto-pr.yml 
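Review bot: In the release.yml hunk of PATCH 1/7, `NPM_CONFIG_PROVENANCE: "true"` only asks npm to attach a provenance attestation; the OIDC exchange that replaces `NODE_AUTH_TOKEN` also needs the job to grant `id-token: write`. No `permissions:` block is visible here, because the job starts above line 38, outside the hunk. If it is not already declared, add `id-token: write` to the release job's permissions, and confirm that the npm CLI and @semantic-release/npm versions in use support trusted publishing; otherwise the publish step is left without a credential. Once the first tokenless release succeeds, revoke the old `NPM_TOKEN` on the registry and delete the repository secret so the long-lived token cannot be reused.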
@@ -0,0 +1,41 @@ +name: Auto PR dev → main + +on: + push: + branches: [dev] + +permissions: + contents: read + pull-requests: write + +jobs: + open-pr: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Create PR if not exists + uses: actions/github-script@v7 + with: + script: | + const { data: prs } = await github.rest.pulls.list({ + owner: context.repo.owner, + repo: context.repo.repo, + head: `${context.repo.owner}:dev`, + base: 'main', + state: 'open', + }); + + if (prs.length === 0) { + await github.rest.pulls.create({ + owner: context.repo.owner, + repo: context.repo.repo, + head: 'dev', + base: 'main', + title: 'chore: merge dev into main', + body: '### Auto-generated PR\nMerge latest `dev` changes into `main` to trigger a release.\n\n> Squash and merge to keep a clean history.', + }); + console.log('PR created.'); + } else { + console.log('PR already open:', prs[0].html_url); + } From 3073c449ce78c3f9798eec02cef19731c8e1daa6 Mon Sep 17 00:00:00 2001 From: nadav Date: Tue, 10 Mar 2026 14:55:29 +0200 Subject: [PATCH 4/7] ci: use PAT_TOKEN for PR creation to bypass org restriction Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/auto-pr.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/auto-pr.yml b/.github/workflows/auto-pr.yml index 23139c1..1bd941f 100644 --- a/.github/workflows/auto-pr.yml +++ b/.github/workflows/auto-pr.yml @@ -17,6 +17,7 @@ jobs: - name: Create PR if not exists uses: actions/github-script@v7 with: + github-token: ${{ secrets.PAT_TOKEN }} script: | const { data: prs } = await github.rest.pulls.list({ owner: context.repo.owner, From 9871a65f999d1ed3c16a1e0879a7b3df658aeadd Mon Sep 17 00:00:00 2001 From: nadav Date: Tue, 10 Mar 2026 15:01:40 +0200 Subject: [PATCH 5/7] chore: trigger auto-pr workflow test Co-Authored-By: Claude Sonnet 4.6 From d88e597016e918e3b9eafb12de0f0f54b67465fd Mon Sep 17 00:00:00 2001 
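Review bot: The `actions/checkout@v4` step in the new auto-pr.yml (PATCH 3/7) looks unnecessary, because the `github-script` step only calls the pulls REST API and never reads the working tree. By default checkout also stores the job token in the local git config for the rest of the job, so I would delete the step or set `persist-credentials: false` on it. A one-line comment above `permissions:`, such as `# least privilege: list and open PRs only`, would record why the block is this narrow.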
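Review bot: `github-token: ${{ secrets.PAT_TOKEN }}` (PATCH 4/7) swaps the short-lived job token for a long-lived personal token, and the workflow's `permissions:` block does not limit what that token can do. Its reach is whatever the PAT was issued with, which for a classic PAT can be every repository its owner can access. If the org setting that blocks Actions from opening pull requests has to stay on, prefer a GitHub App installation token, or at least a fine-grained PAT restricted to this repository with only pull-request write access and an expiry date. PRs opened with a PAT also trigger other workflows, unlike ones opened with `GITHUB_TOKEN`, so check that this is intended. A comment on the line, e.g. `# fine-grained PAT: this repo only, pull-requests: write`, would document the expected scope.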
From: nadav Date: Tue, 10 Mar 2026 15:04:34 +0200 Subject: [PATCH 6/7] ci: switch to peter-evans/create-pull-request action Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/auto-pr.yml | 35 +++++++++++------------------------ 1 file changed, 11 insertions(+), 24 deletions(-) diff --git a/.github/workflows/auto-pr.yml b/.github/workflows/auto-pr.yml index 1bd941f..e47c2cd 100644 --- a/.github/workflows/auto-pr.yml +++ b/.github/workflows/auto-pr.yml @@ -1,4 +1,4 @@ -name: Auto PR dev → main +name: Auto PR dev -> main on: push: @@ -15,28 +15,15 @@ jobs: - uses: actions/checkout@v4 - name: Create PR if not exists - uses: actions/github-script@v7 + uses: peter-evans/create-pull-request@v6 with: - github-token: ${{ secrets.PAT_TOKEN }} - script: | - const { data: prs } = await github.rest.pulls.list({ - owner: context.repo.owner, - repo: context.repo.repo, - head: `${context.repo.owner}:dev`, - base: 'main', - state: 'open', - }); + token: ${{ secrets.PAT_TOKEN }} + base: main + branch: dev + title: 'chore: merge dev into main' + body: | + ### Auto-generated PR + Merge latest `dev` changes into `main` to trigger a release. - if (prs.length === 0) { - await github.rest.pulls.create({ - owner: context.repo.owner, - repo: context.repo.repo, - head: 'dev', - base: 'main', - title: 'chore: merge dev into main', - body: '### Auto-generated PR\nMerge latest `dev` changes into `main` to trigger a release.\n\n> Squash and merge to keep a clean history.', - }); - console.log('PR created.'); - } else { - console.log('PR already open:', prs[0].html_url); - } + > Squash and merge to keep a clean history. + draft: false From f8b675d25431882ef743b2f1727117f920fd6218 Mon Sep 17 00:00:00 2001 From: nadav Date: Tue, 10 Mar 2026 15:10:46 +0200 Subject: [PATCH 7/7] ci: use gh CLI for auto PR creation --- .github/workflows/auto-pr.yml | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) 
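Review bot: In the second hunk of PATCH 6/7, `PAT_TOKEN` is now handed to third-party code referenced by a mutable tag, `peter-evans/create-pull-request@v6`, so whoever can move that tag decides what runs with the token. Pin the action to a full commit SHA and keep the tag as a trailing comment: `uses: peter-evans/create-pull-request@<full-commit-sha> # v6`. Separately, as far as I know this action commits working-tree changes to the branch named in `branch:` and force-pushes it, so `branch: dev` points it at the branch developers push to. Please confirm that behaviour is safe for `dev` before relying on it.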
diff --git a/.github/workflows/auto-pr.yml b/.github/workflows/auto-pr.yml index e47c2cd..c00532d 100644 --- a/.github/workflows/auto-pr.yml +++ b/.github/workflows/auto-pr.yml @@ -4,26 +4,27 @@ on: push: branches: [dev] -permissions: - contents: read - pull-requests: write - jobs: open-pr: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - name: Create PR if not exists - uses: peter-evans/create-pull-request@v6 - with: - token: ${{ secrets.PAT_TOKEN }} - base: main - branch: dev - title: 'chore: merge dev into main' - body: | - ### Auto-generated PR - Merge latest `dev` changes into `main` to trigger a release. + - name: Open PR dev -> main if not exists + env: + GH_TOKEN: ${{ secrets.PAT_TOKEN }} + run: | + PR=$(gh pr list --base main --head dev --state open --json number -q '.[0].number') + if [ -z "$PR" ]; then + gh pr create \ + --base main \ + --head dev \ + --title "chore: merge dev into main" \ + --body "### Auto-generated PR + Merge latest \`dev\` changes into \`main\` to trigger a release. - > Squash and merge to keep a clean history. - draft: false + > Squash and merge to keep a clean history." + echo "PR created." + else + echo "PR #$PR already open, skipping." + fi
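Review bot: PATCH 7/7 deletes the top-level `permissions:` block, so `GITHUB_TOKEN` falls back to the repository or organisation default, which may be read-write. `actions/checkout@v4` then keeps that token in the git config while the `gh` step runs. Since `gh` authenticates with `GH_TOKEN`, the job token needs nothing beyond reading the repository; I would keep `permissions:` with `contents: read` at the top of the file. The `--body` string spans several lines inside `run: |`, so it is worth checking the rendered PR body for stray leading indentation, which cannot be verified from this hunk.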