From 39488ed5a7d71ed3b7228600f95d91673e8ea947 Mon Sep 17 00:00:00 2001
From: "Victor M. Varela"
Date: Sun, 15 Mar 2026 12:17:37 +0100
Subject: [PATCH] fix(ci): use PR instead of direct push for Nix version update

The update-nix job was pushing directly to master, which is blocked by branch protection rules. Replace the direct push with a workflow that creates a dedicated branch and opens a Pull Request.

Closes #63
---
 .github/workflows/release.yml | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c283c39..1675510 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -660,7 +660,7 @@ jobs:
   # ── Update Nix package versions ────────────────────────────────────
   # Updates packaging/nix/versions.json with the new release hashes and
-  # commits back to master so `nix run github:vmvarela/sql-pipe` always
+  # opens a Pull Request so `nix run github:vmvarela/sql-pipe` always
   # points to the latest version.
   update-nix:
     name: Update Nix package
@@ -668,6 +668,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@v6
         with:
@@ -718,10 +719,21 @@ jobs:
           echo "==> Updated Nix versions.json for sql-pipe ${VERSION}:"
           cat packaging/nix/versions.json
-      - name: Commit and push
+      - name: Open Pull Request
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
+          BRANCH="chore/nix-update-${{ github.ref_name }}"
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
+          git checkout -b "${BRANCH}"
           git add packaging/nix/versions.json
-          git diff --cached --quiet || git commit -m "chore(nix): update to ${{ github.ref_name }}"
-          git push
+          git diff --cached --quiet && echo "No changes to commit." && exit 0
+          git commit -m "chore(nix): update versions.json to ${{ github.ref_name }}"
+          git push origin "${BRANCH}"
+          gh pr create \
+            --base master \
+            --head "${BRANCH}" \
+            --title "chore(nix): update versions.json to ${{ github.ref_name }}" \
+            --body "Automated update of \`packaging/nix/versions.json\` hashes for release \`${{ github.ref_name }}\`." \
+            --label "type:chore"
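Review bot: A PR opened with `secrets.GITHUB_TOKEN` (the `GH_TOKEN` set in this step's `env:`) does not start `pull_request` workflow runs, so if the `master` branch protection requires status checks, the automated PR will sit unmergeable — the same blocker this commit is trying to route around. If that is the case here, the step needs an identity whose events do trigger workflows (a GitHub App installation token or a fine-grained PAT scoped to this repository's contents and pull-requests only), and the `pull-requests: write` grant in the earlier hunk then matters less than the scope of that token. Separately, `${{ github.ref_name }}` is expanded into the shell text four times (the `BRANCH=` line, `git commit -m`, `--title`, `--body`); passing it through `env:` next to `GH_TOKEN` as `REF_NAME: ${{ github.ref_name }}` and using `"${REF_NAME}"` in the script keeps ref names out of shell parsing, which is the pattern GitHub's own hardening guidance recommends for expression values. A re-run for the same tag will also fail at `git push origin "${BRANCH}"` or `gh pr create` if the branch or PR already exists; checking `gh pr list --head "${BRANCH}"` before creating would make the step idempotent. The enclosing `update-nix` job starts outside this hunk.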