diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6dcb97c..ddfe8d0 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -20,6 +20,7 @@ concurrency:
 permissions:
 contents: write
+ pull-requests: write
 jobs:
 publish:
@@ -52,6 +53,10 @@ jobs:
 git config user.email "github-actions[bot]@users.noreply.github.com"
 npm version ${{ inputs.version }} --no-git-tag-version
 VERSION=$(node -p "require('./package.json').version")
+ echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
+ echo "RELEASE_BRANCH=release/v${VERSION}" >> "$GITHUB_ENV"
+ # main is protected (requires a PR), so commit to a release branch and merge via PR.
+ git switch -c "release/v${VERSION}"
 git add package.json
 git commit -m "release: v${VERSION}"
 git tag "v${VERSION}"
@@ -66,8 +71,17 @@ jobs:
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
- - name: Push version commit and tag
+ - name: Push release branch and tag, open auto-merge PR
 if: ${{ inputs.dry-run != true }}
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
- git push origin main
+ git push origin "${RELEASE_BRANCH}"
 git push origin --tags
+ gh pr create \
+ --base main \
+ --head "${RELEASE_BRANCH}" \
+ --title "release: v${VERSION}" \
+ --body "Automated version bump for v${VERSION}. Tag \`v${VERSION}\` already pushed; npm publish already completed. Merging this lands the bumped package.json on main."
+ # Land it through the protected branch's PR flow once required checks/approvals pass.
+ gh pr merge "${RELEASE_BRANCH}" --auto --squash --delete-branch
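Review bot: `pull-requests: write` is added to the workflow-level `permissions:` block, so it is granted to every job in this workflow alongside `contents: write`, not only to the step that opens the release PR. Only the `publish` job is visible here; if the file defines others, move both scopes under `jobs.publish.permissions` and drop the top level to `contents: read`. Separately, `gh pr create` with `GITHUB_TOKEN` also depends on the repository setting that allows Actions to create pull requests, which is worth recording in a comment next to the permission, e.g. `# needed by gh pr create/merge in the publish job; repo must allow Actions to open PRs`.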
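Review bot: `git tag "v${VERSION}"` now runs after `git switch -c`, so the release tag is cut on the release-branch commit, while the final step of this workflow merges with `--squash --delete-branch`. A squash creates a new commit on main, which leaves `v${VERSION}` pointing at a commit that never becomes part of main's history, so someone auditing what was published cannot find the tagged commit on the protected branch. If main permits merge commits, `gh pr merge "${RELEASE_BRANCH}" --auto --merge --delete-branch` keeps the tagged commit reachable; otherwise state the divergence in the comment above `git switch`. The `run:` block starts and ends outside this hunk.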
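Review bot: The PR is opened with `secrets.GITHUB_TOKEN`, and events created by that token do not start new workflow runs, so if main's required checks are Actions workflows triggered on `pull_request` they will never report and `gh pr merge --auto` stays pending indefinitely. By then the tag is pushed and, per the PR body, the npm publish has completed, so main silently lags the registry with nothing failing the run. Consider a narrowly scoped GitHub App or fine-grained token for this step, e.g. `GH_TOKEN: ${{ secrets.RELEASE_PR_TOKEN }}` (placeholder secret name), limited to contents and pull requests on this repository. `gh pr merge --auto` also fails outright when auto-merge is disabled in the repository settings, which the step comment should mention.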