From 3f360423d1bf9b7fa2aa2e74f436c62165fddd70 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Kuty=C5=82a?=
Date: Thu, 18 Jun 2026 13:17:15 +0200
Subject: [PATCH] ci(publish): merge release bump via PR instead of pushing to protected main

git push origin main failed because main requires a pull request. The release job now commits the version bump to a release/vX branch, pushes the branch and tag, opens a PR to main, and enables auto-merge (squash, delete branch) so it lands once required checks/approvals pass. Adds pull-requests: write and uses GH_TOKEN for the gh CLI.
---
 .github/workflows/publish.yml | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6dcb97c..ddfe8d0 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -20,6 +20,7 @@ concurrency:

 permissions:
 contents: write
+ pull-requests: write

 jobs:
 publish:
@@ -52,6 +53,10 @@ jobs:
 git config user.email "github-actions[bot]@users.noreply.github.com"
 npm version ${{ inputs.version }} --no-git-tag-version
 VERSION=$(node -p "require('./package.json').version")
+ echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
+ echo "RELEASE_BRANCH=release/v${VERSION}" >> "$GITHUB_ENV"
+ # main is protected (requires a PR), so commit to a release branch and merge via PR.
+ git switch -c "release/v${VERSION}"
 git add package.json
 git commit -m "release: v${VERSION}"
 git tag "v${VERSION}"
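Review bot: `pull-requests: write` is added to the workflow-level `permissions:` block, so every job in this workflow receives it, not only the step that calls `gh`. Only the `publish` job is visible in this hunk; if the file defines other jobs, consider declaring `contents: write` and `pull-requests: write` in a `permissions:` block under `publish:` and keeping the top level read-only. A comment such as `# pull-requests: write is needed by gh pr create / gh pr merge in the release step` would record why the token scope was widened.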
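Review bot: `npm version ${{ inputs.version }}` in the context just above the added lines is expanded into the script text before the shell runs, so the input is parsed as shell rather than passed as a single argument. With this change the value derived from it also feeds `$GITHUB_ENV`, a branch name and a PR title, which makes validating it at the entry point more important. Pass it through the step environment instead: add `INPUT_VERSION: ${{ inputs.version }}` under the step's `env:` and call `npm version "$INPUT_VERSION" --no-git-tag-version`. The step header lies outside this hunk, so whether it already has an `env:` block, and who may trigger the workflow, is not visible here.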
@@ -66,8 +71,17 @@ jobs:
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

- - name: Push version commit and tag
+ - name: Push release branch and tag, open auto-merge PR
 if: ${{ inputs.dry-run != true }}
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
- git push origin main
+ git push origin "${RELEASE_BRANCH}"
 git push origin --tags
+ gh pr create \
+ --base main \
+ --head "${RELEASE_BRANCH}" \
+ --title "release: v${VERSION}" \
+ --body "Automated version bump for v${VERSION}. Tag \`v${VERSION}\` already pushed; npm publish already completed. Merging this lands the bumped package.json on main."
+ # Land it through the protected branch's PR flow once required checks/approvals pass.
+ gh pr merge "${RELEASE_BRANCH}" --auto --squash --delete-branch
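Review bot: The tag `v${VERSION}` is pushed, and per the PR body the package is already published, before the PR merges, and `--squash` puts a new commit on main, so once `--delete-branch` removes the branch the tag points at a commit that is not in main's history. If the PR never merges, the published version and its tag have no counterpart on main at all, which weakens the link between the released artifact and reviewed source. If the repository permits merge commits (not visible here), `gh pr merge "${RELEASE_BRANCH}" --auto --merge --delete-branch` keeps the tagged commit reachable from main. It is also worth confirming that required checks can run at all: a PR opened with `GITHUB_TOKEN` does not start `pull_request` workflow runs, so checks implemented as workflows may never report and auto-merge would stay pending.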