From 01110a77aa6914f32b8a17bc4d7108850b1028eb Mon Sep 17 00:00:00 2001
From: Matthew Mellor <matthew@mellor.earth>
Date: Fri, 6 Mar 2026 10:48:50 -0600
Subject: [PATCH] fix(ci): use PR instead of direct push for tool versions
 update

Branch protection on main requires changes through a pull request.
Update the workflow to create a PR from an auto/ branch instead of
pushing directly to main.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/workflows/update-tool-versions.yml | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/update-tool-versions.yml b/.github/workflows/update-tool-versions.yml
index c2e0fc6..3a414a9 100644
--- a/.github/workflows/update-tool-versions.yml
+++ b/.github/workflows/update-tool-versions.yml
@@ -8,6 +8,7 @@ on:
 
 permissions:
   contents: write
+  pull-requests: write
 
 jobs:
   update-versions:
@@ -32,11 +33,22 @@ jobs:
             echo "changed=true" >> "$GITHUB_OUTPUT"
           fi
 
-      - name: Commit and push
+      - name: Create pull request
         if: steps.diff.outputs.changed == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
+          branch="auto/update-tool-versions"
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
+          git checkout -B "$branch"
           git add content/docs/container/versions.md
           git commit -m "docs(container): update tool versions page"
-          git push
+          git push -f origin "$branch"
+          if ! gh pr list --head "$branch" --state open --json number -q '.[0].number' | grep -q .; then
+            gh pr create \
+              --title "docs(container): update tool versions page" \
+              --body "Automated daily update of tool versions from the latest dev-toolchain release." \
+              --head "$branch" \
+              --base main
+          fi