fix(ci): use PR instead of direct push for Nix version update (#71)

vmvarela · web-flow · commit f40f31d439f4 · 2026-03-15T12:23:29.000+01:00
The update-nix job was pushing directly to master, which is blocked by branch protection rules. Replace the direct push with a workflow that creates a dedicated branch and opens a Pull Request. Closes #63
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -660,14 +660,15 @@ jobs:
 
   # ── Update Nix package versions ────────────────────────────────────
   # Updates packaging/nix/versions.json with the new release hashes and
-  # commits back to master so `nix run github:vmvarela/sql-pipe` always
+  # opens a Pull Request so `nix run github:vmvarela/sql-pipe` always
   # points to the latest version.
   update-nix:
     name: Update Nix package
     needs: checksums
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@v6
         with:
@@ -718,10 +719,21 @@ jobs:
           echo "==> Updated Nix versions.json for sql-pipe ${VERSION}:"
           cat packaging/nix/versions.json
 
-      - name: Commit and push
+      - name: Open Pull Request
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
+          BRANCH="chore/nix-update-${{ github.ref_name }}"
           git config user.name  "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
+          git checkout -b "${BRANCH}"
           git add packaging/nix/versions.json
-          git diff --cached --quiet || git commit -m "chore(nix): update to ${{ github.ref_name }}"
-          git push
+          git diff --cached --quiet && echo "No changes to commit." && exit 0
+          git commit -m "chore(nix): update versions.json to ${{ github.ref_name }}"
+          git push origin "${BRANCH}"
+          gh pr create \
+            --base master \
+            --head "${BRANCH}" \
+            --title "chore(nix): update versions.json to ${{ github.ref_name }}" \
+            --body "Automated update of \`packaging/nix/versions.json\` hashes for release \`${{ github.ref_name }}\`." \
+            --label "type:chore"
