diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 3fa91c6..c143c89 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -38,12 +38,20 @@ jobs:
       - name: Pin README to release SHA
         if: ${{ steps.release.outputs.release_created }}
         env:
-          GITHUB_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ github.token }}
         run: |
           sed -i -E \
             's|developmentseed/python-security-auditing@[^ ]+( # v[0-9][^ ]*)?|developmentseed/python-security-auditing@${{ steps.release.outputs.sha }} # ${{ steps.release.outputs.tag_name }}|g' \
             README.md
           git add README.md
           git diff --cached --quiet && echo "README unchanged, skipping commit" && exit 0
-          git commit -m "chore: pin README to ${{ steps.release.outputs.tag_name }} [skip ci]"
-          git push origin HEAD:main
+          BRANCH="chore/pin-readme-${{ steps.release.outputs.tag_name }}"
+          git checkout -b "$BRANCH"
+          git commit -m "chore: pin README to ${{ steps.release.outputs.tag_name }}"
+          git push origin "$BRANCH"
+          gh pr create \
+            --title "chore: pin README to ${{ steps.release.outputs.tag_name }}" \
+            --body "Automated: pin README SHA references to release ${{ steps.release.outputs.tag_name }}." \
+            --base main \
+            --head "$BRANCH"
+          gh pr merge --auto --squash "$BRANCH"