From 0f53cfaeea947686760487079a69e48e19c535bb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Houpert?=
 <10154151+lhoupert@users.noreply.github.com>
Date: Fri, 27 Mar 2026 15:04:25 +0000
Subject: [PATCH] fix: fix ci to pin update in readme

---
 .github/workflows/release-please.yml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 3fa91c6..c143c89 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -38,12 +38,20 @@ jobs:
       - name: Pin README to release SHA
         if: ${{ steps.release.outputs.release_created }}
         env:
-          GITHUB_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ github.token }}
         run: |
           sed -i -E \
             's|developmentseed/python-security-auditing@[^ ]+( # v[0-9][^ ]*)?|developmentseed/python-security-auditing@${{ steps.release.outputs.sha }} # ${{ steps.release.outputs.tag_name }}|g' \
             README.md
           git add README.md
           git diff --cached --quiet && echo "README unchanged, skipping commit" && exit 0
-          git commit -m "chore: pin README to ${{ steps.release.outputs.tag_name }} [skip ci]"
-          git push origin HEAD:main
+          BRANCH="chore/pin-readme-${{ steps.release.outputs.tag_name }}"
+          git checkout -b "$BRANCH"
+          git commit -m "chore: pin README to ${{ steps.release.outputs.tag_name }}"
+          git push origin "$BRANCH"
+          gh pr create \
+            --title "chore: pin README to ${{ steps.release.outputs.tag_name }}" \
+            --body "Automated: pin README SHA references to release ${{ steps.release.outputs.tag_name }}." \
+            --base main \
+            --head "$BRANCH"
+          gh pr merge --auto --squash "$BRANCH"