fix(ci): push nightly sha256 updates via PR instead of direct push

castrojo · Copilot · castrojo · commit 72d39dfca72d · 2026-03-14T23:39:05.000-04:00
main is protected by a merge queue; GITHUB_TOKEN cannot push directly.
Create a dated branch, open a PR, and enable auto-merge so it lands
once CI passes.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/update-mozilla-nightly.yml b/.github/workflows/update-mozilla-nightly.yml
@@ -7,6 +7,7 @@ on:
 
 permissions:
   contents: write
+  pull-requests: write
 
 jobs:
   update-sha256s:
@@ -63,11 +64,10 @@ jobs:
             echo "changed=false" >> "$GITHUB_OUTPUT"
           fi
 
-      - name: Commit and push if changed
+      - name: Commit and open PR if changed
         id: commit
         env:
-          FF_CHANGED: ${{ steps.ff-x86_64.outputs.changed == 'true' || steps.ff-aarch64.outputs.changed == 'true' }}
-          TB_CHANGED: ${{ steps.tb-x86_64.outputs.changed == 'true' }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
@@ -91,11 +91,20 @@ jobs:
           echo "ff_changed=$FF_MANIFEST_CHANGED" >> "$GITHUB_OUTPUT"
           echo "tb_changed=$TB_MANIFEST_CHANGED" >> "$GITHUB_OUTPUT"
 
+          BRANCH="chore/nightly-sha256-$(date +%Y%m%d)"
+          git checkout -b "$BRANCH"
           git add flatpaks/firefox-nightly/manifest.yaml flatpaks/thunderbird-nightly/manifest.yaml
           printf 'chore(nightly): update Mozilla nightly sha256s\n\nAuto-refresh sha256 for firefox-nightly and thunderbird-nightly.\nMozilla rebuilds nightly at the same URL daily; version string stays\n150.0a1 so Renovate cannot track this.\n\nCo-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>\n' > /tmp/nightly-commit-msg.txt
           git commit -F /tmp/nightly-commit-msg.txt
-          git pull --rebase
-          git push
+          git push origin "$BRANCH"
+
+          # Open PR and enable auto-merge so it lands once CI passes
+          gh pr create \
+            --title "chore(nightly): update Mozilla nightly sha256s $(date +%Y-%m-%d)" \
+            --body "Auto-refresh sha256 for firefox-nightly and thunderbird-nightly. Mozilla rebuilds nightly at the same URL daily; version string stays 150.0a1 so Renovate cannot track this." \
+            --base main \
+            --head "$BRANCH" || true
+          gh pr merge "$BRANCH" --auto --squash || true
 
       - name: Trigger firefox-nightly build
         if: steps.commit.outputs.ff_changed == 'true'
