Permify · omer-topal · Mar 26, 2026 · Mar 26, 2026
diff --git a/.github/workflows/protos.yml b/.github/workflows/protos.yml
@@ -18,7 +18,7 @@ jobs:
     steps:
        # Security hardening for GitHub Actions runner
        - name: Harden Runner
-         uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+         uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
          with:
            egress-policy: audit
 
@@ -36,44 +36,45 @@ jobs:
 
        # Install dependencies (needed for ts-proto plugin)
        - name: Install Dependencies
-         uses: bahmutov/npm-install@3e063b974f0d209807684aa23e534b3dde517fd9 # v1.11.2
-         with:
-           useLockFile: false
+         run: yarn install --frozen-lockfile --non-interactive
 
        # Setup Buf CLI - will pull proto from buf.build/permifyco/permify
        - name: Setup Buf
-         uses: bufbuild/buf-action@8f4a1456a0ab6a1eb80ba68e53832e6fcfacc16c # v1.3.0
-         with:
-           setup_only: true
-           github_token: ${{ secrets.GITHUB_TOKEN }}
+         run: |
+           BUF_VERSION="1.57.0"
+           curl -sSL "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION}/buf-Linux-x86_64" -o "${RUNNER_TEMP}/buf"
+           chmod +x "${RUNNER_TEMP}/buf"
+           echo "${RUNNER_TEMP}" >> "${GITHUB_PATH}"
 
        # Generate TypeScript code from Buf Schema Registry
        - name: Generate Code with Buf
          run: yarn buf:generate
 
-       # Check if there are any changes
-       - name: Check for changes
-         id: verify-changes
+       - name: Commit changes
+         id: commitchanges
+         run: |
+           echo "commit changes"
+           scripts/commit-changes.sh "proto-update/permify-latest"
+         shell: bash
+
+       # Push branch and open or update the PR only if there are changes
+       - name: Push changes and open PR
+         if: steps.commitchanges.outputs.changes_made == '1'
+         env:
+           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          run: |
-           if git diff --quiet; then
-             echo "has_changes=false" >> $GITHUB_OUTPUT
-             echo "No changes detected"
+           BRANCH_NAME="${{ steps.commitchanges.outputs.branch_name }}"
+           PR_TITLE="chore(proto): update generated SDK with latest Permify definitions"
+           PR_BODY="Automatically created PR with the latest generated SDK from Permify proto definitions."
+
+           echo "${BRANCH_NAME}"
+           git push "https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}" "${BRANCH_NAME}"
+
+           PR_NUMBER="$(gh pr list --head "${BRANCH_NAME}" --base main --state open --json number --jq '.[0].number')"
+
+           if [ -n "${PR_NUMBER}" ]; then
+             gh pr edit "${PR_NUMBER}" --title "${PR_TITLE}" --body "${PR_BODY}"
            else
-             echo "has_changes=true" >> $GITHUB_OUTPUT
-             echo "Changes detected, will create PR"
+             gh pr create --base main --head "${BRANCH_NAME}" --title "${PR_TITLE}" --body "${PR_BODY}" --label dependencies --label automated
            fi
-
-       # Create Pull Request only if there are changes
-       - name: Create Pull Request
-         if: steps.verify-changes.outputs.has_changes == 'true'
-         uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
-         with:
-           token: ${{ secrets.GITHUB_TOKEN }}
-           commit-message: "chore(proto): update generated SDK with latest Permify definitions"
-           title: "chore(proto): update generated SDK with latest Permify definitions"
-           branch: proto-update/permify-latest
-           delete-branch: true
-           base: main
-           labels: |
-             dependencies
-             automated
+         shell: bash
diff --git a/scripts/commit-changes.sh b/scripts/commit-changes.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+branch_name="${1:?branch name is required}"
+
+if git diff --quiet; then
+  echo "changes_made=0" >> "${GITHUB_OUTPUT}"
+  echo "No changes detected"
+  exit 0
+fi
+
+git config user.email "github-actions[bot]@users.noreply.github.com"
+git config user.name "github-actions[bot]"
+git checkout -B "${branch_name}"
+git add -A
+git commit -m "chore(proto): update generated SDK with latest Permify definitions"
+
+{
+  echo "changes_made=1"
+  echo "branch_name=${branch_name}"
+} >> "${GITHUB_OUTPUT}"