diff --git a/.github/workflows/update-changelog.yml b/.github/workflows/update-changelog.yml
index 7f9a7ab..6b3972f 100644
--- a/.github/workflows/update-changelog.yml
+++ b/.github/workflows/update-changelog.yml
@@ -14,6 +14,7 @@ on:
 permissions:
 contents: write
+ pull-requests: write
 jobs:
 update:
@@ -64,14 +65,32 @@ jobs:
 fi
 mv CHANGELOG.md.new CHANGELOG.md
- - name: Commit and push
+ - name: Open a PR (main is branch-protected)
+ env:
+ TAG: ${{ github.event.release.tag_name }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
+ set -euo pipefail
 if git diff --quiet -- CHANGELOG.md; then
 echo "No changes to CHANGELOG.md — release body was empty?"
 exit 0
 fi
+
+ BRANCH="chore/changelog-${TAG}"
 git config user.name "github-actions[bot]"
 git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git checkout -b "$BRANCH"
 git add CHANGELOG.md
- git commit -m "docs(changelog): record ${{ github.event.release.tag_name }} [skip ci]"
- git push
+ git commit -m "docs(changelog): record ${TAG}"
+ git push -u origin "$BRANCH"
+
+ # `gh pr create` returns the URL; capture it so we can enable auto-merge.
+ PR_URL=$(gh pr create \
+ --base main \
+ --head "$BRANCH" \
+ --title "docs(changelog): record ${TAG}" \
+ --body "Auto-generated by \`update-changelog.yml\` after the ${TAG} release. CI gates this merge like any other PR.")
+
+ # Auto-merge after CI green — same UX as the old direct-push, but
+ # routed through branch protection's required checks.
+ gh pr merge --squash --auto --delete-branch "$PR_URL"
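Review bot: The new `pull-requests: write` scope sits in the workflow-level `permissions:` block, so every job in this file receives it together with `contents: write`, although only the last step of `update` appears to need it. Moving the whole `permissions:` mapping under `jobs.update` would tie the token scope to the one job that opens the PR. The rest of the workflow is outside this hunk, so whether other jobs exist cannot be confirmed from here.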
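Review bot: The PR in the `Open a PR` step is created with `GITHUB_TOKEN`, and GitHub does not start `pull_request` or `push` workflow runs for events caused by that token, so the required checks this step depends on may never report and `gh pr merge --auto` would then stay pending. If branch protection on `main` requires status checks (not visible here), the PR body's statement that CI gates the merge does not hold as written. If a different credential is used for the `gh` calls, prefer a GitHub App installation token limited to this repository with only contents and pull-requests write over a broad personal access token. The constraint is worth recording above `gh pr create`, for example `# PRs opened with GITHUB_TOKEN do not trigger on: pull_request workflows`. The `update` job starts outside this hunk, and a leftover `chore/changelog-${TAG}` branch from an earlier run would likely make `git push -u origin "$BRANCH"` fail under `set -euo pipefail`.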