Nix update job fails: direct push to master blocked by branch protection #63

@vmvarela

Description

The update-nix job in the release workflow pushes directly to master:

# .github/workflows/release.yml:721-727
- name: Commit and push
  run: |
    git config user.name  "github-actions[bot]"
    git config user.email "github-actions[bot]@users.noreply.github.com"
    git add packaging/nix/versions.json
    git diff --cached --quiet || git commit -m "chore(nix): update to ${{ github.ref_name }}"
    git push

This violates branch protection rules:

  • Changes must be made through a pull request
  • Commits must have verified signatures

The error from the v0.3.0 release run:

remote: error: GH013: Repository rule violations found for refs/heads/master.
remote: - Changes must be made through a pull request.
remote: - Commits must have verified signatures.

Run: https://github.com/vmvarela/sql-pipe/actions/runs/23097013343

Acceptance Criteria

  • Nix versions.json is updated automatically on release without violating branch protection
  • The approach is consistent with how Homebrew/Scoop updates work (they push to separate repos)

Options

  1. Create a PR instead of direct push — use peter-evans/create-pull-request action or similar
  2. Move versions.json to a separate repo (like Homebrew/Scoop) — e.g. vmvarela/nix-sql-pipe
  3. Add branch protection bypass for the workflow — less desirable from a security standpoint

Notes

  • This is a newly-discovered issue from the first successful v0.3.0 release run (previous runs had the Nix job skipped due to upstream failures)
  • The Homebrew and Scoop jobs work because they push to separate repos (vmvarela/homebrew-sql-pipe, vmvarela/scoop-sql-pipe)

Labels

  • priority:high (Must be in the next sprint)
  • size:s (Small — 1 to 4 hours)
  • type:bug (Something isn't working)
