From 31ee2bce5347cd342c82fd6bbffe994ef84be369 Mon Sep 17 00:00:00 2001
From: Chun-Heng Tai
Date: Mon, 16 Mar 2026 13:31:30 -0700
Subject: [PATCH 1/2] [ci] grants write permission to create branch in remote

---
 .github/workflows/batch_release_pr.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/batch_release_pr.yml b/.github/workflows/batch_release_pr.yml
index 12e0278fb96c..076c9de69ee7 100644
--- a/.github/workflows/batch_release_pr.yml
+++ b/.github/workflows/batch_release_pr.yml
@@ -7,6 +7,8 @@ on:
 jobs:
 create_release_pr:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # Grants write permission to create a branch and PR.
 env:
 BRANCH_NAME: ${{ github.event.client_payload.package }}-${{ github.run_id }}-${{ github.run_attempt }}
 steps:

From a05cd4eb0bcbd3f02fa24b94e994689b32af1fc8 Mon Sep 17 00:00:00 2001
From: Chun-Heng Tai
Date: Tue, 17 Mar 2026 13:39:02 -0700
Subject: [PATCH 2/2] separate out branch and pull requests

---
 .github/workflows/batch_release_pr.yml | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/batch_release_pr.yml b/.github/workflows/batch_release_pr.yml
index 076c9de69ee7..43d84564242c 100644
--- a/.github/workflows/batch_release_pr.yml
+++ b/.github/workflows/batch_release_pr.yml
@@ -5,12 +5,14 @@ on:
 types: [batch-release-pr]

 jobs:
- create_release_pr:
+ create_batch_release_branch:
 runs-on: ubuntu-latest
 permissions:
- contents: write # Grants write permission to create a branch and PR.
+ contents: write # Grants write permission to create a branch.
 env:
 BRANCH_NAME: ${{ github.event.client_payload.package }}-${{ github.run_id }}-${{ github.run_attempt }}
+ outputs:
+ branch_created: ${{ steps.check-branch-exists.outputs.exists }}
 steps:
 - name: checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
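Review bot: The job that now receives `contents: write` builds `BRANCH_NAME` from `github.event.client_payload.package`, and nothing in this hunk constrains that value before it is used as a ref name. Routing it through `env:` keeps it out of inline script text, which is the right pattern, but the payload is whatever the sender of the `repository_dispatch` event supplied. I would add an early step that rejects anything outside the expected package-name shape, for example `[[ "$PACKAGE" =~ ^[a-z0-9_]+$ ]] || exit 1` with `PACKAGE` passed via `env:`. The steps that consume `BRANCH_NAME` lie outside the hunk, so confirm they quote the variable.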
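Review bot: Only `branch_created` is exported in the new `outputs:` block, so the second job added later in this patch has to recompute `BRANCH_NAME` from `github.run_attempt`. If `create_release_pr` is re-run on its own, the attempt number increments while the outputs of the already successful branch job are reused, so the recomputed name would no longer match the branch that was pushed. Export the name as well, `branch_name: ${{ env.BRANCH_NAME }}`, and have the PR job check out `ref: ${{ needs.create_batch_release_branch.outputs.branch_name }}` instead of repeating the expression. The job's steps continue outside the hunk.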
@@ -38,8 +40,20 @@ jobs:
 echo "exists=false" >> $GITHUB_OUTPUT
 fi

+ create_release_pr:
+ needs: create_batch_release_branch
+ if: needs.create_batch_release_branch.outputs.branch_created == 'true'
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write # Grants write permission to create a PR.
+ env:
+ BRANCH_NAME: ${{ github.event.client_payload.package }}-${{ github.run_id }}-${{ github.run_attempt }}
+ steps:
+ - name: checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ ref: ${{ env.BRANCH_NAME }}
 - name: Create batch release PR
- if: steps.check-branch-exists.outputs.exists == 'true'
 uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
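Review bot: The `permissions:` block on `create_release_pr` lists only `pull-requests: write`, which sets every unlisted scope, including `contents`, to none for this job's `GITHUB_TOKEN`. The checkout step then depends on the repository being publicly readable, and peter-evans/create-pull-request documents `contents: write` alongside `pull-requests: write` for the cases where it pushes the branch itself. Since the branch is already pushed by the first job, `contents: read` is likely enough here; add it explicitly as `contents: read # Needed to check out the release branch.` and confirm the PR step does not push. The remaining `with:` inputs of the PR step are outside the hunk.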