ci: open PR instead of direct push in dependabot update workflow

[Copilot]

The scheduled dependency update workflow was pushing directly to gh-pages, which is a protected branch requiring PRs and status checks — causing the workflow to fail with GH006: Protected branch update failed.

Changes

• Replaced direct push with PR flow: instead of git push to gh-pages, the workflow now creates a timestamped branch (chore/update-dependencies-<YYYYMMDD-HHMMSS>) and opens a PR against gh-pages via gh pr create
• Unique branch names: uses %Y%m%d-%H%M%S to avoid collisions on repeated same-day runs

- name: Commit and open PR
  env:
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  run: |
    ...
    BRANCH="chore/update-dependencies-$(date +%Y%m%d-%H%M%S)"
    git checkout -b "$BRANCH"
    git add -A
    git commit -m "chore: update dependencies"
    git push origin "$BRANCH"
    gh pr create \
      --base gh-pages \
      --head "$BRANCH" \
      --title "chore: update dependencies" \
      --body "Automated dependency update via \`npm update\` and bundle rebuild."

The pull-requests: write permission was already present on the workflow, so no permissions changes were needed.

[Copilot]

Pull request overview

Updates the scheduled dependency update workflow to avoid direct pushes to the protected gh-pages branch by creating a dedicated update branch and opening a PR instead.

Changes:

• Replace git push to the protected branch with a timestamped branch push + gh pr create.
• Add GH_TOKEN so the GitHub CLI can authenticate when creating the PR.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.