diff --git a/.github/workflows/update-readme-deps.yml b/.github/workflows/update-readme-deps.yml
index 8d82f4c..26e6333 100644
--- a/.github/workflows/update-readme-deps.yml
+++ b/.github/workflows/update-readme-deps.yml
@@ -18,6 +18,7 @@ on:
 permissions:
 contents: write
+ pull-requests: write
 concurrency:
 group: update-readme-deps
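Review bot: `pull-requests: write` is granted at workflow level, so every job in this file receives it, not only the job that opens the PR; if the workflow has other jobs (not visible in this hunk), move the `permissions:` block under the job that runs `gh pr create` so the workflow-wide default stays read-only. The same applies to the pre-existing `contents: write`, which only the push of the bot branch needs.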
@@ -41,14 +42,45 @@ jobs:
 APPODEAL_API_URL: ${{ vars.APPODEAL_API_URL }}
 run: node scripts/update-readme-deps.mjs
- - name: Commit changes if any
+ - name: Create PR if README changed
+ # master is protected (changes must go through a PR), so the bot opens a PR as
+ # github-actions[bot]. A different identity (the App below) approves and merges it.
+ id: pr
+ env:
+ GH_TOKEN: ${{ github.token }}
 run: |
 if git diff --quiet -- README.md; then
 echo "README dependencies already up to date."
+ echo "created=false" >> "$GITHUB_OUTPUT"
 exit 0
 fi
+ BRANCH="chore/update-readme-deps-${{ github.run_id }}-${{ github.run_attempt }}"
 git config user.name "github-actions[bot]"
 git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git switch -c "$BRANCH"
 git add README.md
 git commit -m "chore: sync README dependency lists from Wizard API"
- git push
+ git push origin "$BRANCH"
+ gh pr create --base master --head "$BRANCH" \
+ --title "chore: sync README dependency lists from Wizard API" \
+ --body "Automated update from the Appodeal Dependencies Wizard API."
+ echo "branch=$BRANCH" >> "$GITHUB_OUTPUT"
+ echo "created=true" >> "$GITHUB_OUTPUT"
+
+ - name: Generate App token for approval
+ # A second identity is required: github-actions[bot] (the PR author) cannot approve
+ # its own PR. The GitHub App acts as the reviewer whose approval branch protection counts.
+ if: steps.pr.outputs.created == 'true'
+ id: app-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
+ - name: Approve and merge PR
+ if: steps.pr.outputs.created == 'true'
+ env:
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
+ run: |
+ gh pr review "${{ steps.pr.outputs.branch }}" --approve
+ gh pr merge "${{ steps.pr.outputs.branch }}" --squash --delete-branch
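Review bot: The "Approve and merge PR" step at the end of this hunk approves and merges whatever is on the branch at that moment, not the specific commit this run pushed, so any commit added to `chore/update-readme-deps-*` between `gh pr create` and `gh pr merge` lands on master with the App's approval and no human review; since `APP_PRIVATE_KEY` is a repository secret that other workflows in this repo can also read, this step is effectively a standing bypass of the required-review rule for any code that reaches it. Record the pushed commit in the create step (`echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"`), refuse to approve unless the PR's changed files are exactly `README.md`, and pass `--match-head-commit` to `gh pr merge` so the merge fails if the head moved; passing the branch and SHA through `env:` instead of `${{ }}` inside `run:` also keeps the script free of expression interpolation. Narrow the minted token to what the step actually uses (`pull_requests: write`, `contents: write`) via the action's `permission-*` inputs if your version of `create-github-app-token` supports them, rather than inheriting the App's full installation scope. Note too that a PR opened with `github.token` does not trigger `pull_request` workflows, so any status checks master requires will not run on it and the merge will either be refused or, if checks are not required, land untested; the workflow's `on:` triggers and checkout step are outside this hunk, so who can start a run is not visible here.
```yaml
      - name: Create PR if README changed
        # … unchanged: id, env, diff check, branch, commit, push, gh pr create …
          echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
          echo "branch=$BRANCH" >> "$GITHUB_OUTPUT"
          echo "created=true" >> "$GITHUB_OUTPUT"

      # … unchanged: Generate App token for approval step …

      - name: Approve and merge PR
        if: steps.pr.outputs.created == 'true'
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          BRANCH: ${{ steps.pr.outputs.branch }}
          HEAD_SHA: ${{ steps.pr.outputs.sha }}
        run: |
          # Only README.md may change; anything else is not this workflow's work.
          changed="$(gh pr diff "$BRANCH" --name-only)"
          if [ "$changed" != "README.md" ]; then
            echo "Refusing to approve: unexpected files changed: $changed" >&2
            exit 1
          fi
          gh pr review "$BRANCH" --approve
          # Fail instead of merging if the head moved since this run pushed it.
          gh pr merge "$BRANCH" --squash --delete-branch --match-head-commit "$HEAD_SHA"
```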