diff --git a/.github/workflows/R-CMD-check.yaml b/.github/workflows/R-CMD-check.yaml
index eaa4a37cf..13e20a3db 100644
--- a/.github/workflows/R-CMD-check.yaml
+++ b/.github/workflows/R-CMD-check.yaml
@@ -183,7 +183,7 @@ jobs:
           echo -n "${{ steps.commit.outputs.sha }}" > rcc-smoke-sha.txt
         shell: bash
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
         with:
           name: rcc-smoke-sha
           path: rcc-smoke-sha.txt
diff --git a/.github/workflows/commit/action.yml b/.github/workflows/commit/action.yml
index 8468121b3..94ccfad61 100644
--- a/.github/workflows/commit/action.yml
+++ b/.github/workflows/commit/action.yml
@@ -27,53 +27,116 @@ runs:
       id: repo-state
       uses: ./.github/workflows/repo-state
 
-    - name: Commit if changed, create a PR if protected
-      id: commit
-      if: steps.check.outputs.has_changes == 'true'
+    - name: Commit and create PR on protected branch
+      if: steps.check.outputs.has_changes == 'true' && steps.repo-state.outputs.foreign == 'false' && steps.repo-state.outputs.protected == 'true'
       env:
         GITHUB_TOKEN: ${{ inputs.token }}
       run: |
         set -x
-        protected=${{ steps.repo-state.outputs.protected }}
-        foreign=${{ steps.repo-state.outputs.foreign }}
-        is_pr=${{ steps.repo-state.outputs.is_pr }}
-        if [ "${foreign}" = "true" ]; then
-          # https://github.com/krlmlr/actions-sync/issues/44
-          echo "Can't push to foreign branch"
-          exit 1
-        elif [ "${protected}" = "true" ]; then
-          current_branch=$(git branch --show-current)
-          new_branch=gha-commit-$(git rev-parse --short HEAD)
-          git checkout -b ${new_branch}
-          git add .
-          git commit -m "chore: Auto-update from GitHub Actions"$'\n'$'\n'"Run: ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
-          # Force-push, used in only one place
-          # Alternative: separate branch names for each usage
-          git push -u origin HEAD -f
-
-          existing_pr=$(gh pr list --state open --base main --head ${new_branch} --json number --jq '.[] | .number')
-          if [ -n "${existing_pr}" ]; then
-            echo "Existing PR: ${existing_pr}"
-          else
-            gh pr create --base main --head ${new_branch} --title "chore: Auto-update from GitHub Actions" --body "Run: ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
-          fi
-
-          gh workflow run rcc -f ref=$(git rev-parse HEAD)
-          gh pr merge --merge --auto
+        current_branch=$(git branch --show-current)
+        new_branch=gha-commit-$(git rev-parse --short HEAD)
+        git checkout -b ${new_branch}
+        git add .
+        git commit -m "chore: Auto-update from GitHub Actions"$'\n'$'\n'"Run: ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
+        # Force-push, used in only one place
+        # Alternative: separate branch names for each usage
+        git push -u origin HEAD -f
+
+        existing_pr=$(gh pr list --state open --base main --head ${new_branch} --json number --jq '.[] | .number')
+        if [ -n "${existing_pr}" ]; then
+          echo "Existing PR: ${existing_pr}"
         else
-          git fetch
-          if [ -n "${GITHUB_HEAD_REF}" ]; then
-            git add .
-            git stash save
-            git switch ${GITHUB_HEAD_REF}
-            git merge origin/${GITHUB_BASE_REF} --no-edit
-            git stash pop
-          fi
-          git add .
-          git commit -m "chore: Auto-update from GitHub Actions"$'\n'$'\n'"Run: ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
-          git push -u origin HEAD
+          gh pr create --base main --head ${new_branch} --title "chore: Auto-update from GitHub Actions" --body "Run: ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
+        fi
+
+        gh workflow run rcc -f ref=$(git rev-parse HEAD)
+        gh pr merge --merge --auto
+      shell: bash
 
-          # Only set output if changed
-          echo sha=$(git rev-parse HEAD) >> $GITHUB_OUTPUT
+    - name: Commit and push on unprotected branch
+      id: commit
+      if: steps.check.outputs.has_changes == 'true' && steps.repo-state.outputs.foreign == 'false' && steps.repo-state.outputs.protected == 'false'
+      env:
+        GITHUB_TOKEN: ${{ inputs.token }}
+      run: |
+        set -x
+        git fetch
+        if [ -n "${GITHUB_HEAD_REF}" ]; then
+          git add .
+          git stash save
+          git switch ${GITHUB_HEAD_REF}
+          git merge origin/${GITHUB_BASE_REF} --no-edit
+          git stash pop
         fi
+        git add .
+        git commit -m "chore: Auto-update from GitHub Actions"$'\n'$'\n'"Run: ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
+        git push -u origin HEAD
+
+        # Only set output if changed
+        echo sha=$(git rev-parse HEAD) >> $GITHUB_OUTPUT
+      shell: bash
+
+    - name: Create patch file for foreign branch
+      if: steps.check.outputs.has_changes == 'true' && steps.repo-state.outputs.foreign == 'true'
+      run: |
+        set -x
+        git diff > changes.patch
+        echo "Patch file created with uncommitted changes"
+        cat changes.patch
+      shell: bash
+
+    - name: Upload patch artifact
+      if: steps.check.outputs.has_changes == 'true' && steps.repo-state.outputs.foreign == 'true'
+      uses: actions/upload-artifact@v5
+      with:
+        name: changes-patch
+        path: changes.patch
+
+    - name: Add patch summary on foreign branch
+      if: steps.check.outputs.has_changes == 'true' && steps.repo-state.outputs.foreign == 'true'
+      run: |
+        cat << 'EOF' >> $GITHUB_STEP_SUMMARY
+        ## Formatting suggestions available
+
+        A patch file with formatting suggestions has been generated. Since this PR is from a forked repository, the changes cannot be pushed automatically.
+
+        You can apply the patch using one of these methods:
+
+        ### Method 1: Apply via gh CLI
+
+        ```bash
+        # Download and apply the patch directly
+        gh run download ${{ github.run_id }} --repo ${{ github.repository }} --name changes-patch && git apply changes.patch && rm changes.patch
+        ```
+
+        ### Method 2: Download from workflow artifacts
+
+        1. Download the `changes-patch` artifact from this workflow run
+        2. Extract and apply it:
+           ```bash
+           git apply changes.patch
+           ```
+
+        ### Method 3: View the patch
+
+        <details>
+        <summary>Click to see the patch contents</summary>
+
+        ```diff
+        EOF
+
+        cat changes.patch >> $GITHUB_STEP_SUMMARY
+
+        cat << 'EOF' >> $GITHUB_STEP_SUMMARY
+        ```
+
+        </details>
+        EOF
+      shell: bash
+
+    - name: Fail on foreign branch
+      if: steps.check.outputs.has_changes == 'true' && steps.repo-state.outputs.foreign == 'true'
+      run: |
+        echo "Exiting with failure due to foreign branch. Please apply the patch suggested in the action or PR comment."
+        exit 1
       shell: bash
diff --git a/.github/workflows/covr/action.yml b/.github/workflows/covr/action.yml
index 76f593a91..a35327f21 100644
--- a/.github/workflows/covr/action.yml
+++ b/.github/workflows/covr/action.yml
@@ -40,7 +40,7 @@ runs:
 
     - name: Upload test results
       if: failure()
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v5
       with:
         name: coverage-test-failures
         path: ${{ runner.temp }}/package
diff --git a/.github/workflows/update-snapshots/action.yml b/.github/workflows/update-snapshots/action.yml
index 6a54cb053..f4a84b505 100644
--- a/.github/workflows/update-snapshots/action.yml
+++ b/.github/workflows/update-snapshots/action.yml
@@ -92,3 +92,8 @@ runs:
       run: |
         false
       shell: bash
+
+    - name: Reset Git changes
+      run: |
+        git reset -- tests/testthat/_snaps
+      shell: bash