From 18a294357543a4c741219bec0a5f019fb4467154 Mon Sep 17 00:00:00 2001 From: Thomas Piccirello Date: Mon, 9 Mar 2026 13:06:55 -0700 Subject: [PATCH 1/5] Update release.yml to support commit signing The `planetscale/ghcommit-action` action uses ghcommit which uses the GitHub API, which supports commit signing by default. This removes the need to configure a GPG key in our Action. --- .github/workflows/release.yml | 45 ++++++++++++++--------------------- 1 file changed, 18 insertions(+), 27 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 552763b7..9fae0322 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -126,11 +126,6 @@ jobs: - name: Install dependencies run: uv sync --extra dev - - name: Configure Git - run: | - git config user.name "github-actions[bot]" - git config user.email "github-actions[bot]@users.noreply.github.com" - - name: Prepare release with Sampo id: sampo-release env: 
@@ -146,61 +141,57 @@ jobs: - name: Commit release changes id: commit-release + uses: planetscale/ghcommit-action@25309d8005ac7c3bcd61d3fe19b69e0fe47dbdde # v0.2.20 + with: + commit_message: "chore: Release v${{ steps.sampo-release.outputs.new_version }}" + repo: ${{ github.repository }} + branch: master env: GITHUB_TOKEN: ${{ steps.releaser.outputs.token }} - run: | - git add -A - if git diff --staged --quiet; then - echo "No changes to commit" - echo "committed=false" >> "$GITHUB_OUTPUT" - else - git commit -m "chore: Release v${{ steps.sampo-release.outputs.new_version }}" - git push origin master - echo "committed=true" >> "$GITHUB_OUTPUT" - fi # Publishing is done manually (not via `sampo publish`) because we need to # publish both `posthog` and `posthoganalytics` packages to PyPI. # Sampo only knows about the `posthog` package, so we handle both here. # Both packages use PyPI OIDC trusted publishing (no API tokens needed). - name: Build posthog - if: steps.commit-release.outputs.committed == 'true' + if: steps.commit-release.outputs.commit-hash != '' run: uv run make build_release - name: Publish posthog to PyPI - if: steps.commit-release.outputs.committed == 'true' + if: steps.commit-release.outputs.commit-hash != '' uses: pypa/gh-action-pypi-publish@release/v1 # The `posthoganalytics` package is a mirror of `posthog` published under # a different name for backwards compatibility. The make target handles # copying, renaming imports, and building the dist automatically. 
- name: Build posthoganalytics - if: steps.commit-release.outputs.committed == 'true' + if: steps.commit-release.outputs.commit-hash != '' run: uv run make build_release_analytics - name: Publish posthoganalytics to PyPI - if: steps.commit-release.outputs.committed == 'true' + if: steps.commit-release.outputs.commit-hash != '' uses: pypa/gh-action-pypi-publish@release/v1 # We skip `sampo publish` (which normally creates the tag) because we # need to publish both posthog and posthoganalytics manually, so we # create the tag ourselves. - name: Tag release - if: steps.commit-release.outputs.committed == 'true' - run: git tag "v${{ steps.sampo-release.outputs.new_version }}" - - - name: Push tags - if: steps.commit-release.outputs.committed == 'true' - run: git push origin --tags + if: steps.commit-release.outputs.commit-hash != '' + env: + GH_TOKEN: ${{ steps.releaser.outputs.token }} + run: | + gh api "repos/${{ github.repository }}/git/refs" \ + -f "ref=refs/tags/v${{ steps.sampo-release.outputs.new_version }}" \ + -f "sha=${{ steps.commit-release.outputs.commit-hash }}" - name: Create GitHub Release - if: steps.commit-release.outputs.committed == 'true' + if: steps.commit-release.outputs.commit-hash != '' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: gh release create "v${{ steps.sampo-release.outputs.new_version }}" --generate-notes - name: Dispatch generate-references - if: steps.commit-release.outputs.committed == 'true' + if: steps.commit-release.outputs.commit-hash != '' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: gh workflow run generate-references.yml --ref master From 0178c502858bf319dcd18b78ec5aec0bc7a656e0 Mon Sep 17 00:00:00 2001 From: Tom Piccirello <8296030+Piccirello@users.noreply.github.com> Date: Mon, 9 Mar 2026 13:28:18 -0700 Subject: [PATCH 2/5] Pin uv action --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
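Review bot: Nothing in the new flow ties the artifact that gets published to the commit that gets tagged: the release commit is now created server-side by `ghcommit-action` in `commit-release`, while `make build_release` and the two PyPI publish steps still build from the local working tree. If I read ghcommit correctly, it applies the working-tree diff on top of whatever the remote `master` tip is at that moment, so a commit that landed after checkout would be part of the tagged release commit but not of the wheel; the removed `git push origin master` would have failed on that non-fast-forward, and the API path has no such guard. I would add a step right after `commit-release` that fails the job when the new commit's parent is not the checked-out HEAD, before anything is built or published, as below. The enclosing job starts before this hunk.
```yaml
      - name: Verify release commit is built on the checked-out HEAD
        if: steps.commit-release.outputs.commit-hash != ''
        env:
          GH_TOKEN: ${{ steps.releaser.outputs.token }}
          COMMIT_HASH: ${{ steps.commit-release.outputs.commit-hash }}
        run: |
          parent="$(gh api "repos/${GITHUB_REPOSITORY}/commits/${COMMIT_HASH}" --jq '.parents[0].sha')"
          built="$(git rev-parse HEAD)"
          if [ "$parent" != "$built" ]; then
            echo "release commit ${COMMIT_HASH} is based on ${parent}, not on the built tree ${built}" >&2
            exit 1
          fi
      # … unchanged: Build posthog / Publish posthog to PyPI / posthoganalytics steps …
```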
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9fae0322..b7b1b0d8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -101,7 +101,7 @@ jobs: python-version: 3.11.11 - name: Install uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 with: enable-cache: true pyproject-file: "pyproject.toml" From 5745715c3e1880cccab90b505ea11eac94fbddb3 Mon Sep 17 00:00:00 2001 From: Tom Piccirello <8296030+Piccirello@users.noreply.github.com> Date: Mon, 9 Mar 2026 13:36:22 -0700 Subject: [PATCH 3/5] Pin pypa/gh-action-pypi-publish action --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b7b1b0d8..f388729f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -159,7 +159,7 @@ jobs: - name: Publish posthog to PyPI if: steps.commit-release.outputs.commit-hash != '' - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 # The `posthoganalytics` package is a mirror of `posthog` published under # a different name for backwards compatibility. The make target handles @@ -170,7 +170,7 @@ jobs: - name: Publish posthoganalytics to PyPI if: steps.commit-release.outputs.commit-hash != '' - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 # We skip `sampo publish` (which normally creates the tag) because we # need to publish both posthog and posthoganalytics manually, so we From 8d6e98c5036d202d519ad8e59bf8f2bc9c94d04a Mon Sep 17 00:00:00 2001 From: Tom Piccirello <8296030+Piccirello@users.noreply.github.com> Date: Mon, 9 Mar 2026 14:05:55 -0700 Subject: [PATCH 4/5] Add note about commit signing to readme --- README.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/README.md b/README.md index 1671c4cf..2abae481 100644 --- a/README.md +++ b/README.md @@ -22,6 +22,8 @@ Please see the [Python integration docs](https://posthog.com/docs/integrations/p ## Development +This repo requires all commits to be signed. To configure commit signing, see the [PostHog handbook](https://posthog.com/handbook/engineering/security#commit-signing). + ### Testing Locally We recommend using [uv](https://docs.astral.sh/uv/). It's super fast. From 9fa45e8173fab731519177e0cbcb7dbcd7796850 Mon Sep 17 00:00:00 2001 From: Tom Piccirello <8296030+Piccirello@users.noreply.github.com> Date: Mon, 9 Mar 2026 19:45:22 -0700 Subject: [PATCH 5/5] Fix semgrep findings --- .github/workflows/release.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f388729f..2d71a0e5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -136,8 +136,10 @@ jobs: echo "new_version=$new_version" >> "$GITHUB_OUTPUT" - name: Sync version to posthog/version.py + env: + NEW_VERSION: ${{ steps.sampo-release.outputs.new_version }} run: | - echo 'VERSION = "${{ steps.sampo-release.outputs.new_version }}"' > posthog/version.py + echo "VERSION = \"$NEW_VERSION\"" > posthog/version.py - name: Commit release changes id: commit-release 
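Review bot: In `Sync version to posthog/version.py`, `NEW_VERSION` is written straight into Python source, and the value is whatever the `sampo-release` step (outside this hunk) put into `new_version`; moving it into an env var removes the shell interpolation, but a value containing `"` or a newline would still become code in a file that is then built and published to PyPI. A shape check before the write is cheap, assuming the default bash shell on these runners: `[[ "$NEW_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+([.-][0-9A-Za-z.]+)?$ ]] || { echo "unexpected version: $NEW_VERSION" >&2; exit 1; }`. The same value is also spliced into the tag ref and the release name further down, so validating it once where `new_version` is produced would cover all three uses.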
@@ -179,16 +181,19 @@ jobs: if: steps.commit-release.outputs.commit-hash != '' env: GH_TOKEN: ${{ steps.releaser.outputs.token }} + NEW_VERSION: ${{ steps.sampo-release.outputs.new_version }} + COMMIT_HASH: ${{ steps.commit-release.outputs.commit-hash }} run: | gh api "repos/${{ github.repository }}/git/refs" \ - -f "ref=refs/tags/v${{ steps.sampo-release.outputs.new_version }}" \ - -f "sha=${{ steps.commit-release.outputs.commit-hash }}" + -f "ref=refs/tags/v$NEW_VERSION" \ + -f "sha=$COMMIT_HASH" - name: Create GitHub Release if: steps.commit-release.outputs.commit-hash != '' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: gh release create "v${{ steps.sampo-release.outputs.new_version }}" --generate-notes + NEW_VERSION: ${{ steps.sampo-release.outputs.new_version }} + run: gh release create "v$NEW_VERSION" --generate-notes - name: Dispatch generate-references if: steps.commit-release.outputs.commit-hash != ''
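Review bot: The `Tag release` step still interpolates `${{ github.repository }}` into the shell line after this commit moved the other two values into env vars; `github.repository` is not attacker-influenced, but the runner already exports it, so `gh api "repos/${GITHUB_REPOSITORY}/git/refs"` keeps the step uniform with the rest of the fix. Separately, `git/refs` creates a lightweight tag, which carries no signature even though the commit it points at is now API-signed; if verifiable tags are part of the goal, an annotated tag via the `git/tags` endpoint would be needed, and I am not sure GitHub signs those on your behalf. The enclosing job starts before this hunk.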