From eaa555c214b404a9a15db708b7aad704cc56bcf8 Mon Sep 17 00:00:00 2001 From: Thomas Piccirello Date: Tue, 17 Mar 2026 15:17:03 -0700 Subject: [PATCH 1/2] Sign commits during release process --- .github/workflows/php.yml | 4 +-- .github/workflows/release.yml | 54 ++++++++++++----------------------- 2 files changed, 20 insertions(+), 38 deletions(-) diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml index e2e643c..658002d 100644 --- a/.github/workflows/php.yml +++ b/.github/workflows/php.yml @@ -19,7 +19,7 @@ jobs: - uses: actions/checkout@v2 - name: Set up PHP ${{ matrix.php-version }} - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0 with: php-version: ${{ matrix.php-version }} extensions: xdebug @@ -45,7 +45,7 @@ jobs: curl -OL https://squizlabs.github.io/PHP_CodeSniffer/phpcs.phar php phpcs.phar --version - - uses: tinovyatkin/action-php-codesniffer@v1 + - uses: tinovyatkin/action-php-codesniffer@0043b33b3629611c37e8bc7ee8a4e061dc9a7ea2 # v1 with: files: "**.php" # you may customize glob as needed phpcs_path: php phpcs.phar diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 070b07a..042c1c3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -97,11 +97,6 @@ jobs: fetch-depth: 0 token: ${{ steps.releaser.outputs.token }} - - name: Configure Git - run: | - git config user.name "github-actions[bot]" - git config user.email "github-actions[bot]@users.noreply.github.com" - - name: Bump version id: bump-version run: | @@ -125,6 +120,12 @@ jobs: echo "current_version=$current_version" >> $GITHUB_OUTPUT echo "new_version=$new_version" >> $GITHUB_OUTPUT + if ! git diff --quiet lib/PostHog.php composer.json; then + echo "has_changes=true" >> "$GITHUB_OUTPUT" + else + echo "has_changes=false" >> "$GITHUB_OUTPUT" + fi + - name: Update CHANGELOG.md run: | current_version="${{ steps.bump-version.outputs.current_version }}" 
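Review bot: `actions/checkout@v2` on the context line of this same step list is still a floating major tag while the `setup-php` step right below it is now pinned to a full commit SHA, so the job's first and most privileged action remains mutable; v2 is also, as far as I know, no longer maintained upstream. Pin it the same way, e.g. `- uses: actions/checkout@<full-commit-sha> # vX.Y.Z`, with the exact release tag in the trailing comment so the SHA can be audited and bumped. Consider enabling an updater for the github-actions ecosystem (Dependabot/Renovate), since SHA pins otherwise silently go stale.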
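Review bot: Pinning `tinovyatkin/action-php-codesniffer` to a SHA does not pin the linter it runs: the context lines just above still fetch it with `curl -OL https://squizlabs.github.io/PHP_CodeSniffer/phpcs.phar` from a floating URL with no integrity check, and `php phpcs.phar --version` only proves the download is executable. Verify the artifact before handing it to the action, e.g. `echo "<expected-sha256>  phpcs.phar" | sha256sum -c -` immediately after the `curl`, or download a versioned release asset instead of the unversioned phar. The new `# v1` comment on the pin names a floating major tag; record the exact release tag the SHA corresponds to so it can be checked and updated.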
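Review bot: `if ! git diff --quiet lib/PostHog.php composer.json` treats every non-zero exit as "has changes", so a git failure (exit status above 1) is indistinguishable from a real version bump and would let the later commit and release steps proceed. Capture the status and fail on anything other than 0 or 1: `git diff --quiet -- lib/PostHog.php composer.json; rc=$?` / `[ "$rc" -le 1 ] || exit "$rc"` / `echo "has_changes=$([ "$rc" -eq 1 ] && echo true || echo false)" >> "$GITHUB_OUTPUT"`. Note the gate deliberately ignores CHANGELOG.md, which the next step always rewrites, so the changelog alone can no longer trigger a commit; the rest of the Bump version step lies outside the hunk.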
@@ -133,45 +134,26 @@ jobs: echo -e "## $new_version - $release_date\n\n* [Full Changelog](https://github.com/PostHog/posthog-php/compare/${current_version}...${new_version})\n\n$(cat CHANGELOG.md)" > CHANGELOG.md - name: Commit version bump - id: commit-version-bump - run: | - git add lib/PostHog.php composer.json CHANGELOG.md - if git diff --staged --quiet; then - echo "No changes to commit" - echo "committed=false" >> "$GITHUB_OUTPUT" - else - git commit -m "chore: bump version to ${{ steps.bump-version.outputs.new_version }} [version bump]" - git push origin master - echo "committed=true" >> "$GITHUB_OUTPUT" - fi + if: steps.bump-version.outputs.has_changes == 'true' + uses: planetscale/ghcommit-action@25309d8005ac7c3bcd61d3fe19b69e0fe47dbdde # v0.2.20 + with: + commit_message: "chore: bump version to ${{ steps.bump-version.outputs.new_version }} [version bump]" + repo: ${{ github.repository }} + branch: master + file_pattern: "lib/PostHog.php composer.json CHANGELOG.md" env: GITHUB_TOKEN: ${{ steps.releaser.outputs.token }} - - name: Create and push tag - if: steps.commit-version-bump.outputs.committed == 'true' - run: | - git tag -a "${{ steps.bump-version.outputs.new_version }}" -m "${{ steps.bump-version.outputs.new_version }}" - git push origin "${{ steps.bump-version.outputs.new_version }}" - - name: Create GitHub release - if: steps.commit-version-bump.outputs.committed == 'true' + if: steps.bump-version.outputs.has_changes == 'true' env: GH_TOKEN: ${{ steps.releaser.outputs.token }} run: | - # Extract the latest changelog entry LAST_CHANGELOG_ENTRY=$(awk -v defText="see CHANGELOG.md" '/^## /{if (flag) exit; flag=1} flag && /^##$/{exit} flag; END{if (!flag) print defText}' CHANGELOG.md) - gh api \ - --method POST \ - -H "Accept: application/vnd.github+json" \ - -H "X-GitHub-Api-Version: 2022-11-28" \ - /repos/PostHog/posthog-php/releases \ - -f tag_name="${{ steps.bump-version.outputs.new_version }}" \ - -f target_commitish='master' \ - -f name="${{ 
steps.bump-version.outputs.new_version }}" \ - -f body="$LAST_CHANGELOG_ENTRY" \ - -F draft=false \ - -F prerelease=false \ - -F generate_release_notes=false + gh release create "${{ steps.bump-version.outputs.new_version }}" \ + --target master \ + --title "${{ steps.bump-version.outputs.new_version }}" \ + --notes "$LAST_CHANGELOG_ENTRY" # Notify in case of a failure - name: Send failure event to PostHog From a599f0dccb4d267f646b69f7ccfcefcf9462b25d Mon Sep 17 00:00:00 2001 From: Thomas Piccirello Date: Tue, 17 Mar 2026 15:21:02 -0700 Subject: [PATCH 2/2] Fix semgrep findings --- .github/workflows/release.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 042c1c3..00b3e7c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -127,11 +127,12 @@ jobs: fi - name: Update CHANGELOG.md + env: + CURRENT_VERSION: ${{ steps.bump-version.outputs.current_version }} + NEW_VERSION: ${{ steps.bump-version.outputs.new_version }} run: | - current_version="${{ steps.bump-version.outputs.current_version }}" - new_version="${{ steps.bump-version.outputs.new_version }}" release_date=$(date +%Y-%m-%d) - echo -e "## $new_version - $release_date\n\n* [Full Changelog](https://github.com/PostHog/posthog-php/compare/${current_version}...${new_version})\n\n$(cat CHANGELOG.md)" > CHANGELOG.md + echo -e "## $NEW_VERSION - $release_date\n\n* [Full Changelog](https://github.com/PostHog/posthog-php/compare/${CURRENT_VERSION}...${NEW_VERSION})\n\n$(cat CHANGELOG.md)" > CHANGELOG.md - name: Commit version bump if: steps.bump-version.outputs.has_changes == 'true' 
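Review bot: The tag is now created implicitly by `gh release create … --target master`, which resolves `master` at release time rather than the commit the ghcommit-action step just produced, so anything pushed to master in between would be tagged and released as `new_version`. Give the commit step an `id:` and, if the action exposes the created commit SHA as an output (I cannot confirm that from the diff), pass that SHA as `--target`; otherwise at least add a `concurrency:` group to the job so releases are serialized. Be aware that, if the action commits through the API as its name suggests, the runner's working tree never receives that commit, so later steps running git against the checkout see the uncommitted bump (the awk over CHANGELOG.md happens to read the same bytes from disk). The previous annotated tag is replaced by a lightweight tag created through the release API, so the tag itself carries no signature even though the commit now does.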
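Review bot: The rewritten `echo -e …` line still passes the whole existing CHANGELOG.md (and `$NEW_VERSION`) through `echo -e`, which interprets any backslash sequences they contain, and `$(cat …)` drops trailing newlines; moving the expressions into `env` fixes the script-injection finding but not this. Prefer `printf` with the values as arguments: `printf '## %s - %s\n\n* [Full Changelog](https://github.com/PostHog/posthog-php/compare/%s...%s)\n\n%s\n' "$NEW_VERSION" "$release_date" "$CURRENT_VERSION" "$NEW_VERSION" "$(cat CHANGELOG.md)" > CHANGELOG.md`. If `CURRENT_VERSION` can be empty on a first release (the bump logic is outside this hunk), the compare link will be malformed; a `: "${CURRENT_VERSION:?}"` guard at the top of the script makes that fail loudly.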
@@ -148,11 +149,12 @@ jobs: if: steps.bump-version.outputs.has_changes == 'true' env: GH_TOKEN: ${{ steps.releaser.outputs.token }} + NEW_VERSION: ${{ steps.bump-version.outputs.new_version }} run: | LAST_CHANGELOG_ENTRY=$(awk -v defText="see CHANGELOG.md" '/^## /{if (flag) exit; flag=1} flag && /^##$/{exit} flag; END{if (!flag) print defText}' CHANGELOG.md) - gh release create "${{ steps.bump-version.outputs.new_version }}" \ + gh release create "$NEW_VERSION" \ --target master \ - --title "${{ steps.bump-version.outputs.new_version }}" \ + --title "$NEW_VERSION" \ --notes "$LAST_CHANGELOG_ENTRY" # Notify in case of a failure
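Review bot: `gh release create "$NEW_VERSION"` has no guard against an empty `NEW_VERSION`; an empty output from the bump step (outside this hunk) would reach `gh` only after the commit step has already pushed, and fail with an unhelpful error. Add `: "${NEW_VERSION:?new_version output is empty}"` as the first line of the script so the step aborts before any release is attempted. Moving the expression into `env` is the right fix for the injection finding; the `--target master` race is noted on the earlier hunk.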