From e871a500aceb10a67abca3946f3bc805216202b6 Mon Sep 17 00:00:00 2001 From: Thomas Piccirello Date: Tue, 17 Mar 2026 14:26:55 -0700 Subject: [PATCH 1/2] Sign commits during release process The tag will be auto-created during the `gh release create` process, and will be automatically signed, so we don't need these manual steps. --- .github/workflows/release.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bfa3bbb..628690d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -120,14 +120,6 @@ jobs: - name: Wait for posthog-rails to be available run: gem exec rubygems-await posthog-rails/posthog-rails-*.gem - # Create and push git tag - - name: Create git tag - run: | - git config user.name "github-actions[bot]" - git config user.email "github-actions[bot]@users.noreply.github.com" - git tag -a "v${{ needs.check-release-label.outputs.version }}" -m "Release v${{ needs.check-release-label.outputs.version }}" - git push origin "v${{ needs.check-release-label.outputs.version }}" - - name: Create GitHub Release env: GH_TOKEN: ${{ github.token }} From df8af3a0d0dfb066a7045f9ff7011e43b27afad0 Mon Sep 17 00:00:00 2001 From: Thomas Piccirello Date: Tue, 17 Mar 2026 14:29:48 -0700 Subject: [PATCH 2/2] Pin actions to hash --- .github/workflows/release.yml | 4 ++-- .github/workflows/unit-tests.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 628690d..56d78b4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -91,13 +91,13 @@ jobs: fetch-depth: 0 - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1.295.0 with: bundler-cache: true ruby-version: ruby - name: Configure trusted publishing credentials - uses: rubygems/configure-rubygems-credentials@v1.0.0 + uses: rubygems/configure-rubygems-credentials@bc6dd217f8a4f919d6835fcfefd470ef821f5c44 # v1.0.0 # Build and publish posthog-ruby first (posthog-rails depends on it) - name: Build posthog-ruby diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml index e5caf90..5b142d7 100644 --- a/.github/workflows/unit-tests.yml +++ b/.github/workflows/unit-tests.yml @@ -18,7 +18,7 @@ jobs: - uses: actions/checkout@v4 - name: Use Ruby ${{ matrix.ruby-version }} - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1.295.0 with: ruby-version: ${{ matrix.ruby-version }} # runs 'bundle install' and caches installed gems automatically
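Review bot: The `Set up Ruby` step in the release.yml hunk keeps `bundler-cache: true`, so the job that goes on to configure trusted-publishing credentials and publish the gems restores a dependency cache written by earlier workflow runs, which the SHA pin on the action does not cover. For the publishing job I would set `bundler-cache: false` and install from the lockfile in a separate step, keeping the cache for the test workflow only. The step that owns `fetch-depth: 0` starts above the hunk, so whether its `uses:` line is pinned cannot be checked from here.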
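Review bot: `actions/checkout@v4`, the first context line of the unit-tests.yml hunk, is still referenced by a mutable tag, so that workflow is only partly pinned after a commit titled "Pin actions to hash". Pin it the same way as the Ruby action, `- uses: actions/checkout@<full-commit-sha> # v4.x.y`, taking the SHA from the action's own release page (the value here is a placeholder). The trailing `# vX.Y.Z` comments are what a reviewer, and likely any update tooling, will read, so they should be verified against the SHA when the pin is bumped. The job's earlier lines are outside the hunk.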