fix(browser): prevent silent identity switch during bootstrap and auto-identify anonymous users #960
Workflow file for this run
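# Release workflow.
#
# Flow: check-changesets -> notify-approval-needed -> version-bump (gated by the
# 'NPM Release' environment) -> publish (one matrix leg per package) ->
# notify-released / notify-rejected.
#
# NOTE(review): action pinning is inconsistent in this file.
# actions/create-github-app-token and planetscale/ghcommit-action are pinned to
# full commit SHAs, while actions/checkout@v6, PostHog/.github/...@main,
# PostHog/check-package-version@v2.1.0 and PostHog/posthog-github-action@v0.1
# are referenced by branch or tag. Those refs are mutable, and several of these
# steps receive secrets or run in the job that holds `id-token: write`.
# Pinning them to full commit SHAs would make a release run reproducible.
name: 'Release'

# Default token scope for every job; jobs that need more override it below.
permissions:
  contents: read

# NOTE(review): the trigger is `pull_request`, not `pull_request_target`, so
# runs started by pull requests from forks do not receive repository secrets.
# Confirm that releases for such PRs are expected to go through
# `workflow_dispatch`.
on:
  pull_request:
    types: [closed]
    branches: [main]
  workflow_dispatch:

# Concurrency control: only one release process can run at a time
# This prevents race conditions if multiple PRs with 'release' label merge simultaneously
concurrency:
  group: release
  cancel-in-progress: false

jobs:
  check-changesets:
    name: Check for changesets
    runs-on: ubuntu-latest
    # Run when PR with 'release' label is merged to main, or when manually triggered
    if: |
      github.event_name == 'workflow_dispatch' ||
      (github.event_name == 'pull_request'
        && github.event.pull_request.merged == true
        && contains(github.event.pull_request.labels.*.name, 'release'))
    outputs:
      has-changesets: ${{ steps.check.outputs.has-changesets }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          ref: main
          fetch-depth: 0

      # Sets has-changesets=true only when .changeset/ holds at least one
      # markdown file other than README.md; every later job keys off this output.
      - name: Check for changesets
        id: check
        run: |
          if [ ! -d ".changeset" ] || [ -z "$(ls -A .changeset/*.md 2>/dev/null | grep -v README.md)" ]; then
            echo "❌ No changesets found. Cannot proceed with release."
            echo "Please ensure your PR includes a changeset file."
            echo "has-changesets=false" >> "$GITHUB_OUTPUT"
          else
            echo "✓ Found changesets to process"
            echo "has-changesets=true" >> "$GITHUB_OUTPUT"
          fi

  # Reusable workflow from the organisation's shared repository; it is handed
  # the Slack bot token and the PostHog project API key.
  notify-approval-needed:
    name: Notify Slack - Approval Needed
    needs: check-changesets
    if: needs.check-changesets.outputs.has-changesets == 'true'
    uses: PostHog/.github/.github/workflows/notify-approval-needed.yml@main
    with:
      slack_channel_id: ${{ vars.SLACK_APPROVALS_CLIENT_LIBRARIES_CHANNEL_ID }}
      slack_user_group_id: ${{ vars.GROUP_CLIENT_LIBRARIES_SLACK_GROUP_ID }}
    secrets:
      slack_bot_token: ${{ secrets.SLACK_CLIENT_LIBRARIES_BOT_TOKEN }}
      posthog_project_api_key: ${{ secrets.POSTHOG_PROJECT_API_KEY }}

  version-bump:
    name: Bump versions and commit to main
    needs: [check-changesets, notify-approval-needed]
    runs-on: ubuntu-latest
    # Use `always()` to ensure the job runs even if the notify-approval-needed job fails
    # but still depend on it to be able to use `needs.notify-approval-needed.outputs.slack_ts`
    if: always() && needs.check-changesets.outputs.has-changesets == 'true'
    environment: 'NPM Release' # This will require an approval from a maintainer, they are notified in Slack above
    # The job's own GITHUB_TOKEN stays read-only; the commit to main is made
    # with the GitHub App token minted in the "Get GitHub App token" step.
    permissions:
      contents: read
    outputs:
      commit-hash: ${{ steps.commit-version-bump.outputs.commit-hash }}
    steps:
      - name: Notify Slack - Approved
        continue-on-error: true # Don't block release if Slack notification fails
        uses: PostHog/.github/.github/actions/slack-thread-reply@main
        with:
          slack_bot_token: ${{ secrets.SLACK_CLIENT_LIBRARIES_BOT_TOKEN }}
          slack_channel_id: ${{ vars.SLACK_APPROVALS_CLIENT_LIBRARIES_CHANNEL_ID }}
          thread_ts: ${{ needs.notify-approval-needed.outputs.slack_ts }}
          message: '✅ Release approved! Version bump in progress...'
          emoji_reaction: 'white_check_mark'

      - name: Get GitHub App token
        id: releaser
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
        with:
          app-id: ${{ secrets.GH_APP_POSTHOG_JS_RELEASER_APP_ID }}
          # Secrets available only inside the `NPM Release` environment, requires approval from a maintainer
          private-key: ${{ secrets.GH_APP_POSTHOG_JS_RELEASER_PRIVATE_KEY }}

      # NOTE(review): actions/checkout keeps the supplied token available to
      # later git commands by default, so the App token stays reachable while
      # `pnpm install` and the build below run package scripts. The commit step
      # gets the token through its own `env`, so `persist-credentials: false`
      # may be enough here; confirm that `pnpm bump` needs no git-level auth.
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          ref: main
          fetch-depth: 0
          token: ${{ steps.releaser.outputs.token }}

      - name: Setup environment
        uses: ./.github/actions/setup
        with:
          build: false

      - name: Build @posthog-tooling/changelog
        run: pnpm turbo --filter=@posthog-tooling/changelog build

      - name: Update versions and changelogs
        run: |
          pnpm bump && pnpm generate-references
        env:
          GITHUB_TOKEN: ${{ steps.releaser.outputs.token }}

      - name: Update lockfile
        run: pnpm install

      # The commit hash output by this step is what the publish job checks out.
      - name: Commit version bump and lockfile
        id: commit-version-bump
        uses: planetscale/ghcommit-action@25309d8005ac7c3bcd61d3fe19b69e0fe47dbdde # v0.2.20
        with:
          commit_message: 'chore: update versions and lockfile [version bump]'
          repo: ${{ github.repository }}
          branch: main
        env:
          GITHUB_TOKEN: ${{ steps.releaser.outputs.token }}

      - name: Notify Slack - Failed
        continue-on-error: true
        if: ${{ failure() && needs.notify-approval-needed.outputs.slack_ts != '' }}
        uses: PostHog/.github/.github/actions/slack-thread-reply@main
        with:
          slack_bot_token: ${{ secrets.SLACK_CLIENT_LIBRARIES_BOT_TOKEN }}
          slack_channel_id: ${{ vars.SLACK_APPROVALS_CLIENT_LIBRARIES_CHANNEL_ID }}
          thread_ts: ${{ needs.notify-approval-needed.outputs.slack_ts }}
          message: '❌ Failed to bump versions for `posthog-js`! <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|View logs>'
          emoji_reaction: 'x'

  # Runs after a failed version-bump and reports to Slack only when the run's
  # approvals list contains a rejection.
  notify-rejected:
    name: Notify Slack - Rejected
    needs: [version-bump, notify-approval-needed]
    runs-on: ubuntu-latest
    if: always() && needs.version-bump.result == 'failure' && needs.notify-approval-needed.outputs.slack_ts != ''
    steps:
      - name: Check for rejection
        id: check-rejection
        env:
          GH_TOKEN: ${{ github.token }}
        # Repository and run id come from the runner's default environment
        # variables rather than being expanded into the script text.
        # `head -1` keeps the reviewer's comment to one line, and that line is
        # always prefixed, so it cannot match the `EOF` delimiter of the
        # multi-line output below.
        run: |
          RESPONSE=$(gh api "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID/approvals")
          REJECTED=$(echo "$RESPONSE" | jq '[.[] | select(.state == "rejected")] | length')
          if [ "$REJECTED" -gt 0 ]; then
            echo "was_rejected=true" >> "$GITHUB_OUTPUT"
            COMMENT=$(echo "$RESPONSE" | jq -r '.[] | select(.state == "rejected") | .comment // empty' | head -1)
            if [ -n "$COMMENT" ]; then
              {
                echo 'message<<EOF'
                echo "🚫 Release was rejected: $COMMENT"
                echo 'EOF'
              } >> "$GITHUB_OUTPUT"
            else
              echo "message=🚫 Release was rejected." >> "$GITHUB_OUTPUT"
            fi
          else
            echo "was_rejected=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Notify Slack - Rejected
        if: steps.check-rejection.outputs.was_rejected == 'true'
        continue-on-error: true
        uses: PostHog/.github/.github/actions/slack-thread-reply@main
        with:
          slack_bot_token: ${{ secrets.SLACK_CLIENT_LIBRARIES_BOT_TOKEN }}
          slack_channel_id: ${{ vars.SLACK_APPROVALS_CLIENT_LIBRARIES_CHANNEL_ID }}
          thread_ts: ${{ needs.notify-approval-needed.outputs.slack_ts }}
          message: '${{ steps.check-rejection.outputs.message }}'
          emoji_reaction: 'no_entry_sign'

  publish:
    name: Publish packages
    needs: [version-bump, notify-approval-needed]
    runs-on: ubuntu-latest
    # Use `always()` to ensure the job runs even if the notify-approval-needed job fails
    # but still depend on it to be able to use `needs.notify-approval-needed.outputs.slack_ts`
    # This job declares no `environment`; the maintainer approval that gates it
    # is the one on version-bump, reached through the non-empty commit-hash output.
    if: always() && needs.version-bump.outputs.commit-hash != ''
    # contents: write  - create the tag ref and the GitHub release
    # actions: write   - dispatch the upgrade workflows
    # id-token: write  - request the OIDC token that npm provenance needs
    # NOTE(review): every step in this job, including `pnpm install` and
    # `pnpm build`, runs with access to this token scope and can request the
    # OIDC token. `--frozen-lockfile` restricts the install to the locked
    # dependency set; building in a separate job without `id-token: write`
    # would narrow this further.
    permissions:
      contents: write
      actions: write
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        package:
          - name: posthog-react-native
          - name: posthog-node
          - name: posthog-js-lite
          - name: posthog-js
          - name: '@posthog/core'
          - name: '@posthog/react'
          - name: '@posthog/ai'
          - name: '@posthog/convex'
          - name: '@posthog/nextjs-config'
          - name: '@posthog/nuxt'
          - name: '@posthog/rollup-plugin'
          - name: '@posthog/types'
          - name: '@posthog/webpack-plugin'
    steps:
      # Publishes exactly the commit produced by version-bump, not whatever
      # main points at by the time this leg starts.
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          ref: ${{ needs.version-bump.outputs.commit-hash }}
          fetch-depth: 0

      - name: Setup environment
        uses: ./.github/actions/setup
        with:
          install: false
          build: false

      # The package name is passed through `env`, as the tag, release and
      # dispatch steps below already do, instead of being expanded into the
      # script text.
      - name: Get package path
        id: get-package-path
        env:
          PACKAGE_NAME: ${{ matrix.package.name }}
        run: |
          PACKAGE_PATH=$(pnpm list --filter="$PACKAGE_NAME" --json | jq -r '.[0].path')
          echo "path=$PACKAGE_PATH" >> "$GITHUB_OUTPUT"

      - name: Check ${{ matrix.package.name }} version and detect an update
        id: check-package-version
        uses: PostHog/check-package-version@v2.1.0
        with:
          path: ${{ steps.get-package-path.outputs.path }}

      - name: Install and build dependencies
        if: steps.check-package-version.outputs.is-new-version == 'true'
        run: pnpm install --frozen-lockfile && pnpm build

      # NOTE(review): no npm token is passed to this step, so authentication
      # presumably relies on the job's OIDC identity; confirm against the
      # registry configuration.
      - name: Publish ${{ matrix.package.name }} to NPM
        if: steps.check-package-version.outputs.is-new-version == 'true'
        run: |
          pnpm publish --filter="$PACKAGE_NAME" --access public --no-git-checks
        env:
          PACKAGE_NAME: ${{ matrix.package.name }}
          # Quoted so the value is a string in the YAML itself.
          NPM_CONFIG_PROVENANCE: 'true'

      - name: Tag repository with package_name and package_version
        if: steps.check-package-version.outputs.is-new-version == 'true'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PACKAGE_NAME: ${{ matrix.package.name }}
          COMMITTED_VERSION: ${{ steps.check-package-version.outputs.committed-version }}
        run: |
          gh api "repos/$GITHUB_REPOSITORY/git/refs" \
            -f "ref=refs/tags/$PACKAGE_NAME@$COMMITTED_VERSION" \
            -f "sha=$(git rev-parse HEAD)"

      - name: Create GitHub release
        if: steps.check-package-version.outputs.is-new-version == 'true'
        working-directory: ${{ steps.get-package-path.outputs.path }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PACKAGE_NAME: ${{ matrix.package.name }}
          COMMITTED_VERSION: ${{ steps.check-package-version.outputs.committed-version }}
        run: |
          # read from the first until the second header in the changelog file
          # this assumes the formatting of the file
          # and that this workflow is always running for the most recent entry in the file
          LAST_CHANGELOG_ENTRY=$(awk -v defText="see CHANGELOG.md" '/^## /{if (flag) exit; flag=1} flag && /^##$/{exit} flag; END{if (!flag) print defText}' CHANGELOG.md)
          gh release create "$PACKAGE_NAME@$COMMITTED_VERSION" \
            --target main \
            --title "$PACKAGE_NAME@$COMMITTED_VERSION" \
            --notes "$LAST_CHANGELOG_ENTRY"

      ########################################################
      ############## posthog-js auto-update ##################
      # Both dispatch steps build the JSON body with `jq --arg`, so the package
      # name and version are encoded as JSON strings rather than spliced in.
      - name: Dispatch posthog upgrade for posthog-js
        if: matrix.package.name == 'posthog-js' && steps.check-package-version.outputs.is-new-version == 'true'
        env:
          PACKAGE_NAME: ${{ matrix.package.name }}
          PACKAGE_VERSION: ${{ steps.check-package-version.outputs.committed-version }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          curl -f -sS -X POST \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer $GITHUB_TOKEN" \
            https://api.github.com/repos/posthog/posthog-js/actions/workflows/posthog-upgrade.yml/dispatches \
            -d "$(jq -n \
              --arg ref "main" \
              --arg package_name "$PACKAGE_NAME" \
              --arg package_version "$PACKAGE_VERSION" \
              '{ref: $ref, inputs: {package_name: $package_name, package_version: $package_version}}' \
            )"

      - name: Dispatch posthog.com upgrade for ${{ matrix.package.name }}
        if: matrix.package.name == '@posthog/types' && steps.check-package-version.outputs.is-new-version == 'true'
        env:
          PACKAGE_NAME: ${{ matrix.package.name }}
          PACKAGE_VERSION: ${{ steps.check-package-version.outputs.committed-version }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          curl -f -sS -X POST \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer $GITHUB_TOKEN" \
            https://api.github.com/repos/posthog/posthog-js/actions/workflows/posthog-com-upgrade.yml/dispatches \
            -d "$(jq -n \
              --arg ref "main" \
              --arg package_name "$PACKAGE_NAME" \
              --arg package_version "$PACKAGE_VERSION" \
              '{ref: $ref, inputs: {package_name: $package_name, package_version: $package_version}}' \
            )"

      ####################################################
      # Notify ourselves in case of a failure here
      # https://us.posthog.com/project/11213/functions/019ae9c0-03ee-0000-2f32-971f64be8ffe
      - name: Send failure event to PostHog
        if: ${{ failure() }}
        uses: PostHog/posthog-github-action@v0.1
        with:
          posthog-token: '${{ secrets.POSTHOG_PROJECT_API_KEY }}'
          event: 'posthog-js-github-release-workflow-failure'
          properties: >-
            {
              "commitSha": "${{ github.sha }}",
              "jobStatus": "${{ job.status }}",
              "ref": "${{ github.ref }}",
              "packageName": "${{ matrix.package.name }}",
              "packageVersion": "${{ steps.check-package-version.outputs.committed-version }}"
            }

      - name: Notify Slack - Failed
        continue-on-error: true # Slack failure shouldn't mark release as failed
        if: ${{ failure() && needs.notify-approval-needed.outputs.slack_ts != '' }}
        uses: PostHog/.github/.github/actions/slack-thread-reply@main
        with:
          slack_bot_token: ${{ secrets.SLACK_CLIENT_LIBRARIES_BOT_TOKEN }}
          slack_channel_id: ${{ vars.SLACK_APPROVALS_CLIENT_LIBRARIES_CHANNEL_ID }}
          thread_ts: ${{ needs.notify-approval-needed.outputs.slack_ts }}
          message: '❌ Failed to release `${{ matrix.package.name }}@v${{ steps.check-package-version.outputs.committed-version }}`! <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|View logs>'
          emoji_reaction: 'x'

  # Posts the success message only when every publish matrix leg succeeded and
  # a Slack thread exists to reply to.
  notify-released:
    name: Notify Slack - Released
    needs: [notify-approval-needed, publish]
    runs-on: ubuntu-latest
    if: always() && needs.publish.result == 'success' && needs.notify-approval-needed.outputs.slack_ts != ''
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Notify Slack - Released
        continue-on-error: true # Slack failure shouldn't mark release as failed
        uses: PostHog/.github/.github/actions/slack-thread-reply@main
        with:
          slack_bot_token: ${{ secrets.SLACK_CLIENT_LIBRARIES_BOT_TOKEN }}
          slack_channel_id: ${{ vars.SLACK_APPROVALS_CLIENT_LIBRARIES_CHANNEL_ID }}
          thread_ts: ${{ needs.notify-approval-needed.outputs.slack_ts }}
          message: '🚀 All packages released successfully!'
          emoji_reaction: 'rocket'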