docs(docs): sync post-PR security trackers (#3484) #2212
```yaml
name: PostHog release annotation
# Owner: @Skords-01 (solo maintainer per .github/CODEOWNERS).
# Triage: false-positive runs → close the auto-created issue with a comment; reopen if it recurs > 2x per week.
# Schedule rationale: see docs/90-work/initiatives/archive/_0009-agent-os-hardening.md § Phase 4 (PR 4.3 audit).
# Posts a release annotation to PostHog after every merge into `main`, which is
# the moment Vercel (frontend) and Railway (backend) trigger the production
# deploy. The annotation is drawn as a vertical line over all PostHog
# dashboards (DAU, retention, paywall, error-rate), so that a drop/spike after
# a release is immediately labelled "Release abc1234 …".
#
# If the `POSTHOG_PERSONAL_API_KEY` / `POSTHOG_PROJECT_ID` secrets are not
# set (for example in forks), the script exits with exit 0
# (graceful no-op) and the workflow does not go red.
on:
  push:
    branches: [main]
  workflow_dispatch:
    inputs:
      dry_run:
        description: "Тільки логувати payload, без HTTP-виклику"
        required: false
        default: "false"
        type: choice
        options:
          - "true"
          - "false"
permissions:
  contents: read
concurrency:
  group: posthog-release-annotation-${{ github.ref }}
  cancel-in-progress: false
jobs:
  annotate:
    name: Post release annotation
    runs-on: ubuntu-latest
    # Does not block CI: the workflow is standalone and is not part of the required checks.
    timeout-minutes: 5
    steps:
      # actions/checkout v6.0.2 (SHA-pinned for supply-chain hardening)
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      # actions/setup-node v6.4.0 (SHA-pinned for supply-chain hardening)
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
        with:
          node-version: "22"
      - name: Post release annotation to PostHog
        run: node scripts/ci/posthog-release-annotation.mjs
        env:
          POSTHOG_PERSONAL_API_KEY: ${{ secrets.POSTHOG_PERSONAL_API_KEY }}
          POSTHOG_PROJECT_ID: ${{ secrets.POSTHOG_PROJECT_ID }}
          POSTHOG_HOST: ${{ secrets.POSTHOG_HOST }}
          POSTHOG_DRY_RUN: ${{ github.event.inputs.dry_run == 'true' && '1' || '' }}
```
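The two `uses:` steps above are SHA-pinned rather than tag-pinned so that an upstream tag being re-pointed cannot change what runs in this job. As an added example (not part of this repository or its `scripts/ci/` directory), here is a small Node lint that enforces that convention across a workflow file: every action reference must end in a full 40-hex commit SHA and be preceded by a comment naming the human-readable version. The `some-org/...` action names in the sample are constructed placeholders.

```javascript
// Added example: lint GitHub Actions `uses:` references for full-SHA pinning.
const FULL_SHA = /^[0-9a-f]{40}$/;
// Matches `- uses: owner/repo@ref` (with or without the list dash), stopping
// before any trailing `# comment`.
const USES_LINE = /^\s*-?\s*uses:\s*([^\s#]+)/;

// Returns one finding per offending step; an empty list means all pins are OK.
function checkActionPins(workflowText) {
  const lines = workflowText.split("\n");
  const findings = [];
  lines.forEach((line, i) => {
    const m = USES_LINE.exec(line);
    if (!m) return;
    const ref = m[1];
    // Local (./path) and docker:// references carry no upstream git ref to pin.
    if (ref.startsWith("./") || ref.startsWith("docker://")) return;
    const at = ref.lastIndexOf("@");
    const version = at === -1 ? "" : ref.slice(at + 1);
    if (!FULL_SHA.test(version)) {
      // Tags and branches are mutable: a compromised upstream can move them.
      findings.push({ line: i + 1, ref, problem: "not pinned to a full commit SHA" });
      return;
    }
    // A SHA alone is opaque to reviewers; require the version comment the
    // workflow above uses so the pin stays auditable.
    const prev = (lines[i - 1] || "").trim();
    if (!prev.startsWith("#")) {
      findings.push({ line: i + 1, ref, problem: "SHA pin lacks a version comment" });
    }
  });
  return findings;
}

// Constructed sample: the two pinned steps from the workflow above, plus a
// tag-pinned step and a SHA-pinned step without a version comment.
const SAMPLE = `
steps:
  # actions/checkout v6.0.2 (SHA-pinned for supply-chain hardening)
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
  # actions/setup-node v6.4.0 (SHA-pinned for supply-chain hardening)
  - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
  - uses: some-org/some-action@v3
  - uses: some-org/other-action@0123456789abcdef0123456789abcdef01234567
`;

console.log(checkActionPins(SAMPLE));
```

Running it against a real workflow is a matter of passing `fs.readFileSync(path, "utf8")` to `checkActionPins` and failing the job when the list is non-empty.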