Sign commits during release process (#108)

Piccirello · web-flow · commit bfe2e1678eb0 · 2026-03-18T10:26:52.000-07:00
* Sign commits during release process

* Fix semgrep findings
diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml
@@ -19,7 +19,7 @@ jobs:
       - uses: actions/checkout@v2
 
       - name: Set up PHP ${{ matrix.php-version }}
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
         with:
           php-version: ${{ matrix.php-version }}
           extensions: xdebug
@@ -45,7 +45,7 @@ jobs:
           curl -OL https://squizlabs.github.io/PHP_CodeSniffer/phpcs.phar
           php phpcs.phar --version
 
-      - uses: tinovyatkin/action-php-codesniffer@v1
+      - uses: tinovyatkin/action-php-codesniffer@0043b33b3629611c37e8bc7ee8a4e061dc9a7ea2 # v1
         with:
           files: "**.php" # you may customize glob as needed
           phpcs_path: php phpcs.phar
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -97,11 +97,6 @@ jobs:
           fetch-depth: 0
           token: ${{ steps.releaser.outputs.token }}
 
-      - name: Configure Git
-        run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-
       - name: Bump version
         id: bump-version
         run: |
@@ -125,53 +120,42 @@ jobs:
           echo "current_version=$current_version" >> $GITHUB_OUTPUT
           echo "new_version=$new_version" >> $GITHUB_OUTPUT
 
+          if ! git diff --quiet lib/PostHog.php composer.json; then
+            echo "has_changes=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "has_changes=false" >> "$GITHUB_OUTPUT"
+          fi
+
       - name: Update CHANGELOG.md
+        env:
+          CURRENT_VERSION: ${{ steps.bump-version.outputs.current_version }}
+          NEW_VERSION: ${{ steps.bump-version.outputs.new_version }}
         run: |
-          current_version="${{ steps.bump-version.outputs.current_version }}"
-          new_version="${{ steps.bump-version.outputs.new_version }}"
           release_date=$(date +%Y-%m-%d)
-          echo -e "## $new_version - $release_date\n\n* [Full Changelog](https://github.com/PostHog/posthog-php/compare/${current_version}...${new_version})\n\n$(cat CHANGELOG.md)" > CHANGELOG.md
+          echo -e "## $NEW_VERSION - $release_date\n\n* [Full Changelog](https://github.com/PostHog/posthog-php/compare/${CURRENT_VERSION}...${NEW_VERSION})\n\n$(cat CHANGELOG.md)" > CHANGELOG.md
 
       - name: Commit version bump
-        id: commit-version-bump
-        run: |
-          git add lib/PostHog.php composer.json CHANGELOG.md
-          if git diff --staged --quiet; then
-            echo "No changes to commit"
-            echo "committed=false" >> "$GITHUB_OUTPUT"
-          else
-            git commit -m "chore: bump version to ${{ steps.bump-version.outputs.new_version }} [version bump]"
-            git push origin master
-            echo "committed=true" >> "$GITHUB_OUTPUT"
-          fi
+        if: steps.bump-version.outputs.has_changes == 'true'
+        uses: planetscale/ghcommit-action@25309d8005ac7c3bcd61d3fe19b69e0fe47dbdde # v0.2.20
+        with:
+          commit_message: "chore: bump version to ${{ steps.bump-version.outputs.new_version }} [version bump]"
+          repo: ${{ github.repository }}
+          branch: master
+          file_pattern: "lib/PostHog.php composer.json CHANGELOG.md"
         env:
           GITHUB_TOKEN: ${{ steps.releaser.outputs.token }}
 
-      - name: Create and push tag
-        if: steps.commit-version-bump.outputs.committed == 'true'
-        run: |
-          git tag -a "${{ steps.bump-version.outputs.new_version }}" -m "${{ steps.bump-version.outputs.new_version }}"
-          git push origin "${{ steps.bump-version.outputs.new_version }}"
-
       - name: Create GitHub release
-        if: steps.commit-version-bump.outputs.committed == 'true'
+        if: steps.bump-version.outputs.has_changes == 'true'
         env:
           GH_TOKEN: ${{ steps.releaser.outputs.token }}
+          NEW_VERSION: ${{ steps.bump-version.outputs.new_version }}
         run: |
-          # Extract the latest changelog entry
           LAST_CHANGELOG_ENTRY=$(awk -v defText="see CHANGELOG.md" '/^## /{if (flag) exit; flag=1} flag && /^##$/{exit} flag; END{if (!flag) print defText}' CHANGELOG.md)
-          gh api \
-            --method POST \
-            -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            /repos/PostHog/posthog-php/releases \
-            -f tag_name="${{ steps.bump-version.outputs.new_version }}" \
-            -f target_commitish='master' \
-            -f name="${{ steps.bump-version.outputs.new_version }}" \
-            -f body="$LAST_CHANGELOG_ENTRY" \
-            -F draft=false \
-            -F prerelease=false \
-            -F generate_release_notes=false
+          gh release create "$NEW_VERSION" \
+            --target master \
+            --title "$NEW_VERSION" \
+            --notes "$LAST_CHANGELOG_ENTRY"
 
       # Notify in case of a failure
       - name: Send failure event to PostHog
