ci: Harden release workflow

[marandaneto]

💡 Motivation and Context

Harden the automated release workflow so release preparation and verification run separately from the approved publishing job. This reduces the blast radius of poisoned package/build tooling while preserving signed release commits via planetscale/ghcommit-action.

💚 How did you test it?

• Parsed .github/workflows/release.yml as YAML.
• Ran git diff --check.
• Simulated release candidate generation with a temporary changeset, including pnpm exec changeset version, scripts/bump-version.sh hash validation, patch generation, and patch application/version validation.

📝 Checklist

• I reviewed the submitted code.
• I added tests to verify the changes.
• I updated the docs if needed.
• No breaking change or entry added to the changelog.

If releasing new changes

• Ran pnpm changeset to generate a changeset file

🤖 Agent context

Autonomy: Human-driven (agent-assisted)

This PR was authored with the pi coding agent. The implementation keeps signed release commits, but moves release candidate preparation and release-specific validation into read-only jobs before approval. The approved publishing job is intentionally minimal and no longer runs package-manager installs, tests, repository scripts, or notification actions beyond the required publish primitives. PHPUnit and public API checks remain covered by the existing php.yml workflow rather than being duplicated in the release workflow.

A hash check was added before running scripts/bump-version.sh, release candidates are tied to the triggering commit, pre-existing tags/releases fail before approval, release candidate artifacts are retained for 5 days to allow weekend approvals, the generated patch file allowlist is checked during candidate preparation, recovery steps were documented in RELEASING.md, and a patch changeset was added so the new release workflow can be exercised after merge.

[marandaneto]

we'll also do:
Protect tags/release names in repo rulesets
- Require only the release GitHub App can create semver tags.
- Block tag deletion and force updates.

[greptile-apps]

_{Reviews (1): Last reviewed commit: "ci: extend release candidate artifact re..." | Re-trigger Greptile}

[marandaneto]

@PostHog/team-security this is where i wanna go
not sure if this approach is possible with all SDKs, probably some of them i'd need to upload the final bundle or the zipped source code using actions/upload-artifact and then executing the final publish cmd
but thats the split i want to do with all steps/jobs so poisoned acitons/scripts etc have a lower chance to do anything

[greptile-apps]

_{Reviews (2): Last reviewed commit: "ci: address release workflow review feed..." | Re-trigger Greptile}

[github-actions]

posthog-php Compliance Report

Date: 2026-06-30 06:57:23 UTC
Duration: 95099ms

✅ All Tests Passed!

45/45 tests passed

---

Capture Tests

✅ 29/29 tests passed

View Details

Test	Status	Duration
Format Validation.Event Has Required Fields	✅	12ms
Format Validation.Event Has Uuid	✅	6ms
Format Validation.Event Has Lib Properties	✅	6ms
Format Validation.Distinct Id Is String	✅	5ms
Format Validation.Token Is Present	✅	6ms
Format Validation.Custom Properties Preserved	✅	6ms
Format Validation.Event Has Timestamp	✅	6ms
Retry Behavior.Retries On 503	✅	5315ms
Retry Behavior.Does Not Retry On 400	✅	2009ms
Retry Behavior.Does Not Retry On 401	✅	2010ms
Retry Behavior.Respects Retry After Header	✅	8014ms
Retry Behavior.Implements Backoff	✅	15728ms
Retry Behavior.Retries On 500	✅	5114ms
Retry Behavior.Retries On 502	✅	5114ms
Retry Behavior.Retries On 504	✅	5114ms
Retry Behavior.Max Retries Respected	✅	16530ms
Deduplication.Generates Unique Uuids	✅	11ms
Deduplication.Preserves Uuid On Retry	✅	5113ms
Deduplication.Preserves Uuid And Timestamp On Retry	✅	10322ms
Deduplication.Preserves Uuid And Timestamp On Batch Retry	✅	5117ms
Deduplication.No Duplicate Events In Batch	✅	11ms
Deduplication.Different Events Have Different Uuids	✅	7ms
Compression.Sends Gzip When Enabled	✅	6ms
Batch Format.Uses Proper Batch Structure	✅	5ms
Batch Format.Flush With No Events Sends Nothing	✅	4ms
Batch Format.Multiple Events Batched Together	✅	10ms
Error Handling.Does Not Retry On 403	✅	2008ms
Error Handling.Does Not Retry On 413	✅	2009ms
Error Handling.Retries On 408	✅	5114ms

Feature_Flags Tests

✅ 16/16 tests passed

View Details

Test	Status	Duration
Request Payload.Request With Person Properties Device Id	✅	7ms
Request Payload.Flags Request Uses V2 Query Param	✅	5ms
Request Payload.Flags Request Hits Flags Path Not Decide	✅	4ms
Request Payload.Flags Request Omits Authorization Header	✅	5ms
Request Payload.Token In Flags Body Matches Init	✅	4ms
Request Payload.Groups Round Trip	✅	5ms
Request Payload.Groups Default To Empty Object	✅	5ms
Request Payload.Person Properties Distinct Id Auto Populated When Caller Omits It	✅	4ms
Request Payload.Disable Geoip False Propagates As Geoip Disable False	✅	5ms
Request Payload.Disable Geoip Omitted Defaults To False	✅	4ms
Request Payload.Flag Keys To Evaluate Contains Only Requested Key	✅	5ms
Request Lifecycle.No Flags Request On Init Alone	✅	2ms
Request Lifecycle.No Flags Request On Normal Capture	✅	5ms
Request Lifecycle.Two Flag Calls Produce Two Remote Requests	✅	8ms
Request Lifecycle.Mock Response Value Is Returned To Caller	✅	4ms
Side Effect Events.Get Feature Flag Captures Feature Flag Called Event	✅	7ms

[marandaneto]

we'll also do: Protect tags/release names in repo rulesets - Require only the release GitHub App can create semver tags. - Block tag deletion and force updates.

https://github.com/PostHog/posthog-php/settings/rules/18299376