feat: initial release + publishing infrastructure#36
Merged
Adds CI, CodeQL, and a release-please workflow that publishes @posthog/warlock to npm via OIDC trusted publishing + provenance. No long-lived NPM_TOKEN. The publish step is gated by a Release GitHub Environment with @PostHog/team-docs-wizard as required reviewers. Slack notifications are intentionally omitted for v1 - GitHub's native env-pending notifications are sufficient given the lower release cadence. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Collaborator
Author
tagging @PostHog/team-security to make sure everything looks good. if there's another way you'd prefer we do this, lmk. I have it set up to match the way we do releases for the wizard + some extra steps from https://posthog.com/handbook/engineering/sdks/releases
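The release flow described in the PR (release-please cutting the version, then a publish job gated by the `Release` environment and authenticating to npm through OIDC trusted publishing rather than a stored `NPM_TOKEN`) looks roughly like the workflow below. This is an added illustration, not the repository's actual `release.yml`; it assumes `googleapis/release-please-action@v4`, `pnpm/action-setup@v4`, `actions/setup-node@v4`, and a job name `publish`, none of which are taken from the page.

```yaml
name: Release

on:
  push:
    branches: [main]

# Only what release-please needs to open/update the release PR and tag the release.
permissions:
  contents: write
  pull-requests: write

jobs:
  release-please:
    runs-on: ubuntu-latest
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
    steps:
      - id: release
        uses: googleapis/release-please-action@v4

  publish:
    needs: release-please
    # Runs only on the push that actually created a GitHub release.
    if: ${{ needs.release-please.outputs.release_created == 'true' }}
    runs-on: ubuntu-latest
    # The human gate: the "Release" environment is configured in repo settings with
    # required reviewers, so this job waits for approval before any step executes.
    environment: Release
    permissions:
      contents: read
      id-token: write   # lets npm mint a short-lived credential from the GitHub OIDC token
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: 10
      - uses: actions/setup-node@v4
        with:
          node-version-file: .nvmrc
          registry-url: https://registry.npmjs.org
      # Trusted publishing needs a recent npm CLI; the npm bundled with Node may be older.
      - run: npm install -g npm@latest
      - run: pnpm install --frozen-lockfile
      - run: pnpm build
      # No NODE_AUTH_TOKEN is set: npm exchanges the workflow's OIDC token for publish
      # rights that are scoped to this repo/workflow and expire after the job.
      # --provenance attaches a signed attestation linking the tarball to this run.
      - run: npm publish --provenance --access public
```

Two things worth checking when adapting this: the npm side must have the package's trusted publisher configured to exactly this repository and workflow filename, or the publish step fails with an auth error; and the `environment:` key has no effect unless the environment also exists in the repository settings with reviewers attached, otherwise the job runs unattended. Pinning the third-party actions to commit SHAs instead of tags is the same hardening the CodeQL follow-up in this thread mentions.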
CI was failing at `pnpm store path` (called by setup-node's pnpm cache setup) with "packages field missing or empty". Two fixes, belt-and-suspenders:

- Bump CI workflow pnpm from 9 to 10 to match the version used locally and in release.yml. pnpm 10 is lenient about pnpm-workspace.yaml.
- Add an explicit `packages: ['.']` to pnpm-workspace.yaml so the file is valid for any future pnpm 9 or stricter tooling that reads it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
GitHub's default CodeQL setup is already enabled on this repo and conflicts with an advanced workflow file. Leaning on the default for v1 to unblock the first publish; we can switch to advanced (with SHA-pinned actions and security-and-quality queries) as a follow-up. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
feliperalmeida
left a comment
Can we set a 7 days cool down time for dependencies to avoid supply chain attacks via malicious packages?
https://pnpm.io/settings#minimumreleaseage
Addresses semgrep findings (3 blocking) and Felipe's PR feedback, both pointing at the same hardening called out in the Shai-Hulud post-mortem: refuse to install dependency versions published less than 7 days ago, so we're not the first to get burned by a malicious release.

- pnpm-workspace.yaml: minimumReleaseAge: 10080 (minutes = 7 days)
- .github/dependabot.yml: cooldown.default-days: 7 on both package-ecosystem entries (npm + github-actions)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Collaborator
Author
added! 🙏
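Putting the two config changes from this thread side by side (the `packages` field added in the pnpm 10 fix, and the 7-day cooldown added in response to the review) gives the files below. They are an added illustration rather than a copy of the repository's files; the `directory`, `schedule`, and the `---` separator between the two files are my assumptions, while `minimumReleaseAge: 10080` and `cooldown.default-days: 7` are the values stated in the PR.

```yaml
# pnpm-workspace.yaml
# Explicit workspace root: pnpm 9 refuses a workspace file without a packages field.
packages:
  - '.'
# Refuse to resolve any dependency version published less than 7 days ago.
# Value is in minutes: 7 * 24 * 60 = 10080. A malicious release that is pulled
# from the registry within a week never reaches this project's lockfile.
minimumReleaseAge: 10080
---
# .github/dependabot.yml
# Dependabot applies its own cooldown so it does not open a bump PR for a
# version that pnpm would then refuse to install.
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
    cooldown:
      default-days: 7
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    cooldown:
      default-days: 7
```

The two settings have to agree: a cooldown only in Dependabot leaves `pnpm install` free to pull a day-old version when someone bumps a range by hand, and a cooldown only in pnpm makes Dependabot open PRs whose lockfile update fails. The trade-off is that a legitimate security patch is also delayed by a week; pnpm documents a `minimumReleaseAgeExclude` list for packages where that delay is unacceptable, which is the escape hatch to reach for rather than lowering the global value.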
feliperalmeida
approved these changes
Jun 8, 2026
edwinyjlim
approved these changes
Jun 8, 2026
edwinyjlim
left a comment
Member
WIZARD, MEET YOUR FUCKING MAKER
- Warlock
gewenyu99
approved these changes
Jun 8, 2026
Reverts the exact pin so consumers of @posthog/warlock can pick up yara-x patch fixes (including future security patches) without needing a manual override. Reproducibility for our own installs is already handled by the lockfile, and minimumReleaseAge gates new versions for 7 days. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
we're ready to publish the warlock to npm. this PR gets the repo ready for that

details

- adds CI + CodeQL + a release-please-based release workflow
- the actual publish is gated by a `Release` GitHub Environment (required reviewers: @PostHog/team-docs-wizard) and goes out via npm OIDC trusted publishing with provenance

Changes

- `.github/workflows/ci.yml`: test + build on PR
- `.github/workflows/codeql.yml`: CodeQL weekly + on PR
- `.github/workflows/release.yml`: release-please + OIDC publish gated by `Release` env
- `.github/dependabot.yml`: weekly npm + GitHub Actions updates
- `.github/CODEOWNERS`: Docs & Wizard team
- `release-please-config.json` + `.release-please-manifest.json`: bootstrap config
- `.nvmrc`: Node 22
- `package.json`: version → 0.1.0, removed `private`, added `repository`, pinned `@virustotal/yara-x` to exact
- `README.md`: new "Releasing" section explaining the flow

Setup work post-merge

- `Release` GitHub Environment with `@PostHog/team-docs-wizard` as required reviewer (prevent self-review on, admin bypass off, deployment branches restricted to `main`) ✅
- `npx setup-npm-trusted-publish @posthog/warlock` (note: capital PostHog) coming soon

Test plan

- `pnpm test` passes (516/516)
- `pnpm build` clean