PostHog · jonathanlab · Jan 8, 2026
diff --git a/.github/workflows/agent-release.yml b/.github/workflows/agent-release.yml
@@ -56,6 +56,12 @@ jobs:
           cache: "pnpm"
           registry-url: https://registry.npmjs.org
 
+      - name: Install pnpm
+        run: npm install -g pnpm
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 

diff --git a/.github/workflows/array-stack-check.yml b/.github/workflows/array-stack-check.yml
@@ -0,0 +1,134 @@
+# Generated by Array CLI - https://github.com/posthog/array
+# Blocks stacked PRs until their downstack dependencies are merged
+# Only runs for PRs managed by Array (detected via stack comment marker)
+
+name: Stack Check
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, edited]
+  pull_request_target:
+    types: [closed]
+
+permissions:
+  contents: read
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    permissions:
+      pull-requests: read
+      issues: read
+    steps:
+      - name: Check stack dependencies
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const pr = context.payload.pull_request;
+
+            // Check if this is an Array-managed PR by looking for stack comment
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: pr.number
+            });
+
+            const isArrayPR = comments.some(c =>
+              c.body.includes('<!-- array-stack-comment -->')
+            );
+
+            if (!isArrayPR) {
+              console.log('Not an Array PR, skipping');
+              return;
+            }
+
+            const baseBranch = pr.base.ref;
+            const trunk = ['main', 'master', 'develop'];
+
+            if (trunk.includes(baseBranch)) {
+              console.log('Base is trunk, no dependencies');
+              return;
+            }
+
+            async function getBlockers(base, visited = new Set()) {
+              if (trunk.includes(base) || visited.has(base)) {
+                return [];
+              }
+              visited.add(base);
+
+              const { data: prs } = await github.rest.pulls.list({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                state: 'open',
+                head: `${context.repo.owner}:${base}`
+              });
+
+              if (prs.length === 0) {
+                return [];
+              }
+
+              const blocker = prs[0];
+              const upstream = await getBlockers(blocker.base.ref, visited);
+              return [{ number: blocker.number, title: blocker.title }, ...upstream];
+            }
+
+            const blockers = await getBlockers(baseBranch);
+
+            if (blockers.length > 0) {
+              const list = blockers.map(b => `#${b.number} (${b.title})`).join('\n  - ');
+              core.setFailed(`Blocked by:\n  - ${list}\n\nMerge these PRs first (bottom to top).`);
+            } else {
+              console.log('All dependencies merged, ready to merge');
+            }
+
+  recheck-dependents:
+    runs-on: ubuntu-latest
+    if: >-
+      github.event_name == 'pull_request_target' &&
+      github.event.action == 'closed' &&
+      github.event.pull_request.merged == true
+    permissions:
+      pull-requests: write
+      issues: read
+    steps:
+      - name: Trigger recheck of dependent PRs
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const pr = context.payload.pull_request;
+
+            // Check if this is an Array-managed PR
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: pr.number
+            });
+
+            const isArrayPR = comments.some(c =>
+              c.body.includes('<!-- array-stack-comment -->')
+            );
+
+            if (!isArrayPR) {
+              console.log('Not an Array PR, skipping');
+              return;
+            }
+
+            const mergedBranch = pr.head.ref;
+
+            const { data: dependentPRs } = await github.rest.pulls.list({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              base: mergedBranch,
+              state: 'open'
+            });
+
+            for (const dependentPR of dependentPRs) {
+              console.log(`Re-checking PR #${dependentPR.number}`);
+              await github.rest.pulls.update({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: dependentPR.number,
+                base: 'main'
+              });
+            }
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -2,10 +2,9 @@ name: Build
 
 on:
   pull_request:
-
-concurrency:
-  group: build-${{ github.head_ref || github.ref }}
-  cancel-in-progress: true
+  push:
+    branches:
+      - main
 
 jobs:
   build:
@@ -17,24 +16,20 @@ jobs:
         uses: actions/checkout@v6
         with:
           persist-credentials: false
-
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
-
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: 22
-          cache: "pnpm"
-
+          cache: 'pnpm'
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
-
       - name: Build electron-trpc
         run: pnpm --filter @posthog/electron-trpc build
-
       - name: Build agent
         run: pnpm --filter agent build
-
       - name: Build array
         run: pnpm --filter array build
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,150 @@
+name: Publish Release
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "apps/array/**"
+      - "packages/agent/**"
+      - "packages/electron-trpc/**"
+      - "pnpm-lock.yaml"
+      - "package.json"
+      - "turbo.json"
+      - ".github/workflows/release.yml"
+
+concurrency:
+  group: release
+  cancel-in-progress: true
+
+jobs:
+  publish:
+    runs-on: macos-latest
+    env:
+      NODE_ENV: production
+      APPLE_CODESIGN_IDENTITY: ${{ secrets.APPLE_CODESIGN_IDENTITY }}
+      APPLE_ID: ${{ secrets.APPLE_ID }}
+      APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+      APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+      APPLE_CODESIGN_CERT_BASE64: ${{ secrets.APPLE_CODESIGN_CERT_BASE64 }}
+      APPLE_CODESIGN_CERT_PASSWORD: ${{ secrets.APPLE_CODESIGN_CERT_PASSWORD }}
+      APPLE_CODESIGN_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_CODESIGN_KEYCHAIN_PASSWORD }}
+    steps:
+      - name: Get app token
+        id: app-token
+        uses: getsentry/action-github-app-token@d4b5da6c5e37703f8c3b3e43abb5705b46e159cc # v3
+        with:
+          app_id: ${{ secrets.GH_APP_ARRAY_RELEASER_APP_ID }}
+          private_key: ${{ secrets.GH_APP_ARRAY_RELEASER_PRIVATE_KEY }}
+
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: "pnpm"
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+
+      - name: Compute version from git tags
+        id: version
+        run: |
+          # Find the latest minor version tag (vX.Y format - exactly 2 parts)
+          # These are manually created to mark new minor releases
+          # Release tags (vX.Y.Z) are ignored for base version calculation
+          LATEST_TAG=$(git tag --list 'v[0-9]*.[0-9]*' --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+$' | head -1)
+
+          # Fall back to vX.Y.0 format if no vX.Y tags exist (backward compat)
+          if [ -z "$LATEST_TAG" ]; then
+            LATEST_TAG=$(git tag --list 'v[0-9]*.[0-9]*.0' --sort=-v:refname | head -1)
+          fi
+
+          if [ -z "$LATEST_TAG" ]; then
+            echo "No version tag found. Create one with: git tag v0.15 && git push origin v0.15"
+            exit 1
+          fi
+
+          # Extract major.minor from tag
+          VERSION_PART=${LATEST_TAG#v}
+          MAJOR=$(echo "$VERSION_PART" | cut -d. -f1)
+          MINOR=$(echo "$VERSION_PART" | cut -d. -f2)
+
+          # Count commits since the base tag
+          PATCH=$(git rev-list "$LATEST_TAG"..HEAD --count)
+
+          if [ "$PATCH" -eq 0 ]; then
+            echo "No commits since $LATEST_TAG. Nothing to release."
+            exit 1
+          fi
+
+          NEW_VERSION="${MAJOR}.${MINOR}.${PATCH}"
+          echo "Version: $NEW_VERSION (from base tag $LATEST_TAG + $PATCH commits)"
+
+          echo "version=$NEW_VERSION" >> "$GITHUB_OUTPUT"
+          echo "base_tag=$LATEST_TAG" >> "$GITHUB_OUTPUT"
+
+      - name: Set version in package.json
+        env:
+          APP_VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          # Update package.json for the build (not committed)
+          jq --arg v "$APP_VERSION" '.version = $v' apps/array/package.json > tmp.json && mv tmp.json apps/array/package.json
+          echo "Set apps/array/package.json version to $APP_VERSION"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build electron-trpc package
+        run: pnpm --filter @posthog/electron-trpc run build
+
+      - name: Build agent package
+        run: pnpm --filter @posthog/agent run build
+
+      - name: Import code signing certificate
+        if: env.APPLE_CODESIGN_IDENTITY != ''
+        env:
+          CERT_BASE64: ${{ env.APPLE_CODESIGN_CERT_BASE64 }}
+          CERT_PASSWORD: ${{ env.APPLE_CODESIGN_CERT_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ env.APPLE_CODESIGN_KEYCHAIN_PASSWORD }}
+        run: |
+          if [ -z "$CERT_BASE64" ] || [ -z "$CERT_PASSWORD" ] || [ -z "$KEYCHAIN_PASSWORD" ]; then
+            echo "Missing code signing certificate secrets"
+            exit 1
+          fi
+          KEYCHAIN="$RUNNER_TEMP/codesign.keychain-db"
+          echo "$CERT_BASE64" | base64 --decode > "$RUNNER_TEMP/certificate.p12"
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
+          security import "$RUNNER_TEMP/certificate.p12" -k "$KEYCHAIN" -P "$CERT_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
+          security list-keychains -d user -s "$KEYCHAIN" $(security list-keychains -d user | tr -d '"')
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
+          rm "$RUNNER_TEMP/certificate.p12"
+
+      - name: Create tag
+        env:
+          APP_VERSION: ${{ steps.version.outputs.version }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          REPOSITORY: ${{ github.repository }}
+        run: |
+          TAG="v$APP_VERSION"
+          git tag -a "$TAG" -m "Release $TAG"
+          git push "https://x-access-token:${GH_TOKEN}@github.com/$REPOSITORY" "$TAG"
+
+      - name: Build native modules
+        run: pnpm --filter array run build-native
+
+      - name: Publish with Electron Forge
+        env:
+          APP_VERSION: ${{ steps.version.outputs.version }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: pnpm --filter array run publish
diff --git a/.github/workflows/typecheck.yml b/.github/workflows/typecheck.yml
@@ -3,10 +3,6 @@ name: Typecheck
 on:
   pull_request:
 
-concurrency:
-  group: typecheck-${{ github.head_ref || github.ref }}
-  cancel-in-progress: true
-
 jobs:
   typecheck:
     runs-on: ubuntu-latest
@@ -17,18 +13,16 @@ jobs:
         uses: actions/checkout@v6
         with:
           persist-credentials: false
-
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
-
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: 22
           cache: "pnpm"
-
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
-
       - name: Run type check
         run: pnpm run typecheck