ci: pass POSTHOG_API_KEY through to release builds #96
Both .goreleaser.yaml and .goreleaser.preview.yaml inject POSTHOG_API_KEY via -X ldflag into src/internal/telemetry.APIKey, but the deploy and preview workflows weren't passing the secret into the GoReleaser action's env block. Result: every released binary had APIKey="" baked in, telemetry was silent dead code for everyone but dev builds (which never had a key anyway), and no opt-in user could fire events even if they tried.
Wires POSTHOG_API_KEY into both workflows' env blocks so the ldflag resolves to the actual secret at release time. The mechanism mirrors the existing GITHUB_TOKEN / HOMEBREW_TOKEN passthrough — same shape, same secret-management story.
Docs.yml already references the secret correctly for the site build, so the secret was always available; only the release workflows were missing the wiring.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
Wires the POSTHOG_API_KEY repository secret into the GoReleaser steps for both the stable (deploy.yml) and preview (preview.yml) release workflows, so the -X ldflag in the goreleaser configs can bake the key into src/internal/telemetry.APIKey for shipped binaries.
Changes:
- Add POSTHOG_API_KEY env passthrough to the GoReleaser step in deploy.yml.
- Add the same passthrough in preview.yml, with explanatory comments in both files.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/deploy.yml | Passes POSTHOG_API_KEY secret into the GoReleaser release step for stable builds. |
| .github/workflows/preview.yml | Passes POSTHOG_API_KEY secret into the GoReleaser release step for preview builds. |
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## main #96 +/- ##
==========================================
- Coverage 90.86% 90.81% -0.05%
==========================================
Files 47 47
Lines 4063 4063
==========================================
- Hits 3692 3690 -2
- Misses 244 245 +1
- Partials 127 128 +1
☔ View full report in Codecov by Sentry.
Auto-review by meeseeks
Updates pushed: none
No action taken: workflow-only PR; no actionable Copilot feedback and patch coverage already ≥ project.
Summary
Caught during the v1.0 release-readiness check: both .goreleaser.yaml and .goreleaser.preview.yaml inject POSTHOG_API_KEY via -X ldflag into src/internal/telemetry.APIKey — but the deploy and preview workflows weren't passing the secret into the GoReleaser action's env: block.
Result before this PR: every released binary had APIKey="" baked in, telemetry was silent dead code for everyone but dev builds (which never had a key anyway), and no opt-in user could fire events even if they tried. Confirmed live by checking the workflow files against the goreleaser configs.
Confirmed secret is set: POSTHOG_API_KEY is configured as a repo-level secret per your check.
Change
Adds POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }} to the GoReleaser step's env: block in both .github/workflows/deploy.yml (stable channel) and .github/workflows/preview.yml (preview channel). Same shape as the existing GITHUB_TOKEN / HOMEBREW_TOKEN passthroughs.
Validation
- envOrDefault "POSTHOG_API_KEY" "", so missing-secret tolerance is preserved (dev / branch builds without the secret still produce a working empty-APIKey binary that no-ops telemetry).
- docs.yml already wires the secret correctly — used as the reference pattern.
Why this matters for v1.0
This needs to land before the v1.0.0 tag. Otherwise the first "real" telemetry-capable binary that ships will silently never send anything — opted-in users contribute zero signal, and the project gets a free "opt-out rate looks 100%" data point that's actually a CI bug.
🤖 Generated with Claude Code
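A CI-side check for the class of bug this PR fixes, as an added example that is not part of the PR or the project's code: it lists every environment variable a GoReleaser config reads (via .Env.NAME or envOrDefault) that the release workflow never sets. The function name MissingEnv, the module path and the step layout in the samples are assumptions, and the match is textual, so it does not confirm the key sits under the GoReleaser step's own env block.

```go
package main

import (
	"fmt"
	"regexp"
)

// Names a GoReleaser template reads from the environment:
// {{ .Env.NAME }} and {{ envOrDefault "NAME" "..." }}.
var envRef = regexp.MustCompile(`\.Env\.([A-Z_][A-Z0-9_]*)|envOrDefault\s+"([A-Z_][A-Z0-9_]*)"`)

// MissingEnv returns, in order of first use, the variables the GoReleaser
// config reads that the workflow text never assigns as a "NAME:" key.
func MissingEnv(goreleaserCfg, workflow string) []string {
	seen := map[string]bool{}
	var missing []string
	for _, m := range envRef.FindAllStringSubmatch(goreleaserCfg, -1) {
		name := m[1] + m[2] // exactly one of the two groups is non-empty
		if seen[name] {
			continue
		}
		seen[name] = true
		if !regexp.MustCompile(`(?m)^\s*` + regexp.QuoteMeta(name) + `\s*:`).MatchString(workflow) {
			missing = append(missing, name)
		}
	}
	return missing
}

// Constructed samples: module path and step layout are placeholders.
const sampleCfg = `builds:
  - ldflags:
      - -X example.com/app/src/internal/telemetry.APIKey={{ envOrDefault "POSTHOG_API_KEY" "" }}
brews:
  - repository: {token: "{{ .Env.HOMEBREW_TOKEN }}"}
`

const workflowBefore = `      - uses: goreleaser/goreleaser-action@v6
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TOKEN: ${{ secrets.HOMEBREW_TOKEN }}
`

const workflowAfter = workflowBefore + "          POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}\n"

func main() {
	fmt.Println("before:", MissingEnv(sampleCfg, workflowBefore))
	fmt.Println("after: ", MissingEnv(sampleCfg, workflowAfter))
}
```

Because envOrDefault falls back to an empty string, the build itself never fails on a missing secret; a check like this has to run against the config and workflow files instead.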