From 898c890ce91352f8084d692a6a10e50658d5bbb3 Mon Sep 17 00:00:00 2001
From: Alex <alex.salerno@me.com>
Date: Thu, 14 May 2026 20:06:01 -0700
Subject: [PATCH] ci: pass POSTHOG_API_KEY through to release builds
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Both .goreleaser.yaml and .goreleaser.preview.yaml inject
POSTHOG_API_KEY via -X ldflag into src/internal/telemetry.APIKey,
but the deploy and preview workflows weren't passing the secret
into the GoReleaser action's env block. Result: every released
binary had APIKey="" baked in, telemetry was silent dead code for
everyone but dev builds (which never had a key anyway), and no
opt-in user could fire events even if they tried.

Wires POSTHOG_API_KEY into both workflows' env blocks so the
ldflag resolves to the actual secret at release time. The
mechanism mirrors the existing GITHUB_TOKEN / HOMEBREW_TOKEN
passthrough — same shape, same secret-management story.

Docs.yml already references the secret correctly for the site
build, so the secret was always available; only the release
workflows were missing the wiring.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/deploy.yml  | 7 ++++++-
 .github/workflows/preview.yml | 6 ++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index be96a41..3cb864a 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -96,4 +96,9 @@ jobs:
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          HOMEBREW_TOKEN: ${{ secrets.HOMEBREW_TOKEN }}
\ No newline at end of file
+          HOMEBREW_TOKEN: ${{ secrets.HOMEBREW_TOKEN }}
+          # Injected via -X ldflag into src/internal/telemetry.APIKey by
+          # .goreleaser.yaml. Without this env wiring the ldflag resolves
+          # to the empty string and shipped binaries silently no-op every
+          # Capture call — telemetry would be dead code for release users.
+          POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
\ No newline at end of file
diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml
index 5b01496..61e3460 100644
--- a/.github/workflows/preview.yml
+++ b/.github/workflows/preview.yml
@@ -79,3 +79,9 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HOMEBREW_TOKEN: ${{ secrets.HOMEBREW_TOKEN }}
+          # Injected via -X ldflag into src/internal/telemetry.APIKey by
+          # .goreleaser.preview.yaml. Without this env wiring the ldflag
+          # resolves to the empty string and preview binaries can't fire
+          # telemetry — keep parity with the stable channel so opted-in
+          # preview users contribute the same signal.
+          POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}