chore: upgrade PostHog GitHub Action to v1 #531

Merged
marandaneto merged 1 commit into main from chore/upgrade-posthog-github-action-v1
Apr 22, 2026

@marandaneto
Member

💡 Motivation and Context

This repo still referenced PostHog/posthog-github-action@v0.1 in its GitHub workflow(s). This updates that usage to @v1 so the workflow uses the current supported major version.

💚 How did you test it?

  • Verified the workflow reference was updated from PostHog/posthog-github-action@v0.1 to @v1
  • Re-scanned workflow files in the repo to confirm there are no remaining PostHog/posthog-github-action references below @v1

📝 Checklist

  • I reviewed the submitted code.
  • I added tests to verify the changes.
  • I updated the docs if needed.
  • No breaking change or entry added to the changelog.

@marandaneto marandaneto requested a review from a team as a code owner April 22, 2026 10:30
@marandaneto marandaneto marked this pull request as draft April 22, 2026 10:31
@marandaneto marandaneto force-pushed the chore/upgrade-posthog-github-action-v1 branch from 59d20df to 27ecd35 Compare April 22, 2026 10:31
@greptile-apps
Contributor

greptile-apps Bot commented Apr 22, 2026

Comments Outside Diff (1)

  1. .github/workflows/release.yml, line 206-221

    P1 **Missing `actions: read` permission for `capture-run-duration`**

    The `notify-failed` job has no `permissions` block, so it inherits the workflow-level `permissions: contents: read`. The new `capture-run-duration: true` input in `PostHog/posthog-github-action@v1` needs to query the GitHub Actions API to measure the release job's duration — that endpoint requires at minimum `actions: read`. Without it, the token used by the action will be denied, causing this step (and potentially the entire job) to fail precisely when you need it most: during a release failure.

```suggestion
  notify-failed:
    name: Notify release failure
    needs: [check-release-label, notify-approval-needed, release]
    runs-on: ubuntu-latest
    permissions:
      actions: read
    # Keep failure reporting in a separate job so it still runs when `release`
```


Reviews (1): Last reviewed commit: "chore: upgrade PostHog GitHub Action to ..." | Re-trigger Greptile
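
The permission inheritance the review comment above relies on, as an added example that is not part of the PR or of PostHog's code: a job-level `permissions` block replaces the workflow-level one, and unlisted scopes become `none`. The helper names and the two workflow dicts are constructed for illustration, and the need for `actions: read` is taken from the review comment, not verified against the action.

```python
# Added example (not from the PR): resolve the GITHUB_TOKEN scope a job gets.
ACTION = "PostHog/posthog-github-action"  # action named in the review comment


def scope_level(workflow, job, scope):
    """Return 'read', 'write', 'none', or 'default' for one permission scope.

    A job-level `permissions` block replaces the workflow-level block entirely,
    and any scope not listed in the block that applies is set to 'none'.
    """
    perms = job.get("permissions", workflow.get("permissions"))
    if perms is None:
        return "default"  # no block at either level: repository default applies
    if isinstance(perms, str):  # shorthand forms
        return {"read-all": "read", "write-all": "write"}.get(perms, "none")
    return perms.get(scope, "none")


def jobs_missing_actions_read(workflow):
    """List (job, level) pairs where the action runs with capture-run-duration
    enabled but `actions: read` cannot be confirmed from the file."""
    findings = []
    for name, job in workflow.get("jobs", {}).items():
        for step in job.get("steps", []):
            enabled = (step.get("with") or {}).get("capture-run-duration")
            uses_action = step.get("uses", "").split("@")[0] == ACTION
            if uses_action and enabled in (True, "true"):
                level = scope_level(workflow, job, "actions")
                if level not in ("read", "write"):
                    findings.append((name, level))
    return findings


# Constructed workflows, shaped like YAML-loader output; only the job name,
# action name, input and permission values come from the review comment.
def make_workflow(job_permissions=None):
    step = {"uses": ACTION + "@v1", "with": {"capture-run-duration": True}}
    job = {"runs-on": "ubuntu-latest", "steps": [step]}
    if job_permissions is not None:
        job["permissions"] = job_permissions
    return {"permissions": {"contents": "read"}, "jobs": {"notify-failed": job}}


BEFORE = make_workflow()                    # job inherits contents: read only
AFTER = make_workflow({"actions": "read"})  # the suggested job-level block

if __name__ == "__main__":
    print(jobs_missing_actions_read(BEFORE))
    print(jobs_missing_actions_read(AFTER))
```

With the suggested block applied, the job's `contents` scope resolves to `none`, because the workflow-level `contents: read` is no longer inherited.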

@marandaneto marandaneto marked this pull request as ready for review April 22, 2026 10:32
@marandaneto marandaneto enabled auto-merge (squash) April 22, 2026 10:32
@greptile-apps
Contributor

greptile-apps Bot commented Apr 22, 2026

Reviews (2): Last reviewed commit: "chore: upgrade PostHog GitHub Action to ..." | Re-trigger Greptile

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

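| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | autogen-ext@0.7.5 | 97 | 100 | 100 | 100 | 100 |
| Added | boto3@1.42.75 | 99 | 100 | 100 | 100 | 100 |
| Added | boto3@1.42.76 | 99 | 100 | 100 | 100 | 100 |
| Added | autogen-agentchat@0.7.5 | 100 | 100 | 100 | 100 | 100 |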


@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

| Action | Severity | Alert |
|---|---|---|
| Warn | High | CVE: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb |

CVE: GHSA-6mq8-rvhq-8wgg AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb (HIGH)

Affected versions: < 3.13.3

Patched version: 3.13.3

From: ?pypi/aiohttp@3.12.13


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/aiohttp@3.12.13. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


@github-actions
Contributor

github-actions Bot commented Apr 22, 2026

posthog-python Compliance Report

Date: 2026-04-22 10:35:10 UTC
Duration: 160003ms

✅ All Tests Passed!

30/30 tests passed


Capture Tests

29/29 tests passed

Test Status Duration
Format Validation.Event Has Required Fields 518ms
Format Validation.Event Has Uuid 1507ms
Format Validation.Event Has Lib Properties 1507ms
Format Validation.Distinct Id Is String 1508ms
Format Validation.Token Is Present 1507ms
Format Validation.Custom Properties Preserved 1507ms
Format Validation.Event Has Timestamp 1507ms
Retry Behavior.Retries On 503 9514ms
Retry Behavior.Does Not Retry On 400 3510ms
Retry Behavior.Does Not Retry On 401 3508ms
Retry Behavior.Respects Retry After Header 9514ms
Retry Behavior.Implements Backoff 23530ms
Retry Behavior.Retries On 500 7504ms
Retry Behavior.Retries On 502 7508ms
Retry Behavior.Retries On 504 7513ms
Retry Behavior.Max Retries Respected 23530ms
Deduplication.Generates Unique Uuids 1501ms
Deduplication.Preserves Uuid On Retry 7515ms
Deduplication.Preserves Uuid And Timestamp On Retry 14513ms
Deduplication.Preserves Uuid And Timestamp On Batch Retry 7513ms
Deduplication.No Duplicate Events In Batch 1508ms
Deduplication.Different Events Have Different Uuids 1507ms
Compression.Sends Gzip When Enabled 1508ms
Batch Format.Uses Proper Batch Structure 1507ms
Batch Format.Flush With No Events Sends Nothing 1005ms
Batch Format.Multiple Events Batched Together 1506ms
Error Handling.Does Not Retry On 403 3509ms
Error Handling.Does Not Retry On 413 3508ms
Error Handling.Retries On 408 7509ms

Feature_Flags Tests

1/1 tests passed

Test Status Duration
Request Payload.Request With Person Properties Device Id 522ms

@marandaneto marandaneto merged commit 96f2e68 into main Apr 22, 2026
27 checks passed
@marandaneto marandaneto deleted the chore/upgrade-posthog-github-action-v1 branch April 22, 2026 12:26