chore: commit generated references with GitHub App

[marandaneto]

💡 Motivation and Context

The generated references workflow was failing when trying to push directly to main with github-actions[bot], because repository rules require verified commits and PR/ruleset checks.

References are only needed after releases, so this removes the standalone manual generate-references.yml workflow and generates/commits references inline in the already-approved release job. The commit now uses the same GitHub App token and planetscale/ghcommit-action flow used by the release workflow, avoiding a second environment approval.

💚 How did you test it?

• Parsed .github/workflows/release.yml as YAML locally.
• Ran git diff --check.

📝 Checklist

• I reviewed the submitted code.
• I added tests to verify the changes.
• I updated the docs if needed.
• No breaking change or entry added to the changelog.

If releasing new changes

• Ran sampo add to generate a changeset file
• Added the release label to the PR

[socket-security]

No dependency changes detected. Learn more about Socket for GitHub.

👍 No dependency changes detected in pull request

[greptile-apps]

Security Review

• actions/create-github-app-token@v3 in .github/workflows/generate-references.yml uses a mutable tag rather than a pinned SHA. This action produces the token used to commit directly to main; all other actions in both workflow files are SHA-pinned. Risk is low given the trusted actions org, but pinning is recommended for consistency and supply-chain hygiene.

Prompt To Fix All With AI

Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
.github/workflows/generate-references.yml:16
**Unpinned action version**

`actions/create-github-app-token@v3` uses a mutable tag while every other action in both workflow files is pinned to a full commit SHA. This action produces the token used to write directly to `main`, so a tag mutation (however unlikely from the official `actions` org) would affect a highly privileged step. Pin it to a specific SHA for consistency and defence in depth.

(replace `@v3` with the actual SHA for that tag)

_{Reviews (1): Last reviewed commit: "chore: commit generated references with ..." | Re-trigger Greptile}

[github-actions]

posthog-python Compliance Report

Date: 2026-04-30 10:11:53 UTC
Duration: 160014ms

✅ All Tests Passed!

30/30 tests passed

---

Capture Tests

✅ 29/29 tests passed

View Details

Test	Status	Duration
Format Validation.Event Has Required Fields	✅	517ms
Format Validation.Event Has Uuid	✅	1507ms
Format Validation.Event Has Lib Properties	✅	1507ms
Format Validation.Distinct Id Is String	✅	1506ms
Format Validation.Token Is Present	✅	1507ms
Format Validation.Custom Properties Preserved	✅	1506ms
Format Validation.Event Has Timestamp	✅	1507ms
Retry Behavior.Retries On 503	✅	9514ms
Retry Behavior.Does Not Retry On 400	✅	3510ms
Retry Behavior.Does Not Retry On 401	✅	3506ms
Retry Behavior.Respects Retry After Header	✅	9514ms
Retry Behavior.Implements Backoff	✅	23517ms
Retry Behavior.Retries On 500	✅	7512ms
Retry Behavior.Retries On 502	✅	7515ms
Retry Behavior.Retries On 504	✅	7513ms
Retry Behavior.Max Retries Respected	✅	23528ms
Deduplication.Generates Unique Uuids	✅	1496ms
Deduplication.Preserves Uuid On Retry	✅	7511ms
Deduplication.Preserves Uuid And Timestamp On Retry	✅	14524ms
Deduplication.Preserves Uuid And Timestamp On Batch Retry	✅	7508ms
Deduplication.No Duplicate Events In Batch	✅	1503ms
Deduplication.Different Events Have Different Uuids	✅	1507ms
Compression.Sends Gzip When Enabled	✅	1507ms
Batch Format.Uses Proper Batch Structure	✅	1506ms
Batch Format.Flush With No Events Sends Nothing	✅	1005ms
Batch Format.Multiple Events Batched Together	✅	1505ms
Error Handling.Does Not Retry On 403	✅	3509ms
Error Handling.Does Not Retry On 413	✅	3507ms
Error Handling.Retries On 408	✅	7513ms

Feature_Flags Tests

✅ 1/1 tests passed

View Details

Test	Status	Duration
Request Payload.Request With Person Properties Device Id	✅	514ms

[marandaneto]

we need this to live here because of the GH token, otherwise it'd require a 2nd environment approval

[marandaneto]

https://github.com/PostHog/posthog-python/actions/runs/25156855061/job/73740806572

[ioannisj]

Do we need a continue on error for these next steps? Low context from me here but if the package is released and externally visible I think we should not fail. Plus previous impl was just dispatching to another workflow so any failures were isolated there and did not affect this one

[marandaneto]

i dont disagree but this is exactly what happened before
generate references was failing and we didnt notice for quite a while

[ioannisj]

Could this be a warning message on slack?

[marandaneto]

since this is executed after release, github release etc the release will work anyway, and if references failed, we can just fix forward

[marandaneto]

yes, its gonna be a failed release, so the slack thread gets updated, we know that it partly failed, fix forward and thats it

[marandaneto]

we can change if this often fails and its breaking releases
we tried the other way, we had this broken for a few weeks, now we try the other way

[ioannisj]

Approving anw to unblock