chore(ci): make foss/private sync atomic and faster #60583
Merged
Conversation
Replace PostHog/git-sync (which full-clones the entire history into a fresh container every run) with a blob:none partial-clone checkout plus a direct push. The full commit graph keeps pushes connected while historical blobs are fetched lazily, so runs no longer re-download the whole repo. foss-sync now builds the signed FOSS commit on a staging branch via the GitHub API and then atomically repoints master, so posthog-foss/master is never momentarily left as raw posthog (ee/ present, non-MIT LICENSE) between the sync and the cleanup commit. private-sync stays a 1:1 mirror, just via a direct push of master and tags.
Contributor
Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.
---
### Issue 1 of 1
.github/workflows/foss-sync.yml:43-49
**Staging branch persists with non-FOSS content on workflow failure**
`foss-sync-staging` is pushed to the public `posthog/posthog-foss` repo at the raw posthog HEAD (including `ee/` and the non-MIT LICENSE) before any FOSS transformations are applied. If the workflow fails anywhere between this push and the final "Promote staging to master and clean up" step, that branch is left behind indefinitely with non-FOSS code visible to anyone. The only cleanup currently runs as the last command in a script that exits early on any error.
Adding a cleanup step with `if: always()` would delete `foss-sync-staging` regardless of whether the run succeeds or fails.
Reviews (1): Last reviewed commit: "chore(ci): make foss/private sync gap-fr..." | Re-trigger Greptile |
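The cleanup the review comment asks for, sketched in shell against local git repositories. This is an added example, not code from this PR or from PostHog's workflow: the function name `sync_foss`, the licence text and the optional `fail` argument are assumptions made for the demonstration, and the commit is built with plain git rather than signed through the GitHub API.

```sh
#!/bin/sh
# Added example, not the PR's workflow. Repository paths, the licence text and
# the optional "fail" argument are constructed for the demonstration.
STAGING=refs/heads/foss-sync-staging

# sync_foss SRC PUBLIC [fail]   (SRC and PUBLIC must be absolute paths)
# Publish SRC's HEAD to PUBLIC's master with ee/ removed and LICENSE replaced.
# Runs in a subshell so the EXIT trap and cd stay local to one sync.
sync_foss() (
  src=$1 pub=$2
  work=$(mktemp -d) || exit
  # Shell counterpart of a workflow step with `if: always()`: remove the
  # staging ref and the scratch clone on every exit path.
  trap 'git -C "$work" push -q "$pub" ":$STAGING" 2>/dev/null || true
        rm -rf "$work"' EXIT
  git clone -q "$src" "$work" && cd "$work" || exit
  # Raw HEAD lands on the staging branch first, as in the reviewed workflow.
  git push -q -f "$pub" "HEAD:$STAGING" || exit
  # Simulated failure between staging and promotion.
  [ "${3:-}" != fail ] || exit 1
  # FOSS transformation.
  git rm -q -r ee || exit
  echo "MIT (placeholder)" > LICENSE
  git add LICENSE || exit
  git -c user.name=sync -c user.email=sync@example.invalid \
      commit -q -m "FOSS cleanup" || exit
  git push -q -f "$pub" "HEAD:$STAGING" || exit
  # Promotion: one atomic push repoints master and deletes staging together,
  # so master never points at a tree that still contains ee/.
  git push -q --atomic -f "$pub" "HEAD:refs/heads/master" ":$STAGING"
)
```

Calling `sync_foss` with a third argument of `fail` aborts after the raw push; the trap still deletes the staging ref and master is left untouched.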
webjunkie
approved these changes
May 29, 2026
2 tasks
The current `PostHog/git-sync` action has two issues: `ee/` directory and our proprietary license are copied over first and then the removal/license change happens at some later point. The workflow could fail between the two steps, leaving posthog-foss with a non-MIT license.
This PR replaces `PostHog/git-sync` with a `blob:none` partial-clone checkout plus a direct push. The full commit graph keeps pushes connected while historical blobs are fetched lazily, so runs no longer re-download the whole repo.
foss-sync also now builds the signed FOSS commit on a staging branch via the GitHub API and then atomically repoints master, so `posthog-foss/master` is never momentarily left as raw posthog (with `ee/` present).