From 1e8c54ddffa6961e6f6931e76b84ce53203c5b69 Mon Sep 17 00:00:00 2001
From: Thomas Piccirello
Date: Wed, 10 Dec 2025 10:33:49 -0800
Subject: [PATCH 1/2] Replace PAT with default GITHUB_TOKEN
A PAT isn't needed for either of these Actions.
---
 .github/workflows/generate-references.yml | 3 ++-
 .github/workflows/release.yml | 5 ++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/generate-references.yml b/.github/workflows/generate-references.yml
index 9f41469a..51b2d346 100644
--- a/.github/workflows/generate-references.yml
+++ b/.github/workflows/generate-references.yml
@@ -7,12 +7,13 @@ jobs:
 docs-generation:
 name: Generate references
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - name: Checkout the repository
 uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2
 with:
 fetch-depth: 0
- token: ${{ secrets.POSTHOG_BOT_PAT }}
 - name: Set up Python
 uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 08bc3000..007a6f8d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,12 +15,13 @@ jobs:
 env:
 TWINE_USERNAME: __token__
 TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+ permissions:
+ contents: write
 steps:
 - name: Checkout the repository
 uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2
 with:
 fetch-depth: 0
- token: ${{ secrets.POSTHOG_BOT_PAT }}
 - name: Set up Python
 uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55
@@ -44,8 +45,6 @@ jobs:
 - name: Create GitHub release
 uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1
- env:
- GITHUB_TOKEN: ${{ secrets.POSTHOG_BOT_PAT }}
 with:
 tag_name: v${{ env.REPO_VERSION }}
 release_name: ${{ env.REPO_VERSION }}
From e5abda15dc59e78f21f8e61e86b123e7481e3c24 Mon Sep 17 00:00:00 2001
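Review bot: In generate-references.yml the checkout now authenticates git with the job's GITHUB_TOKEN, and commits pushed with that token do not start new workflow runs and remain subject to branch protection rules that a bot account's PAT may have been exempt from. The step that pushes the generated references is outside this hunk, so confirm that the push is not expected to trigger CI and that the target branch accepts it. A comment above the new block would record why write access is granted, e.g. `# contents: write is required to push the regenerated references`.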
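Review bot: In the first release.yml hunk the `actions/checkout` step keeps its default of persisting credentials, so the write-scoped GITHUB_TOKEN granted by the new `permissions` block is left in the local git configuration where every later step of the job can read it. The release itself is created through the API rather than by a git push, so `persist-credentials: false` under `with:` looks safe here. The rest of the job is outside this hunk, so check first that no other step relies on an authenticated `git push`.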
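Review bot: Removing the `env:` block from the `Create GitHub release` step leaves `actions/create-release` without a token, because v1 of that action reads it from the `GITHUB_TOKEN` environment variable and, as far as I know, has no token input to fall back on. The step is therefore likely to fail authentication on the next release. Keep the block and point it at the built-in token instead: `env:` followed by `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`. The `contents: write` permission added earlier in this file is what that token needs to create the release.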
From: Thomas Piccirello
Date: Wed, 10 Dec 2025 10:34:58 -0800
Subject: [PATCH 2/2] Only expose env vars to step that needs them
---
 .github/workflows/release.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 007a6f8d..15ff9da4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,9 +12,6 @@ jobs:
 release:
 name: Publish release
 runs-on: ubuntu-latest
- env:
- TWINE_USERNAME: __token__
- TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
 permissions:
 contents: write
 steps:
@@ -41,6 +38,9 @@ jobs:
 run: uv sync --extra dev
 - name: Push releases to PyPI
+ env:
+ TWINE_USERNAME: __token__
+ TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
 run: uv run make release && uv run make release_analytics
 - name: Create GitHub release
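Review bot: `TWINE_PASSWORD` is still visible to everything that `uv run make release && uv run make release_analytics` executes, not only to the upload itself, because the new step-level `env:` wraps both make targets. The Makefile is not shown, but if those targets build the distributions as well as upload them, the build runs with the PyPI token in its environment. Consider building in an earlier step without the secret and keeping only the upload command under this `env:` block. A short comment such as `# PyPI credentials: upload step only` would keep the scoping from being widened again later.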