diff --git a/.github/actions/posthog/action.yml b/.github/actions/posthog/action.yml
new file mode 100644
index 0000000..f59c728
--- /dev/null
+++ b/.github/actions/posthog/action.yml
@@ -0,0 +1,98 @@ +name: PostHog Capture +description: Send a workflow analytics event to PostHog + +inputs: + api_key: + description: "PostHog project API key" + required: true + gha_repository: + description: "GitHub repository where the reusable workflow lives, in the format 'owner/repo' (e.g. 'entur/gha-helm')" + required: true + workflow_inputs: + description: "Workflow inputs as a JSON string (e.g. toJSON(inputs))" + required: false + default: "{}" + workflow_name: + description: "Name of the workflow. Used as the event name in PostHog (lint, deploy, etc.)" + required: true + +runs: + using: composite + steps: + - name: Resolve action version + id: workflow_version + env: + GHA_REPOSITORY: ${{ inputs.gha_repository }} + shell: bash + run: | + set -o pipefail + + # Resolve version by finding this reusable workflow's entry in the caller's run. + # (GITHUB_WORKFLOW_REF is the caller's ref, not the reusable workflow's ref) + RUN_DATA=$(curl -sf \ + -H "Authorization: Bearer $GITHUB_TOKEN" \ + -H "Accept: application/vnd.github+json" \ + "https://api.github.com/repos/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" || echo "{}") + + GHA_SHA=$(echo "$RUN_DATA" | jq -r --arg repo "$GHA_REPOSITORY" \ + '(.referenced_workflows // [])[] | select(.path | startswith($repo)) | .sha' | head -1) + GHA_REF=$(echo "$RUN_DATA" | jq -r '(.referenced_workflows // [])[] | select(.path | startswith($GHA_REPOSITORY)) | .ref // ""' | head -1) + + WORKFLOW_VERSION="" + if [ -n "$GHA_REF" ]; then + WORKFLOW_VERSION="${GHA_REF}" + elif [ -n "$GHA_SHA" ]; then + WORKFLOW_VERSION="${GHA_SHA:0:7}" + fi + + echo "Workflow version: $WORKFLOW_VERSION" + echo "workflow_version=${WORKFLOW_VERSION}" >> "$GITHUB_OUTPUT" + - name: Build properties + id: build_properties + shell: bash + env: + GITHUB_TOKEN: ${{ github.token }} + GHA_REPOSITORY: ${{ inputs.gha_repository }} + WORKFLOW_INPUTS: ${{ inputs.workflow_inputs }} + WORKFLOW_NAME: ${{ inputs.workflow_name }} + WORKFLOW_VERSION: ${{ 
steps.workflow_version.outputs.workflow_version }} + run: | + set -o pipefail + + # Strip inputs whose key names suggest sensitive content + SAFE_INPUTS=$(echo "$WORKFLOW_INPUTS" | jq -c ' + with_entries( + select( + (.key | test("token|secret|key|password|credential|auth"; "i")) | not + ) + ) + ') + + properties=$(jq -n \ + --arg event "$GITHUB_EVENT_NAME" \ + --argjson inputs "$SAFE_INPUTS" \ + --arg name "$WORKFLOW_NAME" \ + --arg repo "$GHA_REPOSITORY" \ + --arg run_id "$GITHUB_RUN_ID" \ + --arg version "$WORKFLOW_VERSION" \ + '{ + event_name: $event, + gha_repository: $repo, + run_id: $run_id, + workflow_name: $name, + workflow_version: $version + } + + ($inputs | with_entries(.key = ("input_" + .key)))' + ) + echo "properties=$(echo "$properties" | jq -c .)" >> "$GITHUB_OUTPUT" + - name: Send event to PostHog + uses: PostHog/posthog-github-action@58dea254b598fb5d469c0699c98af8288a7f7650 # v1.2.0 + continue-on-error: true + with: + capture-job-durations: 'true' + capture-run-duration: 'true' + event: ${{ inputs.workflow_name }} + github-token: ${{ github.token }} + posthog-api-host: https://eu.i.posthog.com + posthog-token: ${{ inputs.api_key }} + properties: ${{ steps.build_properties.outputs.properties }} diff --git a/.gitignore b/.gitignore index e62667f..e68c876 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,4 @@ # Intellij IDEA -.idea \ No newline at end of file +.idea +.vscode/settings.json +.DS_Store
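Review bot: In action.yml's "Resolve action version" step, the `GHA_REF` line uses `$GHA_REPOSITORY` inside a single-quoted jq program without an `--arg`, so jq sees an undefined variable and exits non-zero. With `set -o pipefail`, and the `-e` that GitHub normally applies for `shell: bash`, this should fail the step and the caller's job, since only the final PostHog step has `continue-on-error: true`. Mirror the `GHA_SHA` line: `jq -r --arg repo "$GHA_REPOSITORY" '(.referenced_workflows // [])[] | select(.path | startswith($repo)) | .ref // ""'`. The same step sends `Authorization: Bearer $GITHUB_TOKEN`, but its `env:` sets only `GHA_REPOSITORY`; `GITHUB_TOKEN: ${{ github.token }}` sits on the "Build properties" step, which never reads it, so unless the caller exports the token the lookup falls back to `{}` and the version resolves empty, and that env line should move up. Separately, the `SAFE_INPUTS` filter is a key-name denylist, so a secret passed under a name matching none of the patterns (for example `kubeconfig` or `dsn`) is still forwarded to PostHog as an `input_*` property; an explicit allowlist of input names would be the safer default for data sent to a third party.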