From feb4482213f521610e943dfbe57b570aae60f95a Mon Sep 17 00:00:00 2001
From: Charles Vien <charles.v@posthog.com>
Date: Sat, 17 Jan 2026 00:43:50 -0800
Subject: [PATCH 1/2] Fix CI/CD pipeline trying to double release on commits to
 main

---
 .github/workflows/agent-release.yml |  2 -
 .github/workflows/array-release.yml | 59 ++---------------------
 .github/workflows/tag.yml           | 74 +++++++++++++++++++++++++++++
 3 files changed, 78 insertions(+), 57 deletions(-)
 create mode 100644 .github/workflows/tag.yml

diff --git a/.github/workflows/agent-release.yml b/.github/workflows/agent-release.yml
index e298a05c2..8540ab992 100644
--- a/.github/workflows/agent-release.yml
+++ b/.github/workflows/agent-release.yml
@@ -4,8 +4,6 @@ on:
   push:
     branches:
       - main
-    tags:
-      - "v*"
   workflow_dispatch:
 
 concurrency:
diff --git a/.github/workflows/array-release.yml b/.github/workflows/array-release.yml
index ac6f2f549..b850722a5 100644
--- a/.github/workflows/array-release.yml
+++ b/.github/workflows/array-release.yml
@@ -2,16 +2,6 @@ name: Release Array
 
 on:
   push:
-    branches:
-      - main
-    paths:
-      - "apps/array/**"
-      - "packages/agent/**"
-      - "packages/electron-trpc/**"
-      - "pnpm-lock.yaml"
-      - "package.json"
-      - "turbo.json"
-      - ".github/workflows/array-release.yml"
     tags:
       - "v*"
 
@@ -57,48 +47,17 @@ jobs:
           node-version: 22
           cache: "pnpm"
 
-      - name: Compute version from git tags
+      - name: Extract version from tag
         id: version
         run: |
-          # Find the latest minor version tag (vX.Y format - exactly 2 parts)
-          # These are manually created to mark new minor releases
-          # Release tags (vX.Y.Z) are ignored for base version calculation
-          LATEST_TAG=$(git tag --list 'v[0-9]*.[0-9]*' --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+$' | head -1)
-
-          # Fall back to vX.Y.0 format if no vX.Y tags exist (backward compat)
-          if [ -z "$LATEST_TAG" ]; then
-            LATEST_TAG=$(git tag --list 'v[0-9]*.[0-9]*.0' --sort=-v:refname | head -1)
-          fi
-
-          if [ -z "$LATEST_TAG" ]; then
-            echo "No version tag found. Create one with: git tag v0.15 && git push origin v0.15"
-            exit 1
-          fi
-
-          # Extract major.minor from tag
-          VERSION_PART=${LATEST_TAG#v}
-          MAJOR=$(echo "$VERSION_PART" | cut -d. -f1)
-          MINOR=$(echo "$VERSION_PART" | cut -d. -f2)
-
-          # Count commits since the base tag
-          PATCH=$(git rev-list "$LATEST_TAG"..HEAD --count)
-
-          if [ "$PATCH" -eq 0 ]; then
-            echo "No commits since $LATEST_TAG. Nothing to release."
-            exit 1
-          fi
-
-          NEW_VERSION="${MAJOR}.${MINOR}.${PATCH}"
-          echo "Version: $NEW_VERSION (from base tag $LATEST_TAG + $PATCH commits)"
-
-          echo "version=$NEW_VERSION" >> "$GITHUB_OUTPUT"
-          echo "base_tag=$LATEST_TAG" >> "$GITHUB_OUTPUT"
+          TAG_VERSION="${GITHUB_REF#refs/tags/v}"
+          echo "Version: $TAG_VERSION"
+          echo "version=$TAG_VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Set version in package.json
         env:
           APP_VERSION: ${{ steps.version.outputs.version }}
         run: |
-          # Update package.json for the build (not committed)
           jq --arg v "$APP_VERSION" '.version = $v' apps/array/package.json > tmp.json && mv tmp.json apps/array/package.json
           echo "Set apps/array/package.json version to $APP_VERSION"
 
@@ -132,16 +91,6 @@ jobs:
           security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
           rm "$RUNNER_TEMP/certificate.p12"
 
-      - name: Create tag
-        env:
-          APP_VERSION: ${{ steps.version.outputs.version }}
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-          REPOSITORY: ${{ github.repository }}
-        run: |
-          TAG="v$APP_VERSION"
-          git tag -a "$TAG" -m "Release $TAG"
-          git push "https://x-access-token:${GH_TOKEN}@github.com/$REPOSITORY" "$TAG"
-
       - name: Build native modules
         run: pnpm --filter array run build-native
 
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
new file mode 100644
index 000000000..6b95eb408
--- /dev/null
+++ b/.github/workflows/tag.yml
@@ -0,0 +1,74 @@
+name: Tag Release
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "apps/array/**"
+      - "packages/agent/**"
+      - "packages/electron-trpc/**"
+      - "pnpm-lock.yaml"
+      - "package.json"
+      - "turbo.json"
+      - ".github/workflows/tag.yml"
+      - ".github/workflows/array-release.yml"
+
+concurrency:
+  group: tag
+  cancel-in-progress: false
+
+jobs:
+  tag:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get app token
+        id: app-token
+        uses: getsentry/action-github-app-token@d4b5da6c5e37703f8c3b3e43abb5705b46e159cc # v3
+        with:
+          app_id: ${{ secrets.GH_APP_ARRAY_RELEASER_APP_ID }}
+          private_key: ${{ secrets.GH_APP_ARRAY_RELEASER_PRIVATE_KEY }}
+
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Compute version and create tag
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          REPOSITORY: ${{ github.repository }}
+        run: |
+          # Find the latest minor version tag (vX.Y format - exactly 2 parts)
+          LATEST_TAG=$(git tag --list 'v[0-9]*.[0-9]*' --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+$' | head -1)
+
+          # Fall back to vX.Y.0 format if no vX.Y tags exist (backward compat)
+          if [ -z "$LATEST_TAG" ]; then
+            LATEST_TAG=$(git tag --list 'v[0-9]*.[0-9]*.0' --sort=-v:refname | head -1)
+          fi
+
+          if [ -z "$LATEST_TAG" ]; then
+            echo "No version tag found. Create one with: git tag v0.15 && git push origin v0.15"
+            exit 1
+          fi
+
+          # Extract major.minor from tag
+          VERSION_PART=${LATEST_TAG#v}
+          MAJOR=$(echo "$VERSION_PART" | cut -d. -f1)
+          MINOR=$(echo "$VERSION_PART" | cut -d. -f2)
+
+          # Count commits since the base tag
+          PATCH=$(git rev-list "$LATEST_TAG"..HEAD --count)
+
+          if [ "$PATCH" -eq 0 ]; then
+            echo "No commits since $LATEST_TAG. Nothing to release."
+            exit 0
+          fi
+
+          NEW_VERSION="${MAJOR}.${MINOR}.${PATCH}"
+          TAG="v$NEW_VERSION"
+          echo "Creating tag: $TAG (from base tag $LATEST_TAG + $PATCH commits)"
+
+          git tag -a "$TAG" -m "Release $TAG"
+          git push "https://x-access-token:${GH_TOKEN}@github.com/$REPOSITORY" "$TAG"

From f582a4197d626e6ae7192a5dee0bc175bc09d6fc Mon Sep 17 00:00:00 2001
From: Charles Vien <charles.v@posthog.com>
Date: Sat, 17 Jan 2026 14:48:00 -0800
Subject: [PATCH 2/2] Update tag.yml

---
 .github/workflows/tag.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
index 6b95eb408..f16cd6e40 100644
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@@ -20,6 +20,8 @@ concurrency:
 
 jobs:
   tag:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - name: Get app token