feat(blog): add automated PostHog tiles update workflow

[nurul3101]

Summary by CodeRabbit

• New Features
  • Added an automated GitHub workflow to keep “Blog PostHog Tiles” up to date from the latest blog content.
  • Blog-related dashboard tiles are now refreshed automatically on relevant content changes.
  • Includes a dry-run option to preview updates without applying them.
• Bug Fixes
  • Improves robustness when scanning blog content by safely skipping incomplete folders.
  • Tile updates won’t run if the required API key is missing, and failures surface clearly if any update doesn’t succeed.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
blog	Ready	Preview, Comment	Jun 25, 2026 8:52am
docs	Ready	Preview, Comment	Jun 25, 2026 8:52am
eclipse	Ready	Preview, Comment	Jun 25, 2026 8:52am
site	Ready	Preview, Comment	Jun 25, 2026 8:52am

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1adba5f9-a627-4bd5-9b40-72f52c600e03

📥 Commits

Reviewing files that changed from the base of the PR and between 3c3495b and eab2b6b.

📒 Files selected for processing (1)

• apps/blog/scripts/update-posthog-blog-tiles.mjs

🚧 Files skipped from review as they are similar to previous changes (1)

• apps/blog/scripts/update-posthog-blog-tiles.mjs

---

Walkthrough

A new workflow runs a Node.js script that scans blog MDX frontmatter, derives post counts and recent slugs, builds three PostHog HogQL queries, and patches the configured insights. The script also supports dry-run mode and exits when the API key is missing.

Changes

Blog PostHog Tiles

Layer / File(s)	Summary
Post discovery and derived inputs apps/blog/scripts/update-posthog-blog-tiles.mjs	The script defines PostHog and content constants, scans blog posts from frontmatter, computes publish-month counts and recent slugs, and formats histogram tuples.
PostHog query builders apps/blog/scripts/update-posthog-blog-tiles.mjs	The script builds the monthly post, library-age, and recent-post HogQL queries from the derived blog data.
Workflow dispatch and insight patching .github/workflows/blog-posthog-tiles.yml, apps/blog/scripts/update-posthog-blog-tiles.mjs	The script PATCHes configured insights with POSTHOG_API_KEY, supports dry-run output, and the workflow runs it on manual dispatch or matching MDX pushes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 37.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: an automated workflow to update PostHog blog tiles.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands.}

[argos-ci]

The latest updates on your projects. Learn more about Argos notifications ↗︎

Build	Status	Details	Updated (UTC)
default (Inspect)	✅ No changes detected	-	Jun 25, 2026, 8:58 AM

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

.github/workflows/blog-posthog-tiles.yml (1)

27-33: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Harden the checkout and pin actions to commit SHAs.

Two things your static analysis is (correctly) nudging on:

1. persist-credentials — actions/checkout leaves the GITHUB_TOKEN in .git/config by default. This job only reads frontmatter and talks to PostHog; it never needs to push back to the repo, so persisting the credential just widens the blast radius if a later step is compromised. Disable it.
2. Hash pinning — @v4 is a moving tag; pinning to a full commit SHA prevents a re-tagged/compromised release from silently flowing into this workflow, which your blanket policy requires.

🔒 Suggested changes

       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@<full-commit-sha> # v4.x.x
+        with:
+          persist-credentials: false

       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@<full-commit-sha> # v4.x.x
         with:
           node-version: "20"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/blog-posthog-tiles.yml around lines 27 - 33, Harden the
workflow by updating the Checkout repository and Setup Node.js steps in the
blog-posthog-tiles job: set actions/checkout to not persist credentials because
this job only reads content and does not need repo write access, and replace the
moving `@v4` references with pinned full commit SHAs for both actions. Use the
existing step names and the actions/checkout and actions/setup-node entries to
locate the changes.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/blog/scripts/update-posthog-blog-tiles.mjs`:
- Around line 156-163: The guard in update-posthog-blog-tiles.mjs currently
treats a missing POSTHOG_API_KEY the same as --dry-run, which can turn a real CI
run into a false success. Split the logic around the main execution path so
--dry-run remains the only case that prints the generated queries and exits
cleanly, and make the normal path fail explicitly when POSTHOG_API_KEY is
absent. Keep the behavior localized near the existing argv/env check and the
query-writing flow so accidental secret misconfiguration is surfaced
immediately.
- Around line 116-119: The recentPostsQuery helper is building a HogQL array
from slugs by interpolating raw values into quoted literals, which can break on
apostrophes and create an injection foot-gun. Update recentPostsQuery to escape
or serialize each slug before joining them into the array expression, keeping
the query construction safe while preserving the existing CAST([] AS
Array(String)) fallback.

---

Nitpick comments:
In @.github/workflows/blog-posthog-tiles.yml:
- Around line 27-33: Harden the workflow by updating the Checkout repository and
Setup Node.js steps in the blog-posthog-tiles job: set actions/checkout to not
persist credentials because this job only reads content and does not need repo
write access, and replace the moving `@v4` references with pinned full commit SHAs
for both actions. Use the existing step names and the actions/checkout and
actions/setup-node entries to locate the changes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f08f95de-75de-4c8e-b308-619699f85178

📥 Commits

Reviewing files that changed from the base of the PR and between 7ad9022 and 3c3495b.

📒 Files selected for processing (2)

• .github/workflows/blog-posthog-tiles.yml
• apps/blog/scripts/update-posthog-blog-tiles.mjs