chore: use shared semantic PR title workflow #630

Merged: dustinbyrne merged 1 commit into main from chore/use-shared-semantic-pr-title-workflow on May 27, 2026

@dustinbyrne
Contributor

💡 Motivation and Context

PostHog/.github now provides a shared reusable workflow for validating PR titles against Conventional Commits. This switches the local SDK workflow to call that shared workflow, pinned to the merged .github workflow SHA, so the semantic PR title policy is centralized while each SDK repo still owns its PR trigger.

This supports the changelog flow because merged PR titles are used to determine changelog entries.

💚 How did you test it?

  • Parsed the updated workflow YAML locally with PyYAML.

📝 Checklist

  • I reviewed the submitted code.
  • I added tests to verify the changes.
  • I updated the docs if needed.
  • No breaking change or entry added to the changelog.

If releasing new changes

  • No changeset/Sampo entry needed for this CI-only change.

@dustinbyrne requested a review from a team as a code owner May 27, 2026 18:47
@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

| Action | Severity | Alert |
| --- | --- | --- |
| Warn | High | CVE: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb |

CVE: GHSA-6mq8-rvhq-8wgg AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb (HIGH)

Affected versions: < 3.13.3

Patched version: 3.13.3

From: uv.lock → pypi/aiohttp@3.12.13

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/aiohttp@3.12.13. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

@greptile-apps
Contributor

greptile-apps Bot commented May 27, 2026

Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
.github/workflows/lint-pr.yml:21
The pinned SHA has no inline comment describing what commit or tag it resolves to. The removed action had `# pin v6.1.1` which made it easy to audit and bump the pin. Adding a similar comment here keeps the same traceability.

```suggestion
    uses: PostHog/.github/.github/workflows/semantic-pr-title.yml@926dd076f0c796f7531177ae5cfcf1cf7cf0aeb3 # main as of 2026-05-27
```

Reviews (1): Last reviewed commit: "chore: use shared semantic PR title work..." | Re-trigger Greptile

- uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # pin v6.1.1
env:
GITHUB_TOKEN: ${{ github.token }}
uses: PostHog/.github/.github/workflows/semantic-pr-title.yml@926dd076f0c796f7531177ae5cfcf1cf7cf0aeb3
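
Review bot: On the added reusable-workflow `uses:` line, nothing visible in this hunk scopes the token the called workflow receives. The removed step took `GITHUB_TOKEN: ${{ github.token }}` through `env`; a reusable workflow instead runs with the calling job's token, and it can only keep or reduce the permissions that job grants. Please confirm the calling job in lint-pr.yml declares an explicit `permissions:` block limited to what the title check needs, rather than relying on the repository default. The full-length commit SHA pin itself is good to keep.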

P2 The pinned SHA has no inline comment describing what commit or tag it resolves to. The removed action had # pin v6.1.1 which made it easy to audit and bump the pin. Adding a similar comment here keeps the same traceability.

Suggested change
uses: PostHog/.github/.github/workflows/semantic-pr-title.yml@926dd076f0c796f7531177ae5cfcf1cf7cf0aeb3
uses: PostHog/.github/.github/workflows/semantic-pr-title.yml@926dd076f0c796f7531177ae5cfcf1cf7cf0aeb3 # main as of 2026-05-27

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
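
The traceability point in the review comment above can be checked mechanically. This is an added example, not code from the PR or from PostHog's tooling: it scans workflow text for `uses:` references and reports refs that are not a full 40-character commit SHA, as well as SHA pins that carry no trailing comment. The function name `audit_uses` and the finding labels are assumptions; the first three sample lines are taken from this page and the fourth is constructed.

```python
import re

# Matches a `uses:` entry, with or without a leading list dash, capturing the
# target, the ref after '@', and any trailing '# comment'.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*(?P<target>[^\s@#]+)(?:@(?P<ref>[^\s#]+))?\s*(?:#\s*(?P<note>.*))?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text):
    """Return (line_no, target, finding) for each external `uses:` reference."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, ref = m.group("target"), m.group("ref")
        note = (m.group("note") or "").strip()
        # Local actions/workflows and container images are not git refs.
        if target.startswith(("./", "docker://")):
            continue
        if ref is None or not FULL_SHA_RE.match(ref):
            finding = "mutable-ref"          # tag or branch: can move after review
        elif not note:
            finding = "sha-without-comment"  # immutable, but hard to audit or bump
        else:
            finding = "ok"
        findings.append((line_no, target, finding))
    return findings


# Lines 1-3 are from this page; line 4 is constructed for illustration.
SAMPLE = """\
- uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # pin v6.1.1
    uses: PostHog/.github/.github/workflows/semantic-pr-title.yml@926dd076f0c796f7531177ae5cfcf1cf7cf0aeb3
    uses: PostHog/.github/.github/workflows/semantic-pr-title.yml@926dd076f0c796f7531177ae5cfcf1cf7cf0aeb3 # main as of 2026-05-27
    uses: example-org/example-action@v1
"""

if __name__ == "__main__":
    for line_no, target, finding in audit_uses(SAMPLE):
        print(f"line {line_no}: {target}: {finding}")
```

The check is line-based on purpose: a YAML parser discards comments, so it cannot see whether a pin is annotated.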

@github-actions
Contributor

posthog-python Compliance Report

Date: 2026-05-27 18:50:35 UTC
Duration: 176125ms

✅ All Tests Passed!

45/45 tests passed


Capture Tests

29/29 tests passed

Test Status Duration
Format Validation.Event Has Required Fields 517ms
Format Validation.Event Has Uuid 1508ms
Format Validation.Event Has Lib Properties 1507ms
Format Validation.Distinct Id Is String 1507ms
Format Validation.Token Is Present 1507ms
Format Validation.Custom Properties Preserved 1507ms
Format Validation.Event Has Timestamp 1507ms
Retry Behavior.Retries On 503 9516ms
Retry Behavior.Does Not Retry On 400 3509ms
Retry Behavior.Does Not Retry On 401 3508ms
Retry Behavior.Respects Retry After Header 9514ms
Retry Behavior.Implements Backoff 23522ms
Retry Behavior.Retries On 500 7508ms
Retry Behavior.Retries On 502 7513ms
Retry Behavior.Retries On 504 7512ms
Retry Behavior.Max Retries Respected 23522ms
Deduplication.Generates Unique Uuids 1508ms
Deduplication.Preserves Uuid On Retry 7516ms
Deduplication.Preserves Uuid And Timestamp On Retry 14521ms
Deduplication.Preserves Uuid And Timestamp On Batch Retry 7504ms
Deduplication.No Duplicate Events In Batch 1508ms
Deduplication.Different Events Have Different Uuids 1507ms
Compression.Sends Gzip When Enabled 1507ms
Batch Format.Uses Proper Batch Structure 1507ms
Batch Format.Flush With No Events Sends Nothing 1005ms
Batch Format.Multiple Events Batched Together 1505ms
Error Handling.Does Not Retry On 403 3509ms
Error Handling.Does Not Retry On 413 3508ms
Error Handling.Retries On 408 7514ms

Feature_Flags Tests

16/16 tests passed

Test Status Duration
Request Payload.Request With Person Properties Device Id 1004ms
Request Payload.Flags Request Uses V2 Query Param 1006ms
Request Payload.Flags Request Hits Flags Path Not Decide 1007ms
Request Payload.Flags Request Omits Authorization Header 1007ms
Request Payload.Token In Flags Body Matches Init 1007ms
Request Payload.Groups Round Trip 1007ms
Request Payload.Groups Default To Empty Object 1007ms
Request Payload.Person Properties Distinct Id Auto Populated When Caller Omits It 1007ms
Request Payload.Disable Geoip False Propagates As Geoip Disable False 1006ms
Request Payload.Disable Geoip Omitted Defaults To False 1007ms
Request Payload.Flag Keys To Evaluate Contains Only Requested Key 1007ms
Request Lifecycle.No Flags Request On Init Alone 503ms
Request Lifecycle.No Flags Request On Normal Capture 1507ms
Request Lifecycle.Two Flag Calls Produce Two Remote Requests 1012ms
Request Lifecycle.Mock Response Value Is Returned To Caller 1002ms
Side Effect Events.Get Feature Flag Captures Feature Flag Called Event 1510ms

@dustinbyrne merged commit 7dbeddb into main May 27, 2026
28 checks passed
@dustinbyrne deleted the chore/use-shared-semantic-pr-title-workflow branch May 27, 2026 18:55