[mbreese]

I think we agree more than we don’t and the rest are personal preferences and policy differences. But we largely agree in principle.

I like the idea of having a person whose job is approving releases. Kind of like a QC tag — this release was approved by XX. I saw the issue as PostHog having a credential available to the CI/CD that had the authority to push releases automatically. When a new GitHub action was added, that credential was abused to push a bad update to npm. I might be wrong, I don’t deal with npm that much.

There are many ways to fix this.