heroku · colincasey · Jun 4, 2026 · Jun 4, 2026 · Jun 11, 2026 · edmorley
@@ -25,6 +25,12 @@ on:
           Slack Workflow Builder webhook URL for #heroku-languages-ops. A message is posted
           here if a production publish fails.
         required: true
+      honeycomb_api_key:
+        description: >-
+          Honeycomb env API key with the 'create markers' scope. When set, a release
+          marker is posted to the `builds` dataset on a successful production publish.
+          Omit to disable (no-op for callers that don't opt in).
+        required: false
 
 # Full set of permissions the CALLING workflow must grant — a reusable workflow's GITHUB_TOKEN
 # is capped by what the caller provides. Each job below narrows to only what it needs via its
@@ -752,6 +758,38 @@ jobs:
             exit 1
           fi
 
+      - name: Post Honeycomb release marker
+        # No-op when the secret is absent (other teams) or in QA mode. Secrets can't be
+        # referenced in `if:`, so the key is mirrored to env and tested there.
+        if: env.HONEYCOMB_API_KEY != '' && env.MODE == 'production'
+        env:
+          HONEYCOMB_API_KEY: ${{ secrets.honeycomb_api_key }}
+          HONEYCOMB_DATASET: builds          # shared dataset for all classic buildpacks
+          BUILDPACK_ID: ${{ inputs.buildpack_id }}
+          TAG: ${{ steps.tag.outputs.name }}
+        run: |
+          api="https://api.honeycomb.io/1/markers/${HONEYCOMB_DATASET}"
+          url="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/releases/tag/${TAG}"
+          msg="${BUILDPACK_ID} ${TAG}"
+          body=$(jq -n --arg msg "$msg" --arg url "$url" '{message: $msg, type: "deploy", url: $url}')
+          auth=(-H "X-Honeycomb-Team: ${HONEYCOMB_API_KEY}" -H "Content-Type: application/json")
+
+          # Dedup on the release URL: stable identity for this release. A re-run of an idempotent
+          # publish finds the existing marker and skips, rather than stacking a duplicate line on
+          # the board. The marker content is fully derived from the tag, so there's nothing to
+          # update. This warns on failure and never exits non-zero — a Honeycomb outage must not
+          # fail an already-successful publish.
+          existing=$(curl -sS --fail --connect-timeout 10 --retry 3 --retry-all-errors --max-time 30 "${auth[@]}" "${api}" \
+            | jq -r --arg url "$url" 'map(select(.url == $url)) | first | .id // empty') || existing=""
+
+          if [[ -n "$existing" ]]; then
+            echo "Release marker already exists (${existing}) — skipping"
+          else
+            curl -sS --fail --connect-timeout 10 --retry 3 --retry-all-errors --max-time 30 -X POST "${api}" "${auth[@]}" -d "${body}" \
+              >/dev/null && echo "Created release marker for ${TAG}" \
+              || echo "::warning::Failed to create Honeycomb release marker (publish succeeded regardless)"
+          fi
+
   notify-failure:
     name: Notify Release Failure
     needs: [publish]