chore: update branch references to main

[marandaneto]

💡 Motivation and Context

This repo was still using master as the default branch. This updates the workflow, release references, and Sampo config that still pointed at master so the repository can use main consistently.

💚 How did you test it?

• Ran git diff --check
• Searched the repo for remaining branch-name references with rg --hidden '\bmaster\b'

📝 Checklist

• I reviewed the submitted code.
• I added tests to verify the changes.
• I updated the docs if needed.
• No breaking change or entry added to the changelog.

If releasing new changes

• Ran sampo add to generate a changeset file
• Added the release label to the PR

[greptile-apps]

_{Reviews (1): Last reviewed commit: "chore: update branch references to main" | Re-trigger Greptile}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	openai@​2.29.0
	openai@​2.30.0
	posthog@​7.9.12
	posthog@​7.11.1
	requests@​2.32.5
	requests@​2.32.4
	requests@​2.33.0
	distro@​1.9.0
	python-dateutil@​2.9.0.post0
	typing-extensions@​4.15.0
	typing-extensions@​4.14.0
	typing-extensions@​4.14.1
	pydantic@​2.11.10
	pydantic@​2.11.7
	pydantic@​2.12.5
	six@​1.17.0
	httpx@​0.28.1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		High CVE: FITS GZIP decompression bomb in Pillow CVE: GHSA-whj4-6x5x-4v2j FITS GZIP decompression bomb in Pillow (HIGH) Affected versions: >= 10.3.0 < 12.2.0 Patched version: 12.2.0 From: ? → pypi/[email protected] → pypi/[email protected] → pypi/[email protected] ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: pypi urllib3 streaming API improperly handles highly compressed data CVE: GHSA-2xpw-w6gg-jr37 urllib3 streaming API improperly handles highly compressed data (HIGH) Affected versions: >= 1.0 < 2.6.0 Patched version: 2.6.0 From: ? → pypi/[email protected] → pypi/[email protected] → pypi/[email protected] → pypi/[email protected] ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API) in pypi urllib3 CVE: GHSA-38jv-5279-wg99 Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API) (HIGH) Affected versions: >= 1.22 < 2.6.3 Patched version: 2.6.3 From: ? → pypi/[email protected] → pypi/[email protected] → pypi/[email protected] → pypi/[email protected] ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: pypi urllib3 allows an unbounded number of links in the decompression chain CVE: GHSA-gm62-xv2j-4w53 urllib3 allows an unbounded number of links in the decompression chain (HIGH) Affected versions: >= 1.24 < 2.6.0 Patched version: 2.6.0 From: ? → pypi/[email protected] → pypi/[email protected] → pypi/[email protected] → pypi/[email protected] ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[github-actions]

posthog-python Compliance Report

Date: 2026-04-14 14:34:56 UTC
Duration: 159489ms

✅ All Tests Passed!

29/29 tests passed

---

Capture Tests

✅ 29/29 tests passed

View Details

Test	Status	Duration
Format Validation.Event Has Required Fields	✅	517ms
Format Validation.Event Has Uuid	✅	1506ms
Format Validation.Event Has Lib Properties	✅	1507ms
Format Validation.Distinct Id Is String	✅	1506ms
Format Validation.Token Is Present	✅	1506ms
Format Validation.Custom Properties Preserved	✅	1507ms
Format Validation.Event Has Timestamp	✅	1507ms
Retry Behavior.Retries On 503	✅	9519ms
Retry Behavior.Does Not Retry On 400	✅	3505ms
Retry Behavior.Does Not Retry On 401	✅	3508ms
Retry Behavior.Respects Retry After Header	✅	9510ms
Retry Behavior.Implements Backoff	✅	23533ms
Retry Behavior.Retries On 500	✅	7500ms
Retry Behavior.Retries On 502	✅	7517ms
Retry Behavior.Retries On 504	✅	7511ms
Retry Behavior.Max Retries Respected	✅	23525ms
Deduplication.Generates Unique Uuids	✅	1500ms
Deduplication.Preserves Uuid On Retry	✅	7514ms
Deduplication.Preserves Uuid And Timestamp On Retry	✅	14516ms
Deduplication.Preserves Uuid And Timestamp On Batch Retry	✅	7511ms
Deduplication.No Duplicate Events In Batch	✅	1506ms
Deduplication.Different Events Have Different Uuids	✅	1508ms
Compression.Sends Gzip When Enabled	✅	1507ms
Batch Format.Uses Proper Batch Structure	✅	1507ms
Batch Format.Flush With No Events Sends Nothing	✅	1005ms
Batch Format.Multiple Events Batched Together	✅	1505ms
Error Handling.Does Not Retry On 403	✅	3509ms
Error Handling.Does Not Retry On 413	✅	3506ms
Error Handling.Retries On 408	✅	7515ms