Skip to content

ci: add weekly cleanup of expired e2e PATs#1691

Merged
ralphbean merged 3 commits into
mainfrom
ci/cleanup-botsend-pats
Jun 1, 2026
Merged

ci: add weekly cleanup of expired e2e PATs#1691
ralphbean merged 3 commits into
mainfrom
ci/cleanup-botsend-pats

Conversation

@ralphbean

Copy link
Copy Markdown
Member

Summary

  • Add hack/cleanup-pats script that uses Playwright to delete expired classic PATs from the botsend e2e test account
  • Add .github/workflows/pat-cleanup.yml weekly cron (Sundays 4am UTC) + manual trigger
  • Uses the existing E2E_GITHUB_SESSION secret to authenticate

The botsend account accumulates PATs from e2e runs that crash or time out before t.Cleanup runs. The script paginates from last page to first, deleting expired tokens via fetch+POST, and stops when it hits a page with no expired tokens.

Closes #1683

Test plan

  • Ran locally against botsend account, confirmed deletion of expired PATs across multiple pages
  • Trigger workflow manually from Actions tab to verify CI execution

🤖 Generated with Claude Code

@github-actions

github-actions Bot commented May 29, 2026

Copy link
Copy Markdown

Site preview

Preview: https://eea43437-site.fullsend-ai.workers.dev

Commit: 4910960518fb22e68c0cab102700d80672ad94ca

@fullsend-ai-review

fullsend-ai-review Bot commented May 29, 2026

Copy link
Copy Markdown

Review

Findings

Medium

  • [protected-path] .github/workflows/pat-cleanup.yml — This PR adds a new workflow under .github/, which is a protected path. The PR links to e2e: clean up botsend PATs accumulating from test runs #1683 and provides clear rationale for adding the cleanup workflow. Human approval is always required for protected-path changes, regardless of context.

Info

  • [testing] hack/cleanup-pats.go — No automated tests for the cleanup script. Given it's a hack/ utility that operates via browser automation against a live GitHub account, unit testing is impractical, but consider adding a dry-run flag for safer manual verification.
Previous run

Review

Findings

Medium

  • [protected-path] .github/workflows/pat-cleanup.yml — This PR adds a new workflow under .github/, which is a protected path requiring human approval. The PR links to e2e: clean up botsend PATs accumulating from test runs #1683 and explains the rationale (cleaning up expired e2e PATs from the botsend account). Human approval is always required for protected-path changes, regardless of context.

Low

  • [correctness] .github/workflows/pat-cleanup.yml:34 — The workflow does not check whether the E2E_GITHUB_SESSION secret is available before attempting to base64-decode it in the "Decode session" step. The existing e2e.yml workflow has a secrets-check step that guards against missing secrets and provides a clear warning message. Since this workflow only triggers on schedule and workflow_dispatch (not fork PRs), the practical risk is minimal, but a missing or misconfigured secret would produce a confusing base64 -d error rather than a clear diagnostic.
    Remediation: Add a secrets-check step similar to e2e.yml that verifies E2E_GITHUB_SESSION_B64 is non-empty before proceeding.
Previous run (2)

Review

Findings

Medium

  • [protected-path] .github/workflows/pat-cleanup.yml — This PR adds a new GitHub Actions workflow under .github/, which is a protected path. The PR links to e2e: clean up botsend PATs accumulating from test runs #1683 and provides clear rationale (weekly cleanup of expired e2e PATs from the botsend account). Human approval is required for all changes to protected paths regardless of context.

Info

  • [correctness] hack/cleanup-pats.go — The remaining-token count at the end is an estimate (assumes 10 tokens per full page). This is fine for a summary message but worth noting — the actual count could differ slightly if GitHub changes its pagination size.

@fullsend-ai-review fullsend-ai-review Bot added the requires-manual-review Review requires human judgment label May 29, 2026
The botsend account used by e2e tests accumulates classic PATs over
time when test runs crash or time out before cleanup. Add a Playwright-
based script that paginates the GitHub tokens settings page, deletes
all expired tokens, and reports how many remain.

- hack/cleanup-pats: bash wrapper for manual use
- hack/cleanup-pats.go: Playwright Go program that deletes expired PATs
  via fetch+POST against each token's delete form
- .github/workflows/pat-cleanup.yml: weekly cron (Sundays 4am UTC)
  using the existing E2E_GITHUB_SESSION secret

Closes #1683

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
@ralphbean ralphbean force-pushed the ci/cleanup-botsend-pats branch from 2e9fb8b to e9955f2 Compare May 29, 2026 15:35
@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels May 29, 2026
Comment thread hack/cleanup-pats Outdated
Remove hack/cleanup-pats shell script and call
go run hack/cleanup-pats.go from the workflow step.

Assisted-by: Claude claude-opus-4-6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
The previous commit deleted the bash wrapper but missed updating
the workflow step that invoked it.

Assisted-by: Claude claude-opus-4-6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels Jun 1, 2026
@ralphbean ralphbean added this pull request to the merge queue Jun 1, 2026
Merged via the queue into main with commit 027de9f Jun 1, 2026
10 checks passed
@ralphbean ralphbean deleted the ci/cleanup-botsend-pats branch June 1, 2026 18:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

requires-manual-review Review requires human judgment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

e2e: clean up botsend PATs accumulating from test runs

2 participants