Auto-clean stale pr-test-builds releases #11678
Open
sensei-hacker wants to merge 1 commit into
iNavFlight/pr-test-builds accumulated releases forever since nothing deleted them once a PR closed (157 at time of writing). Adds a merge-triggered workflow for immediate cleanup plus a scheduled sweep and manual script as a safety net / backlog cleaner.
Summary
iNavFlight/pr-test-builds accumulates a release for every PR (via pr-test-builds.yml) but nothing ever deleted them once a PR closed — 157 stale releases had built up. This adds three cleanup mechanisms.

Changes

- .github/workflows/cleanup-pr-test-builds.yml — deletes a PR's pr-test-builds release immediately when the PR merges. Uses pull_request_target (not pull_request) so the existing PR_BUILDS_TOKEN secret is available even for fork PRs; this is safe here because the workflow never checks out or executes any PR code, it only reads number/merged from the trusted event payload and calls the GitHub API. Also accepts workflow_dispatch for manual retries.
- .github/workflows/cleanup-pr-test-builds-scheduled.yml — a daily cron safety-net sweep (--older-than 14) for anything the merge-triggered workflow missed, and to gradually clear the pre-existing backlog.
- .github/scripts/cleanup-old-pr-test-builds.py — the script the scheduled sweep runs; also runnable by hand with --dry-run and --older-than DAYS.
- docs/development/cleanup-pr-test-builds.md — usage, token setup, and troubleshooting.

inav-configurator doesn't need any of this — its PR test builds are plain GitHub Actions artifacts linked from a PR comment, not pr-test-builds releases, so they already expire under GitHub's own artifact retention policy.

No new secrets needed — everything reuses the existing PR_BUILDS_TOKEN that pr-test-builds.yml already uses to publish releases.

Testing

- python3 .github/scripts/cleanup-old-pr-test-builds.py --dry-run --older-than 14 correctly classified all ~150 live releases (150 to delete, 7 correctly skipped as recent+open) across ~300 real API calls with 0 errors. Default (merged-only) mode: 112 to delete, 45 correctly skipped (open or closed-without-merge).
- created_at field is bogus (identical across every release regardless of actual publish date) — using it for --older-than would have deleted the entire repo on first run regardless of threshold. Switched to published_at, which is verified accurate.
- pr-11614) using the exact command the workflow runs (gh release delete ... --cleanup-tag --yes). Verified afterward that both the release and its underlying git tag are gone (404 on both gh release view and the git ref API).
- py_compile) and YAML syntax (yaml.safe_load) for all new files; shellchecked the embedded bash in the merge-triggered workflow (clean).

Code Review

Reviewed with the inav-code-review agent. Three IMPORTANT issues found and fixed before this PR: the merge-triggered workflow's "not found" check was swallowing all gh release view failures (including real auth/rate-limit errors) instead of only genuine not-found cases, contradicting the workflow's own documented behavior; the script's list_releases() call wasn't wrapped in the same error handling as the rest of the tool; and the doc incorrectly claimed both workflows share the Python script's logic (only the scheduled sweep does — the merge-triggered workflow has its own simpler inline logic).
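The created_at versus published_at problem from the Testing notes, as an added example that is not the PR's own script. It assumes tags shaped like pr-NUMBER (as in pr-11614), assumes a release is deleted when its PR is merged or when it is older than the threshold, and uses hypothetical names (select_stale, parse_ts) with constructed release records.

```python
import re
from datetime import datetime, timedelta, timezone

TAG_RE = re.compile(r"^pr-(\d+)$")  # assumed tag shape, as in pr-11614

def parse_ts(value):
    """Parse a GitHub-style UTC timestamp; return None if absent or malformed."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None

def select_stale(releases, merged_prs, now, older_than_days=None, age_field="published_at"):
    """Return tags to delete. Assumed rule: PR merged, or release older than the threshold."""
    doomed = []
    for rel in releases:
        m = TAG_RE.match(rel.get("tag_name", ""))
        if not m:
            continue  # not a PR test build: never touch it
        if int(m.group(1)) in merged_prs:
            doomed.append(rel["tag_name"])
            continue
        stamp = parse_ts(rel.get(age_field))
        if older_than_days is None or stamp is None:
            continue  # fail closed: no usable timestamp means keep the release
        if now - stamp > timedelta(days=older_than_days):
            doomed.append(rel["tag_name"])
    return doomed

# Constructed sample records (not real releases). created_at is identical on
# every record, mirroring the behaviour the PR description reports.
NOW = datetime(2025, 6, 30, tzinfo=timezone.utc)
SAME = "2024-01-01T00:00:00Z"
RELEASES = [
    {"tag_name": "pr-101", "created_at": SAME, "published_at": "2025-05-01T10:00:00Z"},  # merged
    {"tag_name": "pr-102", "created_at": SAME, "published_at": "2025-06-01T10:00:00Z"},  # open, old
    {"tag_name": "pr-103", "created_at": SAME, "published_at": "2025-06-28T10:00:00Z"},  # open, recent
    {"tag_name": "pr-104", "created_at": SAME, "published_at": None},                    # open, no date
    {"tag_name": "v1.0.0", "created_at": SAME, "published_at": "2023-01-01T00:00:00Z"},  # not a PR build
]
MERGED = {101}

if __name__ == "__main__":
    print("merged-only:     ", select_stale(RELEASES, MERGED, NOW))
    print("--older-than 14: ", select_stale(RELEASES, MERGED, NOW, 14))
    print("using created_at:", select_stale(RELEASES, MERGED, NOW, 14, age_field="created_at"))
```

With created_at as the age field, every PR-tagged release in the sample is selected regardless of the threshold, which is the failure mode the dry run caught.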