#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
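# Regenerates actions.yml and approved_patterns.yml through the gateway module
# and, outside pull requests, commits and pushes the result to the repository.
name: Remove Expired Refs
on:
  # Daily at 02:04 UTC.
  schedule:
    - cron: "4 2 * * *"
  # Also runs on PRs that edit this workflow; the steps that need the PAT or
  # push are skipped there.
  pull_request:
    paths:
      - ".github/workflows/remove_expired.yml"
  workflow_dispatch:
# The default GITHUB_TOKEN is granted nothing; write access comes only from the
# ALLOWLIST_WORKFLOW_TOKEN secret used below.
permissions: {}
jobs:
  remove_expired:
    runs-on: ubuntu-latest
    steps:
      # Pinned to a full commit SHA so a moved tag cannot change the code that
      # receives the token.
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # Credentials stay in the local git config only on runs that reach
          # the final `git push`. On pull_request nothing is pushed, so the
          # token is not left on disk where the Python step (which executes
          # code from the checked-out tree) could read it.
          persist-credentials: ${{ github.event_name != 'pull_request' }}
          # Use PAT so the commit triggers other actions
          token: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN || github.token }} # zizmor: ignore[secrets-outside-env]
      # Diagnostic only: writes the token owner's login/name/email, the expiry
      # and the OAuth scopes header to the job log. Unlike the other steps this
      # one has no github.token fallback.
      # NOTE(review): with the secret unset the first `gh api` call presumably
      # fails the step - confirm that is the intended signal.
      - name: Print token details
        if: ${{ github.event_name != 'pull_request' }}
        env:
          GH_TOKEN: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN }} # zizmor: ignore[secrets-outside-env]
        run: |
          echo "::group::Token details"
          echo "Token user and permissions:"
          gh api /user --jq '"Login: \(.login)\nName: \(.name)\nEmail: \(.email)"'
          echo ""
          echo "Token expiration:"
          gh api /installation/token --jq '.expires_at' 2>/dev/null || echo "Token expiration not available (likely a PAT, not an installation token)"
          echo ""
          echo "Token scopes:"
          curl -sS -H "Authorization: token ${GH_TOKEN}" -I https://api.github.com/ 2>/dev/null | grep -i 'x-oauth-scopes' || echo "No OAuth scopes header (fine-grained or app token)"
          echo "::endgroup::"
      # NOTE(review): uv is installed without a version pin, and on non-PR runs
      # it executes while the checkout credentials are still in .git/config;
      # consider pinning it to a reviewed release.
      - run: pipx install uv
      # Imports gateway from ./gateway/ in the checked-out tree and rewrites
      # actions.yml, then approved_patterns.yml. Runs on every trigger,
      # pull requests included.
      - name: Clean actions.yml
        run: |
          uv run python << 'PYEOF'
          import sys
          sys.path.append("./gateway/")
          import gateway as g
          g.clean_actions("actions.yml")
          g.update_patterns("approved_patterns.yml", "actions.yml")
          PYEOF
      # GH_TOKEN is read by `gh` to derive the commit author, with "asfgit" as
      # the fallback identity. `git push` presumably authenticates with the
      # credentials persisted by the checkout step - confirm. An empty commit
      # is tolerated ("No changes"); the push runs either way.
      - name: Commit and push changes
        if: ${{ github.event_name != 'pull_request' }}
        env:
          GH_TOKEN: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN || github.token }} # zizmor: ignore[secrets-outside-env]
        run: |
          AUTHOR_NAME=$(gh api /user --jq '.login' 2>/dev/null || echo "asfgit")
          AUTHOR_EMAIL=$(gh api /user --jq '.email // "\(.login)@users.noreply.github.com"' 2>/dev/null || echo "asfgit@users.noreply.github.com")
          git config --local user.name "${AUTHOR_NAME}"
          git config --local user.email "${AUTHOR_EMAIL}"
          git add -f actions.yml approved_patterns.yml
          git commit -m "Remove Expired Refs" -m "Generated by .github/workflows/remove_expired.yml" || echo "No changes"
          git push origin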