feat: Gmail token auto-renewal system - keepalive + auto-rotation

dlnraja · dlnraja · commit 6056ee10ee1e · 2026-02-22T15:42:44.000+01:00
- New: gmail-token-keepalive.yml runs daily at 6AM to prevent 7-day expiry
- New: gmail-token-keepalive.js lightweight token refresh script
- Updated: fetch-gmail-diagnostics.js captures new refresh tokens + logs expiry info
- Updated: gmail-diagnostics.yml auto-rotates GitHub secret when new token received
- Protection: 3 layers - daily keepalive, 3x/day diagnostics, auto-rotation on renewal
diff --git a/.github/scripts/fetch-gmail-diagnostics.js b/.github/scripts/fetch-gmail-diagnostics.js
@@ -36,7 +36,10 @@ async function getToken(){
     headers:{'Content-Type':'application/x-www-form-urlencoded'},
     body:'client_id='+id+'&client_secret='+s+'&refresh_token='+r+'&grant_type=refresh_token'});
   if(!res.ok){const e=await res.text();console.error('Token refresh failed:',res.status,e);if(e.includes('invalid_grant'))console.error('EXPIRED! Publish OAuth consent screen or re-generate refresh token');return null;}
-  return(await res.json()).access_token;
+  const j=await res.json();
+  if(j.refresh_token_expires_in)console.log('Refresh token expires in '+Math.round(j.refresh_token_expires_in/3600)+'h (Testing mode)');
+  if(j.refresh_token){console.log('New refresh token received - writing for auto-rotation');fs.writeFileSync(path.join(SD,'_new_refresh_token.txt'),j.refresh_token);}
+  return j.access_token;
 }
 
 async function gapi(tk,ep,retries=2){
diff --git a/.github/scripts/gmail-token-keepalive.js b/.github/scripts/gmail-token-keepalive.js
@@ -0,0 +1,14 @@
+#!/usr/bin/env node
+'use strict';
+const fs=require('fs'),path=require('path');
+const SD=path.join(__dirname,'..','state');
+async function main(){
+const{GMAIL_CLIENT_ID:id,GMAIL_CLIENT_SECRET:s,GMAIL_REFRESH_TOKEN:r}=process.env;
+if(!id||!s||!r){console.log('No creds');process.exit(0);}
+const res=await fetch('https://oauth2.googleapis.com/token',{method:'POST',headers:{'Content-Type':'application/x-www-form-urlencoded'},body:'client_id='+id+'&client_secret='+s+'&refresh_token='+r+'&grant_type=refresh_token'});
+if(!res.ok){console.error('FAIL:',res.status);process.exit(1);}
+const j=await res.json();
+console.log('OK:',j.expires_in+'s');
+if(j.refresh_token){fs.mkdirSync(SD,{recursive:true});fs.writeFileSync(path.join(SD,'_new_refresh_token.txt'),j.refresh_token);console.log('NEW token saved');}
+}
+main().catch(e=>{console.error(e);process.exit(1);});
diff --git a/.github/workflows/gmail-diagnostics.yml b/.github/workflows/gmail-diagnostics.yml
@@ -38,6 +38,17 @@ jobs:
           COUNT=$(node -p "try{JSON.parse(require('fs').readFileSync('.github/state/diagnostics-report.json')).emails?.length||0}catch(e){0}")
           git diff --staged --quiet || git commit -m "Gmail diagnostics $(date -u +%Y-%m-%d): ${COUNT} emails analyzed [skip ci]"
           git push || true
+      - name: Auto-rotate refresh token if renewed
+        env:
+          GH_TOKEN: ${{ secrets.GH_PAT || secrets.GITHUB_TOKEN }}
+        run: |
+          TOKEN_FILE=".github/state/_new_refresh_token.txt"
+          if [ -f "$TOKEN_FILE" ]; then
+            echo "New refresh token detected - rotating GitHub secret..."
+            cat "$TOKEN_FILE" | gh secret set GMAIL_REFRESH_TOKEN
+            rm -f "$TOKEN_FILE"
+            echo "::notice::Gmail refresh token auto-rotated"
+          fi
       - name: Create issues for critical diagnostics
         if: always()
         run: |
diff --git a/.github/workflows/gmail-token-keepalive.yml b/.github/workflows/gmail-token-keepalive.yml
@@ -0,0 +1,41 @@
+name: Gmail Token Keepalive
+on:
+  schedule:
+    - cron: '0 6 * * *'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: gmail-keepalive
+  cancel-in-progress: true
+
+jobs:
+  keepalive:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+      - name: Refresh Gmail token
+        env:
+          GMAIL_CLIENT_ID: ${{ secrets.GMAIL_CLIENT_ID }}
+          GMAIL_CLIENT_SECRET: ${{ secrets.GMAIL_CLIENT_SECRET }}
+          GMAIL_REFRESH_TOKEN: ${{ secrets.GMAIL_REFRESH_TOKEN }}
+        run: node .github/scripts/gmail-token-keepalive.js
+      - name: Auto-rotate if new token
+        env:
+          GH_TOKEN: ${{ secrets.GH_PAT || secrets.GITHUB_TOKEN }}
+        run: |
+          TOKEN_FILE=".github/state/_new_refresh_token.txt"
+          if [ -f "$TOKEN_FILE" ]; then
+            echo "Rotating refresh token..."
+            cat "$TOKEN_FILE" | gh secret set GMAIL_REFRESH_TOKEN
+            rm -f "$TOKEN_FILE"
+            echo "::notice::Gmail refresh token auto-rotated"
+          else
+            echo "Token still valid - no rotation needed"
+          fi
