ci: org-wide branch cleanup for merged/closed PRs #2

Open
KenanBek wants to merge 1 commit into main from ci/org-branch-cleanup
@KenanBek

What

An org-wide policy to auto-delete branches for merged and closed PRs across all active iomete repos.

GitHub natively deletes a branch only when a PR is merged — never on close-without-merge, and there's no org-level default. This PR fills both gaps with one nightly job that lives here in the org .github repo and acts across every active repo via the API.

Already applied (outside this PR)

delete_branch_on_merge ("Automatically delete head branches") has been enabled on all 73 active repos (60 were previously off). Merged-PR branches now auto-delete instantly, org-wide.

What this PR adds

| File | Purpose |
| --- | --- |
| .github/workflows/branch-cleanup.yml | Nightly (03:00 UTC) + manual workflow |
| scripts/enforce-delete-on-merge.sh | Re-asserts the native setting on every active repo → new repos onboard automatically |
| scripts/delete-stale-branches.sh | Deletes head branches of closed/merged PRs (the native gap), with guards |
| docs/branch-cleanup-policy.md | How it works, setup, rollout, tuning |

Safety

Ships in dry-run (BRANCH_CLEANUP_DRY_RUN defaults to true) — it only logs what it would delete until you flip the variable. A branch is deleted only when all hold: it had a closed/merged PR, head is in this repo (not a fork), it's not the default branch, name isn't protected (main/master/release/*/…), no open PR, not protected by a rule/ruleset, and its tip commit is older than GRACE_DAYS (default 7). Validated against 5 repos in dry-run: correctly flagged 12 real stale branches, skipped 2.

To activate after merge

  1. Create a cross-repo token (GitHub App or org-admin PAT — see the doc) and store it as the BRANCH_CLEANUP_TOKEN secret on this repo. (The default GITHUB_TOKEN can't act on other repos.)
  2. Let the nightly dry-runs accumulate; review the run summaries.
  3. Set repo variable BRANCH_CLEANUP_DRY_RUN=false to go live. For a one-time historical backfill, run the workflow manually with a large lookback_days.

See docs/branch-cleanup-policy.md for details.

Adds a nightly workflow (run from this org .github repo) that keeps branch
hygiene across all active iomete repos:

1. enforce-delete-on-merge.sh — ensures the native "delete head branch on
   merge" setting is on for every active repo (covers MERGED PRs instantly and
   auto-onboards new repos; there is no org-level default for this setting).
2. delete-stale-branches.sh — deletes head branches whose PRs are now CLOSED or
   MERGED, which GitHub does not do natively. Heavily guarded (skips forks, the
   default branch, protected/ruleset branches, branches with an open PR, and
   recently-pushed branches) and dry-run by default.

Cross-repo writes use a BRANCH_CLEANUP_TOKEN secret (the default GITHUB_TOKEN
cannot act on other repos). Setup + rollout steps are in
docs/branch-cleanup-policy.md. Ships in dry-run mode; flip the
BRANCH_CLEANUP_DRY_RUN repo variable to go live after reviewing the logs.
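
The guard chain listed under "Safety", as an added offline example; it is not the PR's delete-stale-branches.sh. The argument layout, the verdict strings and reading GRACE_DAYS and BRANCH_CLEANUP_DRY_RUN from the environment are assumptions, and the protected-name patterns cover only the names the description spells out (its list is longer).

```bash
#!/usr/bin/env bash
# Added illustration: evaluate the deletion guards for one candidate branch.
# No network calls; inputs are passed in as already-fetched facts (hypothetical layout).

GRACE_DAYS="${GRACE_DAYS:-7}"
BRANCH_CLEANUP_DRY_RUN="${BRANCH_CLEANUP_DRY_RUN:-true}"

# branch_verdict NAME DEFAULT PR_STATE IS_FORK OPEN_PRS PROTECTED TIP_EPOCH NOW_EPOCH
# Prints "skip:<reason>", "would-delete" (dry-run) or "delete".
branch_verdict() {
  local name="$1" default="$2" pr_state="$3" is_fork="$4"
  local open_prs="$5" protected="$6" tip="$7" now="$8"
  local grace_secs=$(( GRACE_DAYS * 86400 ))

  case "$pr_state" in
    closed|merged) ;;
    *) echo "skip:no-closed-or-merged-pr"; return ;;
  esac
  # Each flag must be exactly "false" to pass, so a missing or odd value skips.
  [ "$is_fork" = "false" ]   || { echo "skip:fork-head"; return; }
  [ "$name" != "$default" ]  || { echo "skip:default-branch"; return; }
  case "$name" in
    main|master|release/*) echo "skip:protected-name"; return ;;
  esac
  [ "$open_prs" -eq 0 ]      || { echo "skip:open-pr"; return; }
  [ "$protected" = "false" ] || { echo "skip:protection-rule"; return; }
  # Tip commit must be strictly older than the grace window.
  [ $(( now - tip )) -gt "$grace_secs" ] || { echo "skip:within-grace"; return; }

  # Fail closed: only the exact string "false" leaves dry-run.
  if [ "$BRANCH_CLEANUP_DRY_RUN" = "false" ]; then
    echo "delete"
  else
    echo "would-delete"
  fi
}

# Constructed sample candidates (not real repository data).
NOW=1700000000
demo() {
  branch_verdict feature/a   develop merged false 0 false $(( NOW - 10*86400 )) "$NOW"
  branch_verdict release/1.2 develop merged false 0 false $(( NOW - 90*86400 )) "$NOW"
  branch_verdict fix/b       develop closed false 1 false $(( NOW - 30*86400 )) "$NOW"
  branch_verdict fix/c       develop closed false 0 false $(( NOW - 2*86400 ))  "$NOW"
}
demo
```

Every guard returns a named skip reason, so a dry-run log shows which condition held a branch back before the variable is flipped.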