
BUILD-10739 Self-service S3 cache cleanup#41

Merged
mikolaj-matuszny-ext-sonarsource merged 4 commits into master from feat/mmatuszny/BUILD-10739-cache-cleanup
Mar 18, 2026

Conversation

@mikolaj-matuszny-ext-sonarsource (Contributor) commented Mar 17, 2026

Summary

Adds a self-service cache cleanup composite action (SonarSource/gh-action_cache/cleanup@v1) that allows users to delete S3 cache entries by branch name and optional key prefix.

Usage

- uses: SonarSource/gh-action_cache/cleanup@v1
  with:
    branch: feature/my-branch
    key: sccache-Linux-    # optional - omit to delete all cache for the branch
    dry-run: "true"        # optional - preview what would be deleted

Users just provide the branch name as they know it (e.g., master, feat/my-branch). The action automatically handles both PR-created and push-created cache entries.

What's included

  • cleanup/action.yml - composite action that handles AWS auth and runs the cleanup script
  • scripts/cleanup-cache.sh - cleanup logic using aws s3 rm with --include/--exclude wildcard patterns
  • .github/workflows/cleanup-cache.yml - workflow_dispatch workflow for direct trigger from this repo
  • README documentation with usage examples (GitHub UI, CLI, API)
  • CI test job - dry-run cleanup in the test workflow

How it works

S3 cache paths look like: cache/<org>/<repo>/<hash>/<branch>/<key>

The hash prefix is opaque (SHA256 of cache paths + compression + salt), so the script uses aws s3 rm --recursive --exclude "*" --include "*/<branch>/*" to match across all hash prefixes.

Branch names in S3 vary by event type (PRs use bare names like feat/my-branch, pushes use full refs like refs/heads/master), so the script searches for both forms automatically.

IAM dependency

Requires SonarSource/github-runners-infra#336 to be merged and applied first. The current Cognito role IAM policy scopes ListBucket/DeleteObject to the caller's own branch. The IAM PR adds two new statements that allow broader listing/deletion scoped to workflow_dispatch events from protected branches only.

Test plan

  • Cleanup script handles bare branch names, full refs, key prefixes, and dry-run mode
  • Composite action correctly wires up credentials and script execution
  • IAM policy applied to dev → cleanup dry-run succeeds (blocked on #336)
  • End-to-end: actual deletion of cache entries

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
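The matching logic described under "How it works", as an added example in POSIX shell that is not the project's scripts/cleanup-cache.sh: it emits the --include patterns for both stored branch forms (bare name for PR-created entries, refs/heads/... for push-created ones), prints the aws s3 rm command that would run with --dryrun, and previews offline which keys that filter would match. The bucket name my-cache-bucket and the sample keys are constructed placeholders; the path layout cache/<org>/<repo>/<hash>/<branch>/<key> is the one the description gives.

```shell
#!/bin/sh
# Added example, not the project's scripts/cleanup-cache.sh.
# Assumed key layout (from the PR description):
#   cache/<org>/<repo>/<hash>/<branch>/<key>
# The bucket name and the sample keys below are placeholders.
set -eu
set -f   # no pathname expansion: the patterns contain '*' on purpose

# One "*/<branch-form>/<key-prefix>*" pattern per line, for the bare branch
# name (PR-created entries) and the full ref (push-created entries). A full
# ref passed as the branch is normalised to its bare name first.
build_patterns() {
  bare=${1#refs/heads/}
  key_prefix=${2:-}
  printf '%s\n' "*/$bare/$key_prefix*" "*/refs/heads/$bare/$key_prefix*"
}

# The aws s3 rm invocation: exclude everything, then re-include only the
# branch patterns. --dryrun (a real aws s3 rm flag) lists without deleting.
build_rm_command() {
  bucket=$1; branch=$2; key_prefix=${3:-}; dry_run=${4:-true}
  cmd="aws s3 rm s3://$bucket/cache/ --recursive --exclude '*'"
  for p in $(build_patterns "$branch" "$key_prefix"); do
    cmd="$cmd --include '$p'"
  done
  if [ "$dry_run" = true ]; then
    cmd="$cmd --dryrun"
  fi
  printf '%s\n' "$cmd"
}

# Offline preview of the filter: apply the same patterns to keys read from
# stdin with shell pattern matching, where '*' spans '/' just as it does in
# the AWS CLI filter, and print the keys that would be deleted.
preview_matches() {
  patterns=$(build_patterns "$1" "${2:-}")
  while IFS= read -r key; do
    for p in $patterns; do
      case $key in
        $p) printf '%s\n' "$key"; break ;;
      esac
    done
  done
}

# Constructed sample keys (placeholders, not real cache contents). The last
# one is a branch named feat/master/other, included to show the interior
# "/master/" match.
sample_keys() {
  printf '%s\n' \
    'cache/SonarSource/repo-a/0123abcd/master/sccache-Linux-x86' \
    'cache/SonarSource/repo-a/0123abcd/refs/heads/master/sccache-Linux-x86' \
    'cache/SonarSource/repo-a/0123abcd/refs/heads/master/gradle-cache' \
    'cache/SonarSource/repo-a/89efdead/feat/my-branch/sccache-Linux-x86' \
    'cache/SonarSource/repo-a/89efdead/feat/master/other/sccache-Linux-x86'
}

echo "# command for branch master, key prefix sccache-Linux-, dry run:"
build_rm_command my-cache-bucket master sccache-Linux-
echo "# keys the filter would delete with the key prefix:"
sample_keys | preview_matches master sccache-Linux-
echo "# keys the filter would delete with no key prefix:"
sample_keys | preview_matches master
```

Two things the preview makes visible. Because `*` matches across `/` in both the AWS CLI filter and shell pattern matching, the bare-name pattern `*/master/*` already matches keys stored under `refs/heads/master`, so the second pattern is redundant but harmless. The same property means that with no key prefix, `*/master/*` also matches a longer branch whose name contains `/master/` as an interior segment (the constructed `feat/master/other` key), which is a reason to read the dry-run listing before the broadened IAM deletion is run for real.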
@mikolaj-matuszny-ext-sonarsource force-pushed the feat/mmatuszny/BUILD-10739-cache-cleanup branch 4 times, most recently from 407c113 to 021fddc on March 17, 2026 13:23
@mikolaj-matuszny-ext-sonarsource changed the title from "BUILD-10739 Test cache cleanup" to "BUILD-10739 Self-service S3 cache cleanup" on Mar 17, 2026
@mikolaj-matuszny-ext-sonarsource force-pushed the feat/mmatuszny/BUILD-10739-cache-cleanup branch 4 times, most recently from 03a70cd to 2c90162 on March 17, 2026 13:35
@mikolaj-matuszny-ext-sonarsource marked this pull request as ready for review on March 17, 2026 13:38
sonar-review-alpha bot commented Mar 17, 2026

Summary

Adds a self-service cache cleanup action that lets users delete S3 cache by branch and optional key prefix. Reuses the existing credential-setup@v1 action for AWS auth and implements cleanup via aws s3 rm with wildcard patterns. Includes a workflow dispatch UI, documentation, and a smoke test (dry-run only until IAM #336 is merged).

What reviewers should know

Start with: cleanup/action.yml → scripts/cleanup-cache.sh → then the workflow and tests.

Key logic: The bash script handles both PR-created cache (bare branch names like feat/my-branch) and push-created cache (full refs like refs/heads/master) by searching for */<branch>/* patterns across all opaque hash prefixes. This dual-form matching is why it "just works" regardless of event type—see lines 20-32 of cleanup-cache.sh.

Wildcard patterns: The script uses --exclude "*" --include "*/<branch>/*" to match across all unknown hash prefixes. This is correct but non-obvious.

Testing limitation: The test added to test-action.yml (test-cleanup-dry-run) is a smoke test only—it runs against a nonexistent branch to verify the action wires up correctly. Actual deletion testing is blocked on SonarSource/github-runners-infra#336 (IAM policy addition). Until that merges, the Cognito role can't do cross-branch deletion.

External dependency: The README correctly notes that the IAM PR must be merged and applied first before actual cleanup works in prod.


sonar-review-alpha bot left a comment

Conclusion: Clean, well-structured addition that fits naturally into the existing architecture. The dual-form branch search in the cleanup script is the right approach and correctly mirrors how prepare-keys.sh stores cache keys (bare name for PR events, full ref for push events). Ready to merge once SonarSource/github-runners-infra#336 is applied.


@mikolaj-matuszny-ext-sonarsource force-pushed the feat/mmatuszny/BUILD-10739-cache-cleanup branch from 2c90162 to e076b58 on March 18, 2026 07:53

@mikolaj-matuszny-ext-sonarsource merged commit f35d4d1 into master on Mar 18, 2026
13 of 15 checks passed
@mikolaj-matuszny-ext-sonarsource deleted the feat/mmatuszny/BUILD-10739-cache-cleanup branch on March 18, 2026 07:55