From 30c5f8679254edbfa35eda3a640b92550f918f69 Mon Sep 17 00:00:00 2001
From: "Alan D. Tse" <alandtse@gmail.com>
Date: Fri, 23 May 2025 22:14:17 -0700
Subject: [PATCH 1/4] ci: add pr release cleanup job

---
 .github/workflows/cleanup-pr-releases.yaml | 41 ++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 .github/workflows/cleanup-pr-releases.yaml

diff --git a/.github/workflows/cleanup-pr-releases.yaml b/.github/workflows/cleanup-pr-releases.yaml
new file mode 100644
index 0000000000..d1cc951d60
--- /dev/null
+++ b/.github/workflows/cleanup-pr-releases.yaml
@@ -0,0 +1,41 @@
+name: Cleanup Closed PR Releases
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 2 * * *'  # Optional: runs daily at 2am UTC
+  pull_request_target:
+    types: [closed]
+
+permissions:
+  contents: write
+
+jobs:
+  cleanup-prereleases:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Delete closed PR prereleases
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "Fetching all prereleases..."
+          releases=$(gh release list --limit 1000 --json tagName,isPrerelease --jq '.[] | select(.isPrerelease) | .tagName')
+
+          for tag in $releases; do
+            if [[ "$tag" =~ ^v[0-9]+\.[0-9]+\.[0-9]+-pr([0-9]+)$ ]]; then
+              pr_number="${BASH_REMATCH[1]}"
+              echo "Checking PR #$pr_number for tag $tag"
+
+              pr_status=$(gh pr view "$pr_number" --json state --jq .state 2>/dev/null || echo "NOT_FOUND")
+
+              if [[ "$pr_status" != "OPEN" ]]; then
+                echo "Deleting prerelease with tag $tag (PR #$pr_number is $pr_status)"
+                gh release delete "$tag" --yes
+                gh tag delete "$tag"
+              else
+                echo "PR #$pr_number is still open. Keeping tag $tag"
+              fi
+            else
+              echo "Skipping non-PR tag $tag"
+            fi
+          done
\ No newline at end of file

From f82b44120be95edf44f7f729d41c4f95172129c7 Mon Sep 17 00:00:00 2001
From: "Alan D. Tse" <alandtse@gmail.com>
Date: Fri, 23 May 2025 22:59:41 -0700
Subject: [PATCH 2/4] build: fix tag deletion errors

---
 .github/workflows/cleanup-pr-releases.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/cleanup-pr-releases.yaml b/.github/workflows/cleanup-pr-releases.yaml
index d1cc951d60..8eeb31a2c8 100644
--- a/.github/workflows/cleanup-pr-releases.yaml
+++ b/.github/workflows/cleanup-pr-releases.yaml
@@ -9,6 +9,7 @@ on:
 
 permissions:
   contents: write
+  pull-requests: read
 
 jobs:
   cleanup-prereleases:
@@ -27,10 +28,11 @@ jobs:
               echo "Checking PR #$pr_number for tag $tag"
 
               pr_status=$(gh pr view "$pr_number" --json state --jq .state 2>/dev/null || echo "NOT_FOUND")
-
               if [[ "$pr_status" != "OPEN" ]]; then
                 echo "Deleting prerelease with tag $tag (PR #$pr_number is $pr_status)"
-                gh release delete "$tag" --yes
+                # Remove release and cleanup the Git tag (requires GH CLI ≥2.3.0)
+                gh release delete "$tag" --yes --cleanup-tag \
+                  || git push --delete origin "$tag"
                 gh tag delete "$tag"
               else
                 echo "PR #$pr_number is still open. Keeping tag $tag"

From e98526c69b9221d31ab37b199ae6abd781323c5b Mon Sep 17 00:00:00 2001
From: "Alan D. Tse" <alandtse@gmail.com>
Date: Fri, 23 May 2025 23:05:18 -0700
Subject: [PATCH 3/4] ci: checkout default branch to avoid security issues

---
 .github/workflows/cleanup-pr-releases.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/cleanup-pr-releases.yaml b/.github/workflows/cleanup-pr-releases.yaml
index 8eeb31a2c8..f9f88f78f6 100644
--- a/.github/workflows/cleanup-pr-releases.yaml
+++ b/.github/workflows/cleanup-pr-releases.yaml
@@ -15,6 +15,11 @@ jobs:
   cleanup-prereleases:
     runs-on: ubuntu-latest
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.repository.default_branch }}
+
       - name: Delete closed PR prereleases
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

From ca444d7f937931d1d52d1888e463bdd78f76bcd7 Mon Sep 17 00:00:00 2001
From: "Alan D. Tse" <alandtse@gmail.com>
Date: Fri, 23 May 2025 23:10:20 -0700
Subject: [PATCH 4/4] ci: fix tag deletion

---
 .github/workflows/cleanup-pr-releases.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/cleanup-pr-releases.yaml b/.github/workflows/cleanup-pr-releases.yaml
index f9f88f78f6..5585b584a7 100644
--- a/.github/workflows/cleanup-pr-releases.yaml
+++ b/.github/workflows/cleanup-pr-releases.yaml
@@ -38,7 +38,7 @@ jobs:
                 # Remove release and cleanup the Git tag (requires GH CLI ≥2.3.0)
                 gh release delete "$tag" --yes --cleanup-tag \
                   || git push --delete origin "$tag"
-                gh tag delete "$tag"
+                git tag -d "$tag" || true
               else
                 echo "PR #$pr_number is still open. Keeping tag $tag"
               fi