cardstack
diff --git a/‎.github/workflows/observability-diff.yml‎
Lines changed: 45 additions & 31 deletions b/‎.github/workflows/observability-diff.yml‎
Lines changed: 45 additions & 31 deletions
diff --git a/‎.github/workflows/observability-preview-sweep.yml‎
Lines changed: 188 additions & 0 deletions b/‎.github/workflows/observability-preview-sweep.yml‎
Lines changed: 188 additions & 0 deletions
@@ -83,13 +83,17 @@ jobs:
           fetch-depth: 0
 
       - name: Fetch PR base ref
-        # Belt-and-suspenders: even with `fetch-depth: 0`, ensure the
-        # PR base ref is available as `origin/<base>` so diff.sh's
-        # `git rev-parse --verify` succeeds. Cheap on already-fetched
-        # history; idempotent if the ref is already up to date.
+        # Ensure the PR base ref is available as `origin/<base>` so
+        # diff.sh's `git rev-parse --verify` and `git diff <base>...HEAD`
+        # both succeed. NOTE: no `--depth=1` here. A shallow fetch makes
+        # origin/<base> an orphan with no parent history; when main has
+        # advanced past the PR's actual merge base (any non-trivial PR
+        # in flight long enough for main to move), `git diff <base>...HEAD`
+        # then fails with "no merge base". Unbounded fetch is cheap
+        # against an already-full repo (`fetch-depth: 0` on checkout).
         env:
           PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
-        run: git fetch --no-tags --depth=1 origin "${PR_BASE_REF}"
+        run: git fetch --no-tags origin "${PR_BASE_REF}"
 
       - name: Install grafanactl
         uses: ./.github/actions/install-grafanactl
@@ -184,17 +188,43 @@ jobs:
             const diffBytes = Buffer.byteLength(diff, 'utf8');
             const runUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
 
-            let body;
+            // Find existing sticky comment. Paginate so we don't miss
+            // the marker on PRs with >100 comments (would otherwise
+            // create duplicates on every push).
+            const comments = await github.paginate(
+              github.rest.issues.listComments,
+              {
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                per_page: 100,
+              }
+            );
+            const existing = comments.find(
+              (c) => c.body && c.body.startsWith(marker)
+            );
+
             if (!diff.trim()) {
-              body = [
-                marker,
-                '## Observability diff (vs staging)',
-                '',
-                'No dashboard / folder changes detected against the staging Grafana.',
-                '',
-                `_(Run: ${runUrl})_`,
-              ].join('\n');
-            } else if (diffBytes > maxBytes) {
+              // No drift between the PR's committed state and live staging.
+              // Don't post a "nothing changed" comment — but if a prior push
+              // left a sticky behind (the PR used to touch dashboards and
+              // now doesn't), delete it so the PR's comment stream matches
+              // its current state.
+              if (existing) {
+                await github.rest.issues.deleteComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  comment_id: existing.id,
+                });
+                core.info(`Deleted stale sticky comment ${existing.id}`);
+              } else {
+                core.info('No diff vs staging — nothing to post.');
+              }
+              return;
+            }
+
+            let body;
+            if (diffBytes > maxBytes) {
               // Truncate by bytes, not characters. Walk back from a
               // character boundary so we don't slice mid-codepoint and
               // produce invalid UTF-8.
@@ -225,22 +255,6 @@ jobs:
               ].join('\n');
             }
 
-            // Find existing sticky comment. Paginate so we don't miss
-            // the marker on PRs with >100 comments (would otherwise
-            // create duplicates on every push).
-            const comments = await github.paginate(
-              github.rest.issues.listComments,
-              {
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.issue.number,
-                per_page: 100,
-              }
-            );
-            const existing = comments.find(
-              (c) => c.body && c.body.startsWith(marker)
-            );
-
             if (existing) {
               await github.rest.issues.updateComment({
                 owner: context.repo.owner,
 
@@ -0,0 +1,188 @@
+name: Observability — preview sweep
+
+# Daily sweep that removes stale preview folders + dashboards from the
+# staging Grafana. Safety net for observability-preview.yml's cleanup-on-
+# close job: a missed `closed` webhook, a job that errored mid-delete, or a
+# preview pushed against a PR that was later deleted from GitHub all leave
+# orphan `pr<n>-*` resources behind. This workflow notices and cleans up.
+#
+# Decision rule per PR number (derived from the `pr<n>-` UID prefix):
+#   - PR is open                → keep
+#   - PR is closed/merged       → delete
+#   - PR doesn't exist on GitHub → delete (PR was deleted from repo state)
+#
+# CS-11106.
+
+on:
+  schedule:
+    # Daily at 06:23 UTC — chosen to avoid the top-of-hour rush. No
+    # particular significance to the minute; deliberately not on :00 so
+    # GHA's "scheduled workflows often run minutes late" behavior doesn't
+    # batch this with other on-the-hour crons.
+    - cron: "23 6 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write
+  # `gh pr view` calls in the sweep step need read access to the repo's
+  # pull requests. Without this, every PR-state lookup would return 403
+  # and the sweep would either delete previews for genuinely open PRs
+  # (legacy behavior) or — after the indeterminate-state guard below —
+  # abort the sweep entirely.
+  pull-requests: read
+
+concurrency:
+  # The sweeper is idempotent, but running two at once would do redundant
+  # API calls against Grafana and GitHub. Serialize; don't cancel an
+  # in-flight run if the cron fires while a manual dispatch is still going.
+  group: observability-preview-sweep
+  cancel-in-progress: false
+
+env:
+  AWS_REGION: us-east-1
+  AWS_ROLE_ARN: arn:aws:iam::680542703984:role/boxel-observability-apply
+  GRAFANACTL_VERSION: "0.1.10"
+
+jobs:
+  sweep:
+    name: Sweep stale previews from staging
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Install grafanactl
+        uses: ./.github/actions/install-grafanactl
+        with:
+          version: ${{ env.GRAFANACTL_VERSION }}
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
+        with:
+          role-to-assume: ${{ env.AWS_ROLE_ARN }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Source GRAFANA_TOKEN
+        run: |
+          GRAFANA_TOKEN="$(aws ssm get-parameter \
+            --name /staging/grafana/grafanactl_token \
+            --with-decryption \
+            --query 'Parameter.Value' \
+            --output text)"
+          echo "::add-mask::$GRAFANA_TOKEN"
+          echo "GRAFANA_TOKEN=$GRAFANA_TOKEN" >> "$GITHUB_ENV"
+
+      - name: Identify stale previews
+        id: identify
+        working-directory: packages/observability
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+        run: |
+          set -eo pipefail
+          remote="$(mktemp -d)"
+          cfg="$(./scripts/render-config.sh staging)"
+          trap 'rm -rf "$remote"; rm -f "$cfg"' EXIT
+
+          grafanactl --config "$cfg" --context staging \
+            resources pull dashboards folders --path "$remote" >/dev/null
+
+          # Extract the set of unique PR numbers present in preview UIDs.
+          # `grep ... || true` because `set -eo pipefail` would otherwise
+          # abort the step when grep finds no matches — that's the legitimate
+          # "no previews live in staging" path, not an error.
+          pr_numbers="$(find "$remote" -type f -name '*.json' \
+            -exec jq -r '.metadata.name // ""' {} \; \
+            | { grep -E '^pr[0-9]+-' || true; } \
+            | sed -E 's/^pr([0-9]+)-.*/\1/' \
+            | sort -u)"
+
+          if [[ -z "$pr_numbers" ]]; then
+            echo "no preview resources present — nothing to sweep"
+            echo "stale_prs=" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          echo "found previews for PR(s): $(echo "$pr_numbers" | tr '\n' ' ')"
+
+          # For each PR number, ask GitHub whether it's still open. Use
+          # `gh api` directly (rather than `gh pr view`) so we can
+          # distinguish a real 404 ("PR was deleted from the repo —
+          # safe to sweep") from any other failure ("transient API
+          # error / rate limit / auth glitch — DO NOT sweep, fail the
+          # step so a human can investigate"). Treating every nonzero
+          # exit as "PR doesn't exist → delete its preview" would let
+          # a GitHub outage wipe previews for legitimately open PRs.
+          stale=""
+          while IFS= read -r pr; do
+            [[ -n "$pr" ]] || continue
+            api_out="$(mktemp)"
+            api_err="$(mktemp)"
+            if gh api "repos/${REPO}/pulls/${pr}" \
+                 --jq '.state' \
+                 > "$api_out" 2> "$api_err"; then
+              state="$(cat "$api_out")"
+              rm -f "$api_out" "$api_err"
+              case "$state" in
+                open)
+                  echo "  PR #${pr}: open — keep"
+                  ;;
+                closed)
+                  echo "  PR #${pr}: closed — sweep"
+                  stale="${stale}${pr} "
+                  ;;
+                *)
+                  echo "::error::PR #${pr}: unexpected state '${state}' — aborting sweep"
+                  exit 1
+                  ;;
+              esac
+            else
+              # `gh api` writes the HTTP status in the error body for
+              # non-2xx responses. A 404 is the unambiguous "PR was
+              # deleted from the repo" signal; anything else (network,
+              # rate-limit, 5xx, 403) is indeterminate and we refuse
+              # to sweep on it.
+              err_body="$(cat "$api_err")"
+              rm -f "$api_out" "$api_err"
+              if grep -q 'HTTP 404' <<< "$err_body"; then
+                echo "  PR #${pr}: 404 — sweep (PR deleted from repo)"
+                stale="${stale}${pr} "
+              else
+                echo "::error::PR #${pr}: indeterminate gh-api failure — aborting sweep"
+                echo "::error::${err_body}"
+                exit 1
+              fi
+            fi
+          done <<< "$pr_numbers"
+
+          echo "stale_prs=${stale}" >> "$GITHUB_OUTPUT"
+
+      - name: Sweep
+        if: steps.identify.outputs.stale_prs != ''
+        working-directory: packages/observability
+        env:
+          STALE_PRS: ${{ steps.identify.outputs.stale_prs }}
+        run: |
+          set -eo pipefail
+          for pr in $STALE_PRS; do
+            echo "::group::Cleanup PR #${pr}"
+            ./scripts/cleanup-preview.sh --pr "$pr" --env staging
+            echo "::endgroup::"
+          done
+
+      - name: Summary
+        if: always()
+        env:
+          STALE_PRS: ${{ steps.identify.outputs.stale_prs }}
+        run: |
+          {
+            echo "## Preview sweep"
+            echo ""
+            if [[ -z "${STALE_PRS:-}" ]]; then
+              echo "No stale previews."
+            else
+              echo "Swept previews for PR(s): \`${STALE_PRS}\`"
+            fi
+          } >> "$GITHUB_STEP_SUMMARY"