fix(ci): preview cleanup no longer fails on GitHub environment delete #71
Merged
kentcdodds merged 2 commits into main on Apr 12, 2026
The cleanup job calls DELETE /repos/.../environments/... which returns 403 for the default GITHUB_TOKEN. PR #70 removed invalid workflow permission environments: write, which did not fix token scope anyway. Catch 403 so PR-close cleanup succeeds after Cloudflare teardown. Use optional secret PREVIEW_ENV_CLEANUP_TOKEN when a repo wants automatic environment removal, and document it in the setup guide. Co-authored-by: Kent C. Dodds <me+github@kentcdodds.com>
🔎 Preview deployed: https://epicflare-pr-71.kentcdodds.workers.dev Worker: Mocks:
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Misleading 403 warning when custom PAT is used
- Updated the 403 warning to describe missing permissions for the current token and distinguish between default token usage and PAT scope issues.
Preview (95db2843fb)
diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml
--- a/.github/workflows/preview.yml
+++ b/.github/workflows/preview.yml
@@ -561,6 +561,10 @@
INPUT_TARGET: ${{ inputs.target }}
INPUT_PR_NUMBER: ${{ inputs.pr_number }}
with:
+ # The default GITHUB_TOKEN cannot delete deployment environments (403).
+ # Optional: set repo secret PREVIEW_ENV_CLEANUP_TOKEN to a PAT with repo
+ # scope (classic) or Administration: write (fine-grained) for this repo.
+ github-token: ${{ secrets.PREVIEW_ENV_CLEANUP_TOKEN || github.token }}
script: |
const eventName = process.env.EVENT_NAME;
let envName;
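Review bot: the `github-token:` line hands the PAT, when the secret is set, to the whole script, so whatever else this script calls also runs with repository-administration rights rather than only the environment delete. Consider moving the delete into its own `actions/github-script` step that takes `PREVIEW_ENV_CLEANUP_TOKEN` and leaving the rest of the cleanup on `github.token`. The comment above it also says "Administration: write" while the 403 warning and docs/agents/setup.md say read and write; use one wording in all three places.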
@@ -606,6 +610,14 @@
core.info(
`GitHub environment not found (already deleted): ${envName}`,
);
+ } else if (e.status === 403) {
+ core.warning(
+ [
+ `Cannot delete GitHub environment "${envName}" with the current token (403).`,
+ "The current token may not have permission to delete environments.",
+ "If you're using the default workflow token, add repository secret PREVIEW_ENV_CLEANUP_TOKEN (PAT: classic `repo`, or fine-grained with Administration read/write on this repository). If you're already using a PAT, ensure it has the required permissions.",
+ ].join(" "),
+ );
} else {
throw e;
}
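Review bot: the `e.status === 403` branch downgrades every 403 to a warning, but GitHub also answers 403 for rate limiting, and the warning text never includes `e.message`, so the log cannot show which case occurred. Append `e.message` to the warning. Also consider passing a flag through `env` that says whether `PREVIEW_ENV_CLEANUP_TOKEN` is set and rethrowing in that case, since a 403 with a PAT in place means the token is mis-scoped and the environment will be left behind while the job still reports success.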
diff --git a/docs/agents/setup.md b/docs/agents/setup.md
--- a/docs/agents/setup.md
+++ b/docs/agents/setup.md
@@ -121,6 +121,16 @@
When a PR is closed, the cleanup job deletes the preview Worker(s) and these
resources as well.
+The same cleanup job removes the matching GitHub deployment environment
+(`preview-<pr>`). GitHub’s default `GITHUB_TOKEN` cannot call the delete
+environment API (you would see HTTP 403). That step is non-fatal: the workflow
+still succeeds and Cloudflare resources are still removed. To delete the GitHub
+environment automatically, add an Actions secret named
+`PREVIEW_ENV_CLEANUP_TOKEN` whose value is a personal access token with
+permission to administer this repository (for example a classic PAT with the
+`repo` scope, or a fine-grained PAT with **Administration** read and write on
+this repo only).
+
Cloudflare Workers supports version `preview_urls`, but those preview URLs are
not currently available for Workers that use Durable Objects. The main app
Worker binds `MCP_OBJECT`, so app previews continue to use per-PR Worker names.
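Review bot: the added paragraph lists the classic PAT with `repo` scope first, and that scope covers every repository the token owner can access, not just this one. Put the fine-grained PAT limited to this repo first as the recommended option and mention the classic token only as a fallback. It would also help to say that without the secret the `preview-<pr>` environments stay in the repository and need manual removal.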
Reviewed by Cursor Bugbot for commit 392c571.
Co-authored-by: Kent C. Dodds <me+github@kentcdodds.com>

Summary
Run 24308663446 failed on Cleanup Preview Resources with HttpError: Resource not accessible by integration at the Delete GitHub preview environment step.

Root cause
- DELETE /repos/{owner}/{repo}/environments/{environment_name}.
- GITHUB_TOKEN is not allowed to delete deployment environments (GitHub returns 403 for this API).
- environments: write from workflow permissions because that key is invalid for workflow YAML validation — but that permission was never a real fix for this API limitation anyway.

So the failure is not transient; it will recur on every PR close until the step stops throwing on 403.

Changes
- PREVIEW_ENV_CLEANUP_TOKEN (PAT with repo admin for this repository) passed to actions/github-script as github-token when maintainers want automatic GitHub environment removal.
- docs/agents/setup.md.

Verification
- bun run lint and bun run typecheck pass.
- bun run validate still fails on prettier --check for several pre-existing files in the workspace (unchanged by this PR); formatted only the touched docs file.