feat: Add pre-cycle stale branch cleanup to security.sh (#930)

* refactor: Simplify security workflow to match discovery/refactor pattern

Move mode-detection logic from the GitHub Actions workflow into
security.sh where it belongs. The workflow now passes github.event_name
directly as the reason parameter (like discovery.yml and refactor.yml),
and security.sh uses `gh issue view` to check labels when reason=issues.

- Remove 25-line if/elif/else reason-mapping block from security.yml
- Remove workflow_dispatch mode input (server-side handles it)
- Add `if:` label guard for issues (safe-to-work + team-building/security)
- Add `labeled` to issue trigger types
- Set cancel-in-progress: false (prevents killing long review_all runs)
- Bump cron to */5
- Handle schedule/workflow_dispatch → review_all in security.sh
- Keep backwards compat for direct team_building/triage reasons

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: Add pre-cycle stale branch cleanup to security.sh

Clean up merged and stale security-related branches (team-building/*,
review-pr-*) and leftover worktrees before each cycle starts. Follows
the same pattern as qa-cycle.sh.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: Add pre-cycle stale branch cleanup to discovery.sh and refactor.sh

Each agent script now cleans up its own merged branches before starting:
- discovery.sh: add-*, impl-*, gap-filler-* branches
- refactor.sh: fix/*, refactor/*, test/*, ux/* branches
- (security.sh already added in prior commit)
- (qa-cycle.sh already had this)

Replaces the "branch pruning handled by security team" comments with
actual cleanup, following the qa-cycle.sh pattern.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Security Reviewer <security-reviewer@spawn.dev>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
L 2026-02-13 05:34:09 -08:00 committed by GitHub
parent f69f95c7c7
commit 890b99dbfd
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 65 additions and 7 deletions


@ -517,15 +517,32 @@ run_team_cycle() {
git fetch --prune origin 2>/dev/null || true
git pull --rebase origin main 2>/dev/null || true
# --- Pre-cycle cleanup: stale worktrees ---
log_info "Pre-cycle cleanup: stale worktrees..."
# --- Pre-cycle cleanup: stale worktrees and branches ---
log_info "Pre-cycle cleanup..."
git worktree prune 2>/dev/null || true
if [[ -d "${WORKTREE_BASE}" ]]; then
rm -rf "${WORKTREE_BASE}" 2>/dev/null || true
log_info "Removed stale ${WORKTREE_BASE} directory"
fi
# Note: branch pruning and PR management is handled by the security team
# Delete merged discovery-related remote branches
# Discovery agents create branches like: add-*, impl-*, gap-filler-*, {cloud}-{agent}
MERGED_BRANCHES=$(git branch -r --merged origin/main | grep -v 'origin/main\|origin/HEAD' | grep -E 'origin/(add-|impl-|gap-filler-)' | sed 's|origin/||' | tr -d ' ') || true
for branch in $MERGED_BRANCHES; do
if [[ -n "$branch" ]]; then
git push origin --delete "$branch" 2>&1 && log_info "Deleted merged branch: $branch" || true
fi
done
# Delete stale local discovery-related branches
LOCAL_BRANCHES=$(git branch --list 'add-*' --list 'impl-*' --list 'gap-filler-*' | tr -d ' *') || true
for branch in $LOCAL_BRANCHES; do
if [[ -n "$branch" ]]; then
git branch -D "$branch" 2>/dev/null || true
fi
done
log_info "Pre-cycle cleanup done."
# Set up worktree directory for parallel agent work
mkdir -p "${WORKTREE_BASE}"
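Review bot: the merged-branch test on the `MERGED_BRANCHES=` line reaches both too far and not far enough. `git branch -r --merged origin/main` lists every remote branch whose tip is an ancestor of origin/main, so an `add-*`, `impl-*` or `gap-filler-*` branch that a concurrent agent has just pushed from main's tip (no commits of its own yet) is reported as merged and removed by `git push origin --delete`, while a branch whose PR was squash-merged is never an ancestor of main and is never cleaned up. Consider skipping branches whose tip equals `git rev-parse origin/main`, or deciding "merged" from PR state (`gh pr list --state merged`) rather than from ancestry. The local loop has a similar reach: `git branch -D` force-deletes every `add-*`/`impl-*`/`gap-filler-*` branch whether merged or not, so unpushed local work under those prefixes is lost at cycle start; if that is intended, say so in the comment, otherwise use `git branch -d` so unmerged branches survive.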


@ -86,14 +86,30 @@ if [[ "${RUN_MODE}" == "refactor" ]]; then
# Reset main checkout to origin/main
git reset --hard origin/main 2>&1 | tee -a "${LOG_FILE}" || true
log "Pre-cycle cleanup: stale worktrees..."
log "Pre-cycle cleanup: stale worktrees and branches..."
git worktree prune 2>&1 | tee -a "${LOG_FILE}" || true
if [[ -d "${WORKTREE_BASE}" ]]; then
rm -rf "${WORKTREE_BASE}" 2>&1 | tee -a "${LOG_FILE}" || true
log "Removed stale ${WORKTREE_BASE} directory"
fi
# Note: branch pruning and PR management is handled by the security team
# Delete merged refactor-related remote branches (fix/*, refactor/*, test/*, ux/*)
MERGED_BRANCHES=$(git branch -r --merged origin/main | grep -v 'origin/main\|origin/HEAD' | grep -E 'origin/(fix/|refactor/|test/|ux/)' | sed 's|origin/||' | tr -d ' ') || true
for branch in $MERGED_BRANCHES; do
if [[ -n "$branch" ]]; then
git push origin --delete "$branch" 2>&1 | tee -a "${LOG_FILE}" && log "Deleted merged branch: $branch" || true
fi
done
# Delete stale local refactor-related branches
LOCAL_BRANCHES=$(git branch --list 'fix/*' --list 'refactor/*' --list 'test/*' --list 'ux/*' | tr -d ' *') || true
for branch in $LOCAL_BRANCHES; do
if [[ -n "$branch" ]]; then
git branch -D "$branch" 2>&1 | tee -a "${LOG_FILE}" || true
fi
done
log "Pre-cycle cleanup done."
fi
# Launch Claude Code with mode-specific prompt
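Review bot: the success message on the `git push origin --delete` line is logged whether or not the delete worked. In `git push origin --delete "$branch" 2>&1 | tee -a "${LOG_FILE}" && log "Deleted merged branch: $branch" || true` the `&&` tests the exit status of `tee`, not of `git push`, so unless the script runs with `set -o pipefail` a failed delete (protected branch, missing permission, branch already gone) is still recorded as deleted and the trailing `|| true` hides the real status. Either enable `pipefail` around this block or check `${PIPESTATUS[0]}` after the pipeline before logging. The `test/*` pattern in the `MERGED_BRANCHES` grep and the `LOCAL_BRANCHES` list is also broad enough to catch branches that are not refactor-agent output; if anything else pushes `test/...` branches to this repo, narrow it to the prefix the agent actually generates.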


@ -115,10 +115,35 @@ if [[ "${RUN_MODE}" == "team_building" ]] || [[ "${RUN_MODE}" == "triage" ]]; th
log "Issue: #${ISSUE_NUM}"
fi
# Fetch latest refs (read-only, safe for concurrent runs)
log "Fetching latest refs..."
# Pre-cycle cleanup (stale branches, worktrees from prior runs)
log "Pre-cycle cleanup..."
git fetch --prune origin 2>&1 | tee -a "${LOG_FILE}" || true
# Clean stale worktrees
git worktree prune 2>&1 | tee -a "${LOG_FILE}" || true
if [[ -d "${WORKTREE_BASE}" ]]; then
rm -rf "${WORKTREE_BASE}" 2>&1 | tee -a "${LOG_FILE}" || true
log "Removed stale ${WORKTREE_BASE} directory"
fi
# Delete merged security-related remote branches (team-building/*, review-pr-*)
MERGED_BRANCHES=$(git branch -r --merged origin/main | grep -E 'origin/(team-building/|review-pr-)' | sed 's|origin/||' | tr -d ' ') || true
for branch in $MERGED_BRANCHES; do
if [[ -n "$branch" ]]; then
git push origin --delete "$branch" 2>&1 | tee -a "${LOG_FILE}" && log "Deleted merged branch: $branch" || true
fi
done
# Delete stale local security-related branches
LOCAL_BRANCHES=$(git branch --list 'team-building/*' --list 'review-pr-*' | tr -d ' *') || true
for branch in $LOCAL_BRANCHES; do
if [[ -n "$branch" ]]; then
git branch -D "$branch" 2>&1 | tee -a "${LOG_FILE}" || true
fi
done
log "Pre-cycle cleanup done."
# Launch Claude Code with mode-specific prompt
log "Launching ${RUN_MODE} cycle..."
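Review bot: this block replaces a step the removed comment described as "read-only, safe for concurrent runs" with destructive operations, while the same change sets `cancel-in-progress: false` so long `review_all` runs are no longer killed and bumps the cron to every 5 minutes. Two overlapping security runs will therefore have the later one `rm -rf "${WORKTREE_BASE}"` and `git branch -D` the `team-building/*` and `review-pr-*` branches the earlier one is still working in. Guard the cleanup with a lock (for example `flock -n` on a file next to `${LOG_FILE}`, skipping cleanup when the lock is already held), or only remove worktrees whose branch is already merged, and state the new concurrency assumption in the comment that replaced the old one. As in the other two scripts, `git push origin --delete ... 2>&1 | tee -a "${LOG_FILE}" && log "Deleted merged branch: $branch"` logs success based on `tee`'s exit status, so the message is not trustworthy without `pipefail` or a `${PIPESTATUS[0]}` check.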