molecule-core

History

rabbitblood 3c18b76aa7 ops(cf): hourly sweep workflow for orphan Cloudflare DNS records (#239 ) Closes Molecule-AI/molecule-controlplane#239. CF zone hit the 200-record quota 2026-04-23+ — every E2E and canary left a record on moleculesai.app, and no scheduled job pruned them. Provisions started failing with code 81045 ('Record quota exceeded'). The sweep-cf-orphans.sh script (PR #1978, with decision-function unit tests added in #2079) already exists but no workflow fires it. Adding it here as a parallel janitor to sweep-stale-e2e-orgs.yml: - hourly schedule at :15 (offset from the e2e-orgs sweep at :00 so the two converge cleanly without racing the same CP admin endpoint) - workflow_dispatch with dry_run input default true (ad-hoc verify without committing to deletes) - workflow_dispatch with max_delete_pct input for major cleanups (the script's own MAX_DELETE_PCT defaults to 50% as a safety gate) - concurrency group prevents schedule + manual-dispatch from racing the same zone Why a separate workflow vs sweep-stale-e2e-orgs.yml: - That workflow drives DELETE /cp/admin/tenants/:slug, assumes CP has the org row. Doesn't catch records left when CP itself never knew about the tenant (canary scratch, manual ops experiments) or when the CP-side cascade's CF-delete branch failed. - sweep-cf-orphans.sh enumerates the CF zone directly + matches against live CP slugs + AWS EC2 names. Catches what the CP-driven sweep can't. Required secrets (will need to be set on the repo): CF_API_TOKEN, CF_ZONE_ID, CP_PROD_ADMIN_TOKEN, CP_STAGING_ADMIN_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY. Pre-flight verify-secrets step fails loud if any are missing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-26 04:16:43 -07:00
..
workflows	ops(cf): hourly sweep workflow for orphan Cloudflare DNS records (#239 )	2026-04-26 04:16:43 -07:00

rabbitblood 3c18b76aa7 ops(cf): hourly sweep workflow for orphan Cloudflare DNS records (#239 )

Closes Molecule-AI/molecule-controlplane#239.

CF zone hit the 200-record quota 2026-04-23+ — every E2E and canary
left a record on moleculesai.app, and no scheduled job pruned them.
Provisions started failing with code 81045 ('Record quota exceeded').

The sweep-cf-orphans.sh script (PR #1978, with decision-function
unit tests added in #2079) already exists but no workflow fires it.
Adding it here as a parallel janitor to sweep-stale-e2e-orgs.yml:

- hourly schedule at :15 (offset from the e2e-orgs sweep at :00 so
  the two converge cleanly without racing the same CP admin endpoint)
- workflow_dispatch with dry_run input default true (ad-hoc verify
  without committing to deletes)
- workflow_dispatch with max_delete_pct input for major cleanups
  (the script's own MAX_DELETE_PCT defaults to 50% as a safety gate)
- concurrency group prevents schedule + manual-dispatch from racing
  the same zone

Why a separate workflow vs sweep-stale-e2e-orgs.yml:
- That workflow drives DELETE /cp/admin/tenants/:slug, assumes CP
  has the org row. Doesn't catch records left when CP itself never
  knew about the tenant (canary scratch, manual ops experiments)
  or when the CP-side cascade's CF-delete branch failed.
- sweep-cf-orphans.sh enumerates the CF zone directly + matches
  against live CP slugs + AWS EC2 names. Catches what the CP-driven
  sweep can't.

Required secrets (will need to be set on the repo): CF_API_TOKEN,
CF_ZONE_ID, CP_PROD_ADMIN_TOKEN, CP_STAGING_ADMIN_TOKEN,
AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY. Pre-flight verify-secrets
step fails loud if any are missing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-26 04:16:43 -07:00

workflows

ops(cf): hourly sweep workflow for orphan Cloudflare DNS records (#239 )

2026-04-26 04:16:43 -07:00