Skip to content

feat: log out of Tessl CLI at job completion#13

Open
FauxFaux wants to merge 1 commit into
mainfrom
feat/logout-at-job-completion
Open

feat: log out of Tessl CLI at job completion#13
FauxFaux wants to merge 1 commit into
mainfrom
feat/logout-at-job-completion

Conversation

@FauxFaux

Copy link
Copy Markdown

What

Adds a best-effort tessl logout at job teardown for every workflow that uses setup-tessl, so cached Tessl credentials don't linger on the runner after a job completes.

Why

CI jobs authenticate via TESSL_TOKEN and, when they run tessl agent, leave a cached LiteLLM API key at ~/.tessl/llm-key.json (mode 0600). tessl logout clears that key (plus remote-config.json and, if present, api-credentials.json). On ephemeral GitHub-hosted runners this is belt-and-braces; on self-hosted/persistent runners it's a real cleanup. Logout is idempotent and exits 0 when there's nothing to clear, so it's safe for token-only jobs too.

How

setup-tessl is a composite action, which can't declare a post: hook directly. Instead this adds a tiny nested node20 action (logout/) whose post: entry runs tessl logout; the composite invokes it as its final step, and GitHub runs the nested action's post: at job teardown. The helper is dependency-free (Node built-ins only — no package.json/build step) and never fails the job: it swallows a missing binary (ENOENT) or a non-zero logout and always exits 0.

  • logout/action.yml — nested action (main: main.js, post: post.js)
  • logout/main.js — no-op (required main entry)
  • logout/post.js — best-effort tessl logout, always exits 0
  • action.yml — new final composite step uses: ./logout
  • README.md — new ## Cleanup section

Scope note

This cleans Tessl's own on-disk credentials. It intentionally does not touch the gh token store, the git credential helper, ~/.gitconfig identity, or the detached auto-refresh sidecar that tessl github setup-auth --auto-refresh leaves behind — those have no Tessl teardown and are out of scope here.

Note for consumers

Consumers that pin setup-tessl by SHA (e.g. tesslio/monorepo pins 25ec223…) will need to bump the pin / move the v2 tag to pick this up.

🤖 Generated with Claude Code

Add a best-effort `tessl logout` at job teardown so cached on-disk
credentials (notably `~/.tessl/llm-key.json`) do not persist on
self-hosted / persistent runners.

Composite actions cannot declare a `post:` hook and their steps run at
setup time, so the logout is implemented as a nested node20 JS action
(`logout/`) whose `post.js` entry GitHub runs at job completion. The
composite references it as a final step. The post step is dependency-free
(Node built-ins only) and never fails the job: a missing binary or a
non-zero logout is swallowed and logged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant