feat: log out of Tessl CLI at job completion#13
Open
FauxFaux wants to merge 1 commit into
Open
Conversation
Add a best-effort `tessl logout` at job teardown so cached on-disk credentials (notably `~/.tessl/llm-key.json`) do not persist on self-hosted / persistent runners. Composite actions cannot declare a `post:` hook and their steps run at setup time, so the logout is implemented as a nested node20 JS action (`logout/`) whose `post.js` entry GitHub runs at job completion. The composite references it as a final step. The post step is dependency-free (Node built-ins only) and never fails the job: a missing binary or a non-zero logout is swallowed and logged. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds a best-effort
tessl logoutat job teardown for every workflow that usessetup-tessl, so cached Tessl credentials don't linger on the runner after a job completes.Why
CI jobs authenticate via
TESSL_TOKENand, when they runtessl agent, leave a cached LiteLLM API key at~/.tessl/llm-key.json(mode 0600).tessl logoutclears that key (plusremote-config.jsonand, if present,api-credentials.json). On ephemeral GitHub-hosted runners this is belt-and-braces; on self-hosted/persistent runners it's a real cleanup. Logout is idempotent and exits 0 when there's nothing to clear, so it's safe for token-only jobs too.How
setup-tesslis a composite action, which can't declare apost:hook directly. Instead this adds a tiny nested node20 action (logout/) whosepost:entry runstessl logout; the composite invokes it as its final step, and GitHub runs the nested action'spost:at job teardown. The helper is dependency-free (Node built-ins only — nopackage.json/build step) and never fails the job: it swallows a missing binary (ENOENT) or a non-zero logout and always exits 0.logout/action.yml— nested action (main: main.js,post: post.js)logout/main.js— no-op (requiredmainentry)logout/post.js— best-efforttessl logout, always exits 0action.yml— new final composite stepuses: ./logoutREADME.md— new## CleanupsectionScope note
This cleans Tessl's own on-disk credentials. It intentionally does not touch the
ghtoken store, the git credential helper,~/.gitconfigidentity, or the detached auto-refresh sidecar thattessl github setup-auth --auto-refreshleaves behind — those have no Tessl teardown and are out of scope here.Note for consumers
Consumers that pin
setup-tesslby SHA (e.g. tesslio/monorepo pins25ec223…) will need to bump the pin / move thev2tag to pick this up.🤖 Generated with Claude Code