From 17dc11364806f1b3960d750e3e289423d1a4facf Mon Sep 17 00:00:00 2001
From: Suhong Qin <suhongq@google.com>
Date: Thu, 7 Sep 2023 10:44:24 -0700
Subject: [PATCH] feat: delete the branch once cleanup is completed

---
 .github/workflows/cleanup.yml | 16 +++++++++++++++-
 .github/workflows/note.yml    |  6 ++++--
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml
index f0fab39..99e449c 100644
--- a/.github/workflows/cleanup.yml
+++ b/.github/workflows/cleanup.yml
@@ -77,7 +77,8 @@ jobs:
     if: '${{ needs.review_status.outputs.REVIEW_DECISION == ''APPROVED'' }}'
     runs-on: 'ubuntu-latest'
     permissions:
-      contents: 'read'
+      # Required for closing a branch, see ref: https://docs.github.com/en/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-contents
+      contents: 'write'
       id-token: 'write'
       pull-requests: 'write'
     name: 'Handle AOD Request Cleanup'
@@ -282,3 +283,16 @@ jobs:
               issue_number: ${{ github.event.pull_request.number }},
               body: `**\`Access on Demand\`** - 🟦 **\`IAM\`** request not found, skip cleanup.`,
             });
+      - name: 'Delete Branch'
+        # Only delete branch when cleanups are skipped or successfully handled.
+        if: '${{ always() && steps.cleanup_iam.outcome != ''failure'' && steps.cleanup_tool.outcome != ''failure'' }}'
+        uses: 'actions/github-script@98814c53be79b1d30f795b907e553d8679345975' # ratchet:actions/github-script@v6
+        with:
+          github-token: '${{ github.token }}'
+          retries: '3'
+          script: |+
+            await github.rest.git.deleteRef({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref: `heads/${{ github.event.pull_request.head.ref }}`,
+            });
diff --git a/.github/workflows/note.yml b/.github/workflows/note.yml
index 4942e33..fc40046 100644
--- a/.github/workflows/note.yml
+++ b/.github/workflows/note.yml
@@ -33,8 +33,10 @@ env:
     ⛔️ <strong>This is an AOD request, and merging is NOT allowed.</strong>
     The request will be automatically applied once the code owners approve it.
     Please close the PR once you are finished or it will automatically be closed
-    after ~${{ inputs.expiry_hours }} hours of it's last update. For more
-    instructions, please see [here](${{ inputs.aod_instruction_link }}).
+    after ~${{ inputs.expiry_hours }} hours of it's last update. Please
+    <strong>DO NOT</strong> delete the branch manually, the branch will be
+    automatically deleted once PR is closed. For more instructions, please see
+    [here](${{ inputs.aod_instruction_link }}).
 
 jobs:
   note: