ci: add weekly cleanup of expired e2e PATs

[ralphbean]

Summary

• Add hack/cleanup-pats script that uses Playwright to delete expired classic PATs from the botsend e2e test account
• Add .github/workflows/pat-cleanup.yml weekly cron (Sundays 4am UTC) + manual trigger
• Uses the existing E2E_GITHUB_SESSION secret to authenticate

The botsend account accumulates PATs from e2e runs that crash or time out before t.Cleanup runs. The script paginates from last page to first, deleting expired tokens via fetch+POST, and stops when it hits a page with no expired tokens.

Closes #1683

Test plan

• Ran locally against botsend account, confirmed deletion of expired PATs across multiple pages
• Trigger workflow manually from Actions tab to verify CI execution

🤖 Generated with Claude Code

[github-actions]

Site preview

Preview: https://eedaf891-site.fullsend-ai.workers.dev

Commit: e9955f26e49dc5531c2b6a087e0f2e686ca4149d

[fullsend-ai-review]

Review

Findings

Medium

• [protected-path] .github/workflows/pat-cleanup.yml — This PR adds a new workflow under .github/, which is a protected path requiring human approval. The PR links to e2e: clean up botsend PATs accumulating from test runs #1683 and explains the rationale (cleaning up expired e2e PATs from the botsend account). Human approval is always required for protected-path changes, regardless of context.

Low

• [correctness] .github/workflows/pat-cleanup.yml:34 — The workflow does not check whether the E2E_GITHUB_SESSION secret is available before attempting to base64-decode it in the "Decode session" step. The existing e2e.yml workflow has a secrets-check step that guards against missing secrets and provides a clear warning message. Since this workflow only triggers on schedule and workflow_dispatch (not fork PRs), the practical risk is minimal, but a missing or misconfigured secret would produce a confusing base64 -d error rather than a clear diagnostic.
  Remediation: Add a secrets-check step similar to e2e.yml that verifies E2E_GITHUB_SESSION_B64 is non-empty before proceeding.

Previous run

Review

Findings

Medium

• [protected-path] .github/workflows/pat-cleanup.yml — This PR adds a new GitHub Actions workflow under .github/, which is a protected path. The PR links to e2e: clean up botsend PATs accumulating from test runs #1683 and provides clear rationale (weekly cleanup of expired e2e PATs from the botsend account). Human approval is required for all changes to protected paths regardless of context.

Info

• [correctness] hack/cleanup-pats.go — The remaining-token count at the end is an estimate (assumes 10 tokens per full page). This is fine for a summary message but worth noting — the actual count could differ slightly if GitHub changes its pagination size.