140 lines
4.0 KiB
YAML
140 lines
4.0 KiB
YAML
name: Scheduled Repository Cleanup Check
|
|
|
|
on:
|
|
schedule:
|
|
- cron: "43 3 * * 1"
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
cleanup-check:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Check ignored and untracked generated files
|
|
shell: bash
|
|
run: |
|
|
echo "Ignored files that would be skipped by git:"
|
|
git status --ignored --short || true
|
|
|
|
echo
|
|
echo "Tracked generated files check:"
|
|
generated_patterns=(
|
|
'(^|/)node_modules/'
|
|
'(^|/)dist/'
|
|
'(^|/)build/'
|
|
'(^|/)out/'
|
|
'(^|/)release/'
|
|
'(^|/)target/'
|
|
'(^|/)coverage/'
|
|
'\.log$'
|
|
'\.tmp$'
|
|
'\.temp$'
|
|
)
|
|
|
|
found=0
|
|
tracked_files="$(git ls-files)"
|
|
for pattern in "${generated_patterns[@]}"; do
|
|
if echo "$tracked_files" | grep -Ei "$pattern"; then
|
|
found=1
|
|
fi
|
|
done
|
|
|
|
if [ "$found" -eq 1 ]; then
|
|
echo "Generated files appear to be tracked. Review .gitignore and remove generated outputs from version control if appropriate."
|
|
exit 1
|
|
fi
|
|
|
|
- name: Check large tracked files
|
|
shell: bash
|
|
run: |
|
|
limit_bytes="${LARGE_FILE_LIMIT_BYTES:-5242880}"
|
|
found=0
|
|
|
|
while IFS= read -r file; do
|
|
[ -f "$file" ] || continue
|
|
size="$(wc -c < "$file")"
|
|
if [ "$size" -gt "$limit_bytes" ]; then
|
|
echo "${file} is ${size} bytes, above limit ${limit_bytes}."
|
|
found=1
|
|
fi
|
|
done < <(git ls-files)
|
|
|
|
if [ "$found" -eq 1 ]; then
|
|
echo "Large tracked files found. Move release artifacts to packages/releases or document why they belong in git."
|
|
exit 1
|
|
fi
|
|
|
|
- name: Check local config and secret-prone files
|
|
shell: bash
|
|
run: |
|
|
found=0
|
|
|
|
risky_patterns=(
|
|
'^\.env$'
|
|
'^\.env\.'
|
|
'\.pfx$'
|
|
'\.p12$'
|
|
'\.pem$'
|
|
'\.key$'
|
|
'\.token$'
|
|
'(^|/)secrets/'
|
|
)
|
|
|
|
tracked_files="$(git ls-files)"
|
|
for pattern in "${risky_patterns[@]}"; do
|
|
if echo "$tracked_files" | grep -Ei "$pattern" | grep -vE '^\.env\.example$'; then
|
|
found=1
|
|
fi
|
|
done
|
|
|
|
if [ "$found" -eq 1 ]; then
|
|
echo "Secret-prone local config files are tracked. Review immediately."
|
|
exit 1
|
|
fi
|
|
|
|
- name: Check stale branches
|
|
shell: bash
|
|
run: |
|
|
git fetch --all --prune
|
|
|
|
protected='^(main|master|develop|dev|release|staging|production)$'
|
|
cutoff="$(date -u -d '90 days ago' +%s)"
|
|
found=0
|
|
|
|
while IFS='|' read -r branch timestamp; do
|
|
branch="${branch#origin/}"
|
|
[ "$branch" = "HEAD" ] && continue
|
|
echo "$branch" | grep -Eq "$protected" && continue
|
|
|
|
if [ "$timestamp" -lt "$cutoff" ]; then
|
|
echo "Stale remote branch candidate: ${branch}"
|
|
found=1
|
|
fi
|
|
done < <(git for-each-ref refs/remotes/origin --format='%(refname:short)|%(committerdate:unix)')
|
|
|
|
if [ "$found" -eq 1 ]; then
|
|
echo "Stale branch candidates found. Review manually before deleting anything."
|
|
exit 1
|
|
fi
|
|
|
|
- name: Cleanup guidance
|
|
shell: bash
|
|
run: |
|
|
cat <<'EOF'
|
|
Repository cleanup check completed.
|
|
|
|
This workflow reports cleanup candidates. It does not delete branches,
|
|
packages, releases, or files automatically.
|
|
|
|
Recommended manual follow-up:
|
|
- remove generated files from git,
|
|
- update .gitignore,
|
|
- move large artifacts to releases or package registry,
|
|
- review stale branches,
|
|
- document intentional exceptions.
|
|
EOF
|