Add scheduled repository cleanup workflow

files/AGENTS.md

@@ -21,6 +21,8 @@ PROJECT_NAME: PROJECT_DESCRIPTION
 - When the project uses `blueprint.md` and `blueprint.json` for README generation, keep the rainbow `{{ template:section-line }}` divider between major README sections. Do not replace it with plain `---` unless the target renderer cannot display inline images.
 - If README blueprint files are changed, regenerate or update `README.md` in the same change and verify the generated output renders reasonably.
 - For releasable projects, add or preserve `.gitea/workflows/security-scan.yml` using `files/security-scan-gitea.yml` unless the repository already has equivalent scheduled security automation.
+- For active projects, add or preserve `.gitea/workflows/repo-cleanup.yml` using `files/repo-cleanup-gitea.yml` unless the repository already has equivalent cleanup checks.
+- Repository cleanup automation must be non-destructive. Do not delete branches, packages, releases, or tracked files without explicit user approval.
 
 ## Commands
 
@@ -56,6 +58,7 @@ ARTIFACT_NAME
 - Review `docs/security-review.md` before release work.
 - Fill `docs/security-review.md` with actual checked commands and results when performing release-readiness work.
 - Review scheduled security workflow failures before changing code. Treat matches as leads: they may be true positives, documentation examples, or test fixtures.
+- Review repository cleanup workflow failures as maintenance leads. Document intentional exceptions instead of blindly deleting files.
 - Treat generated credentials and config files as sensitive.
 - Keep external network calls documented.
 - Prefer local processing for user data.

files/repo-cleanup-gitea.yml

@@ -0,0 +1,139 @@
+name: Scheduled Repository Cleanup Check
+
+on:
+  schedule:
+    - cron: "43 3 * * 1"
+  workflow_dispatch:
+
+jobs:
+  cleanup-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check ignored and untracked generated files
+        shell: bash
+        run: |
+          echo "Ignored files that would be skipped by git:"
+          git status --ignored --short || true
+
+          echo
+          echo "Tracked generated files check:"
+          generated_patterns=(
+            '(^|/)node_modules/'
+            '(^|/)dist/'
+            '(^|/)build/'
+            '(^|/)out/'
+            '(^|/)release/'
+            '(^|/)target/'
+            '(^|/)coverage/'
+            '\.log$'
+            '\.tmp$'
+            '\.temp$'
+          )
+
+          found=0
+          tracked_files="$(git ls-files)"
+          for pattern in "${generated_patterns[@]}"; do
+            if echo "$tracked_files" | grep -Ei "$pattern"; then
+              found=1
+            fi
+          done
+
+          if [ "$found" -eq 1 ]; then
+            echo "Generated files appear to be tracked. Review .gitignore and remove generated outputs from version control if appropriate."
+            exit 1
+          fi
+
+      - name: Check large tracked files
+        shell: bash
+        run: |
+          limit_bytes="${LARGE_FILE_LIMIT_BYTES:-5242880}"
+          found=0
+
+          while IFS= read -r file; do
+            [ -f "$file" ] || continue
+            size="$(wc -c < "$file")"
+            if [ "$size" -gt "$limit_bytes" ]; then
+              echo "${file} is ${size} bytes, above limit ${limit_bytes}."
+              found=1
+            fi
+          done < <(git ls-files)
+
+          if [ "$found" -eq 1 ]; then
+            echo "Large tracked files found. Move release artifacts to packages/releases or document why they belong in git."
+            exit 1
+          fi
+
+      - name: Check local config and secret-prone files
+        shell: bash
+        run: |
+          found=0
+
+          risky_patterns=(
+            '^\.env$'
+            '^\.env\.'
+            '\.pfx$'
+            '\.p12$'
+            '\.pem$'
+            '\.key$'
+            '\.token$'
+            '(^|/)secrets/'
+          )
+
+          tracked_files="$(git ls-files)"
+          for pattern in "${risky_patterns[@]}"; do
+            if echo "$tracked_files" | grep -Ei "$pattern" | grep -vE '^\.env\.example$'; then
+              found=1
+            fi
+          done
+
+          if [ "$found" -eq 1 ]; then
+            echo "Secret-prone local config files are tracked. Review immediately."
+            exit 1
+          fi
+
+      - name: Check stale branches
+        shell: bash
+        run: |
+          git fetch --all --prune
+
+          protected='^(main|master|develop|dev|release|staging|production)$'
+          cutoff="$(date -u -d '90 days ago' +%s)"
+          found=0
+
+          while IFS='|' read -r branch timestamp; do
+            branch="${branch#origin/}"
+            [ "$branch" = "HEAD" ] && continue
+            echo "$branch" | grep -Eq "$protected" && continue
+
+            if [ "$timestamp" -lt "$cutoff" ]; then
+              echo "Stale remote branch candidate: ${branch}"
+              found=1
+            fi
+          done < <(git for-each-ref refs/remotes/origin --format='%(refname:short)|%(committerdate:unix)')
+
+          if [ "$found" -eq 1 ]; then
+            echo "Stale branch candidates found. Review manually before deleting anything."
+            exit 1
+          fi
+
+      - name: Cleanup guidance
+        shell: bash
+        run: |
+          cat <<'EOF'
+          Repository cleanup check completed.
+
+          This workflow reports cleanup candidates. It does not delete branches,
+          packages, releases, or files automatically.
+
+          Recommended manual follow-up:
+          - remove generated files from git,
+          - update .gitignore,
+          - move large artifacts to releases or package registry,
+          - review stale branches,
+          - document intentional exceptions.
+          EOF