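---
# Weekly, report-only repository hygiene check.
# It flags tracked generated files, oversized tracked files, secret-prone
# filenames and stale remote branches. Nothing is deleted or modified.
name: Scheduled Repository Cleanup Check

on:
  schedule:
    # Mondays at 03:43 UTC.
    - cron: "43 3 * * 1"
  workflow_dispatch:

# Least privilege: every step only reads the repository, so the job token is
# restricted to read access instead of inheriting the repository default.
permissions:
  contents: read

jobs:
  cleanup-check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # Consider pinning to a full commit SHA instead of a mutable tag
        # (placeholder: actions/checkout@<full-commit-sha>).
        uses: actions/checkout@v4
        with:
          # Full history and all branches; the stale-branch step needs them.
          # The default persisted token is kept because a later step runs
          # `git fetch`; it is read-only because of `permissions` above.
          fetch-depth: 0

      - name: Check ignored and untracked generated files
        shell: bash
        run: |
          echo "Ignored files that would be skipped by git:"
          git status --ignored --short || true

          echo
          echo "Tracked generated files check:"
          generated_patterns=(
            '(^|/)node_modules/'
            '(^|/)dist/'
            '(^|/)build/'
            '(^|/)out/'
            '(^|/)release/'
            '(^|/)target/'
            '(^|/)coverage/'
            '\.log$'
            '\.tmp$'
            '\.temp$'
          )

          found=0
          # core.quotePath=false keeps non-ASCII paths unquoted so that the
          # end-anchored patterns (e.g. '\.log$') still match them.
          tracked_files="$(git -c core.quotePath=false ls-files)"

          for pattern in "${generated_patterns[@]}"; do
            # grep prints every matching path, which doubles as the report.
            if echo "$tracked_files" | grep -Ei "$pattern"; then
              found=1
            fi
          done

          if [ "$found" -eq 1 ]; then
            echo "Generated files appear to be tracked. Review .gitignore and remove generated outputs from version control if appropriate."
            exit 1
          fi

      - name: Check large tracked files
        # Run even when an earlier check failed, so one finding does not
        # hide the others.
        if: ${{ !cancelled() }}
        shell: bash
        run: |
          # Limit comes from LARGE_FILE_LIMIT_BYTES when the environment
          # defines it; this workflow does not set it, so the default of
          # 5242880 bytes (5 MiB) applies.
          limit_bytes="${LARGE_FILE_LIMIT_BYTES:-5242880}"
          found=0

          # NUL-delimited listing: paths with non-ASCII or special characters
          # are otherwise quoted by git and silently skipped by the -f test.
          while IFS= read -r -d '' file; do
            [ -f "$file" ] || continue
            size="$(wc -c < "$file")"
            if [ "$size" -gt "$limit_bytes" ]; then
              echo "${file} is ${size} bytes, above limit ${limit_bytes}."
              found=1
            fi
          done < <(git ls-files -z)

          if [ "$found" -eq 1 ]; then
            echo "Large tracked files found. Move release artifacts to packages/releases or document why they belong in git."
            exit 1
          fi

      - name: Check local config and secret-prone files
        # Must not be masked by an earlier failing check.
        if: ${{ !cancelled() }}
        shell: bash
        run: |
          # Filename heuristic only: file contents are not scanned, so a
          # clean result does not prove that no secret is committed.
          found=0
          risky_patterns=(
            # (^|/) also catches .env files in subdirectories, not only at
            # the repository root.
            '(^|/)\.env$'
            '(^|/)\.env\.'
            '\.pfx$'
            '\.p12$'
            '\.pem$'
            '\.key$'
            '\.token$'
            '(^|/)secrets/'
          )

          tracked_files="$(git -c core.quotePath=false ls-files)"

          for pattern in "${risky_patterns[@]}"; do
            # .env.example templates are allowed at any depth.
            if echo "$tracked_files" | grep -Ei "$pattern" | grep -vE '(^|/)\.env\.example$'; then
              found=1
            fi
          done

          if [ "$found" -eq 1 ]; then
            echo "Secret-prone local config files are tracked. Review immediately."
            exit 1
          fi

      - name: Check stale branches
        if: ${{ !cancelled() }}
        shell: bash
        run: |
          git fetch --all --prune

          # Long-lived branches that are never reported as stale.
          protected='^(main|master|develop|dev|release|staging|production)$'
          cutoff="$(date -u -d '90 days ago' +%s)"
          found=0

          # lstrip=3 drops "refs/remotes/origin/", so the symbolic ref is
          # always "HEAD" (refname:short may abbreviate it to "origin").
          # The timestamp comes first so a "|" in a branch name cannot
          # corrupt the numeric field.
          while IFS='|' read -r timestamp branch; do
            [ "$branch" = "HEAD" ] && continue
            echo "$branch" | grep -Eq "$protected" && continue

            if [ "$timestamp" -lt "$cutoff" ]; then
              echo "Stale remote branch candidate: ${branch}"
              found=1
            fi
          done < <(git for-each-ref refs/remotes/origin --format='%(committerdate:unix)|%(refname:lstrip=3)')

          if [ "$found" -eq 1 ]; then
            echo "Stale branch candidates found. Review manually before deleting anything."
            exit 1
          fi

      - name: Cleanup guidance
        # Printed after failures too, which is when the guidance is needed.
        if: ${{ !cancelled() }}
        shell: bash
        run: |
          cat <<'EOF'
          Repository cleanup check completed.

          This workflow reports cleanup candidates.
          It does not delete branches, packages, releases, or files automatically.

          Recommended manual follow-up:
          - remove generated files from git,
          - update .gitignore,
          - move large artifacts to releases or package registry,
          - review stale branches,
          - document intentional exceptions.
          EOF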