name: Scheduled Repository Cleanup Check on: schedule: - cron: "43 3 * * 1" workflow_dispatch: jobs: cleanup-check: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 with: fetch-depth: 0 - name: Check ignored and tracked generated files shell: bash run: | echo "Ignored files that would be skipped by git:" git status --ignored --short || true echo echo "Tracked generated files check:" generated_patterns=( '(^|/)\.codex-agent-repository-kit/' '(^|/)\.gradle/' '(^|/)build/' '(^|/)run/' '(^|/)src/generated/' '\.log$' '\.tmp$' '\.temp$' ) found=0 tracked_files="$(git ls-files)" for pattern in "${generated_patterns[@]}"; do if echo "$tracked_files" | grep -Ei "$pattern"; then found=1 fi done if [ "$found" -eq 1 ]; then echo "Generated files appear to be tracked. Review .gitignore and remove generated outputs from version control if appropriate." exit 1 fi - name: Check large tracked files shell: bash run: | limit_bytes="${LARGE_FILE_LIMIT_BYTES:-5242880}" found=0 while IFS= read -r file; do [ -f "$file" ] || continue size="$(wc -c < "$file")" if [ "$size" -gt "$limit_bytes" ]; then echo "${file} is ${size} bytes, above limit ${limit_bytes}." found=1 fi done < <(git ls-files) if [ "$found" -eq 1 ]; then echo "Large tracked files found. Move release artifacts to packages/releases or document why they belong in git." exit 1 fi - name: Check local config and secret-prone files shell: bash run: | found=0 risky_patterns=( '^\.env$' '^\.env\.' '\.pfx$' '\.p12$' '\.pem$' '\.key$' '\.token$' '(^|/)secrets/' ) tracked_files="$(git ls-files)" for pattern in "${risky_patterns[@]}"; do if echo "$tracked_files" | grep -Ei "$pattern" | grep -vE '^\.env\.example$'; then found=1 fi done if [ "$found" -eq 1 ]; then echo "Secret-prone local config files are tracked. Review immediately." exit 1 fi - name: Cleanup guidance shell: bash run: | cat <<'EOF' Repository cleanup check completed. This workflow reports cleanup candidates. It does not delete branches, packages, releases, or files automatically. EOF