minecraft-renew-mod/.gitea/workflows/repo-cleanup.yml

name: Scheduled Repository Cleanup Check

on:
  schedule:
    - cron: "43 3 * * 1"
  workflow_dispatch:

jobs:
  cleanup-check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Check ignored and tracked generated files
        shell: bash
        run: |
          echo "Ignored files that would be skipped by git:"
          git status --ignored --short || true

          echo
          echo "Tracked generated files check:"
          generated_patterns=(
            '(^|/)\.codex-agent-repository-kit/'
            '(^|/)\.gradle/'
            '(^|/)build/'
            '(^|/)run/'
            '(^|/)src/generated/'
            '\.log$'
            '\.tmp$'
            '\.temp$'
          )

          found=0
          tracked_files="$(git ls-files)"
          for pattern in "${generated_patterns[@]}"; do
            if echo "$tracked_files" | grep -Ei "$pattern"; then
              found=1
            fi
          done

          if [ "$found" -eq 1 ]; then
            echo "Generated files appear to be tracked. Review .gitignore and remove generated outputs from version control if appropriate."
            exit 1
          fi

      - name: Check large tracked files
        shell: bash
        run: |
          limit_bytes="${LARGE_FILE_LIMIT_BYTES:-5242880}"
          found=0

          while IFS= read -r file; do
            [ -f "$file" ] || continue
            size="$(wc -c < "$file")"
            if [ "$size" -gt "$limit_bytes" ]; then
              echo "${file} is ${size} bytes, above limit ${limit_bytes}."
              found=1
            fi
          done < <(git ls-files)

          if [ "$found" -eq 1 ]; then
            echo "Large tracked files found. Move release artifacts to packages/releases or document why they belong in git."
            exit 1
          fi

      - name: Check local config and secret-prone files
        shell: bash
        run: |
          found=0

          risky_patterns=(
            '^\.env$'
            '^\.env\.'
            '\.pfx$'
            '\.p12$'
            '\.pem$'
            '\.key$'
            '\.token$'
            '(^|/)secrets/'
          )

          tracked_files="$(git ls-files)"
          for pattern in "${risky_patterns[@]}"; do
            if echo "$tracked_files" | grep -Ei "$pattern" | grep -vE '^\.env\.example$'; then
              found=1
            fi
          done

          if [ "$found" -eq 1 ]; then
            echo "Secret-prone local config files are tracked. Review immediately."
            exit 1
          fi

      - name: Cleanup guidance
        shell: bash
        run: |
          cat <<'EOF'
          Repository cleanup check completed.

          This workflow reports cleanup candidates. It does not delete branches,
          packages, releases, or files automatically.
          EOF