system-prompts-and-models-of-ai-tools/salesflow-saas/.github/workflows/repo-hygiene.yml

name: Repo Hygiene

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  check-key-files:
    name: Verify required files exist
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Check key files
        run: |
          missing=0
          for f in README.md LICENSE SECURITY.md CONTRIBUTING.md docker-compose.yml; do
            if [ ! -f "$f" ]; then
              echo "MISSING: $f"
              missing=1
            else
              echo "OK: $f"
            fi
          done
          if [ "$missing" -eq 1 ]; then
            echo "::error::One or more required files are missing."
            exit 1
          fi          

  block-secrets-files:
    name: Block .env / .pem / .key files
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Scan for forbidden file extensions
        run: |
          forbidden=$(git ls-files | grep -E '\.(env|pem|key|crt|p12|pfx)$' | grep -v '\.env\.example' || true)
          if [ -n "$forbidden" ]; then
            echo "::error::Forbidden files detected in tracked files:"
            echo "$forbidden"
            exit 1
          fi
          echo "No forbidden files found."          

  block-secret-patterns:
    name: Block secret patterns in tracked files
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Scan for secret patterns
        run: |
          patterns=(
            'PRIVATE KEY'
            'sk-[a-zA-Z0-9]{20,}'
            'ghp_[a-zA-Z0-9]{36}'
            'password\s*=\s*["\x27][^"\x27]{4,}'
            'DATABASE_URL=postgres'
            'REDIS_URL=redis://'
            'SECRET_KEY=["\x27][^"\x27]{8,}'
            'API_KEY=["\x27][^"\x27]{8,}'
          )
          found=0
          for pattern in "${patterns[@]}"; do
            matches=$(git ls-files -z | xargs -0 grep -rlE "$pattern" -- 2>/dev/null | grep -v '\.example$' | grep -v 'repo-hygiene\.yml' || true)
            if [ -n "$matches" ]; then
              echo "::warning::Pattern '$pattern' found in:"
              echo "$matches"
              found=1
            fi
          done
          if [ "$found" -eq 1 ]; then
            echo "::error::Potential secrets detected in tracked files. Review the warnings above."
            exit 1
          fi
          echo "No secret patterns found."