Affaan Mustafa 797f283036
ci: require npm audit signature checks
Require npm registry signature verification wherever workflow npm audit checks run.

- add npm audit signatures to CI Security Scan and maintenance security audit jobs
- teach the workflow security validator to reject npm audit without signature verification
- keep the repair and Copilot prompt tests portable across Windows path/case and CRLF frontmatter behavior

Validation:
- node tests/run-all.js (2376 passed, 0 failed)
- CI current-head matrix green on #1846
2026-05-12 23:48:56 -04:00

53 lines
1.5 KiB
YAML

name: Scheduled Maintenance
on:
  schedule:
    - cron: '0 9 * * 1' # Weekly Monday 9am UTC
  workflow_dispatch:
permissions:
  contents: read
  issues: write
  pull-requests: write
jobs:
  dependency-check:
    name: Check Dependencies
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: '20.x'
      - name: Check for outdated packages
        run: npm outdated || true
  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: '20.x'
      - name: Run security audit
        run: |
          if [ -f package-lock.json ]; then
            npm ci --ignore-scripts
            npm audit signatures
            npm audit --audit-level=high
          else
            echo "No package-lock.json found; skipping npm audit"
          fi
  stale:
    name: Stale Issues/PRs
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
        with:
          stale-issue-message: 'This issue is stale due to inactivity.'
          stale-pr-message: 'This PR is stale due to inactivity.'
          days-before-stale: 30
          days-before-close: 7
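The commit message says the workflow security validator now rejects `npm audit` steps that lack signature verification. The script below is an added illustration of that rule, not the project's own validator: it scans the `run:` scripts of a workflow file (raw text, no YAML library) and flags any `npm audit` invocation whose script does not also run `npm audit signatures`. The sample workflow text is constructed for the example.

```javascript
// Added example (not the project's validator): flag `npm audit` steps that
// do not also verify registry signatures in the same run script.

// Pull the shell script out of every `run:` key, inline or block scalar.
function extractRunScripts(yamlText) {
  const lines = yamlText.split(/\r?\n/);
  const scripts = [];
  for (let i = 0; i < lines.length; i++) {
    const m = lines[i].match(/^(\s*(?:-\s+)?)run:\s*(.*)$/);
    if (!m) continue;
    const value = m[2].trim();
    if (!/^[|>][-+]?$/.test(value)) { scripts.push(value); continue; }
    // Block scalar: body is every following line indented deeper than `run:`.
    const keyIndent = m[1].length;
    const body = [];
    while (i + 1 < lines.length) {
      const next = lines[i + 1];
      if (next.trim() !== '' && next.search(/\S/) <= keyIndent) break;
      body.push(next.trim());
      i++;
    }
    scripts.push(body.join('\n'));
  }
  return scripts;
}

const AUDIT_RE = /\bnpm\s+audit\b(?!\s+signatures)/; // npm audit, but not "npm audit signatures"
const SIG_RE = /\bnpm\s+audit\s+signatures\b/;

// Returns one finding per `npm audit` line in a script with no signature check.
// Heuristic: lines that are comments or start with `echo` are skipped.
function findUnsignedAudits(yamlText) {
  const findings = [];
  extractRunScripts(yamlText).forEach((script, idx) => {
    if (SIG_RE.test(script)) return; // signatures verified somewhere in this script
    for (const line of script.split('\n')) {
      if (/^(#|echo\s)/.test(line) || !AUDIT_RE.test(line)) continue;
      findings.push({ script: idx, line });
    }
  });
  return findings;
}

// Constructed sample: one compliant audit step and one that skips signatures.
const SAMPLE_WORKFLOW = [
  'jobs:', '  good:', '    steps:', '      - name: Run security audit', '        run: |',
  '          if [ -f package-lock.json ]; then', '            npm ci --ignore-scripts',
  '            npm audit signatures', '            npm audit --audit-level=high',
  '          else', '            echo "skipping npm audit"', '          fi',
  '  bad:', '    steps:', '      - run: npm audit --audit-level=high',
  '      - name: Outdated', '        run: npm outdated || true',
].join('\n');

console.log(findUnsignedAudits(SAMPLE_WORKFLOW));
```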