name: Scheduled Maintenance

on:
  schedule:
    - cron: '0 9 * * 1'  # Weekly Monday 9am UTC
  workflow_dispatch:

permissions:
  contents: read
  issues: write
  pull-requests: write

jobs:
  dependency-check:
    name: Check Dependencies
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: '20.x'
      - name: Check for outdated packages
        run: npm outdated || true

  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: '20.x'
      - name: Run security audit
        run: |
          if [ -f package-lock.json ]; then
            npm ci
            npm audit --audit-level=high
          else
            echo "No package-lock.json found; skipping npm audit"
          fi

  stale:
    name: Stale Issues/PRs
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
        with:
          stale-issue-message: 'This issue is stale due to inactivity.'
          stale-pr-message: 'This PR is stale due to inactivity.'
          days-before-stale: 30
          days-before-close: 7