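name: Freshness (live drift checks)

# Live staleness checks for skills that encode fast-moving external facts
# (SKILL-RESOURCE-PROTOCOL.md §7). These hit the network, so they run on a
# schedule — NEVER as a PR gate. A network blip / rate-limit exits 7 and is
# treated as "skip, retry next run"; a confirmed drift (exit 10) fails
# the job loudly.
#
# Any other non-zero status means the checker itself broke (crash, missing
# script, bad arguments). Each step fails on it instead of reporting green,
# so a broken check cannot pass for "in sync".

on:
  schedule:
    - cron: "0 6 * * 1"  # 06:00 UTC every Monday
  workflow_dispatch: {}  # manual trigger

# Least privilege: the job only needs to read the repository.
permissions:
  contents: read

jobs:
  drift:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): version tags are mutable; pinning each `uses:` to a full
      # commit SHA (tag kept in a trailing comment) is the stricter option.
      - uses: actions/checkout@v4
        with:
          # Later steps install and run third-party tools in this workspace,
          # so the token is not left behind in .git/config. Steps that need it
          # receive GITHUB_TOKEN explicitly through `env`.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      - name: Model table vs live Models API
        env:
          # Set on this step only; the other checks never see the key.
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          # The runner's default bash aborts on the first failing command;
          # turn that off so the checker's exit status can be inspected.
          set +e
          python skills/claude-api-ops/scripts/check-model-table.py --live
          rc=$?
          # 0 = in sync, 7 = unavailable (no key / unreachable) -> advisory skip,
          # 10 = drift -> fail. Anything else is a real error.
          case "$rc" in
            0) ;;
            7) echo "::warning::model-table live check unavailable (no key / unreachable) — skipped" ;;
            10) echo "::error::model table drifted from the live Models API"; exit 1 ;;
            *) echo "::error::model-table live check exited with unexpected status $rc"; exit 1 ;;
          esac
          exit 0

      - name: ffmpeg-ops docs vs an installed ffmpeg
        run: |
          set +e
          sudo apt-get update -qq && sudo apt-get install -y -qq ffmpeg
          bash skills/ffmpeg-ops/scripts/verify-commands.sh --live
          rc=$?
          # Same contract as above: 0 ok, 7 skip, 10 drift, other = broken check.
          case "$rc" in
            0) ;;
            7) echo "::warning::ffmpeg unavailable on runner — live check skipped" ;;
            10) echo "::error::ffmpeg-ops docs drifted from current ffmpeg (renamed/removed filter or option)"; exit 1 ;;
            *) echo "::error::ffmpeg-ops live check exited with unexpected status $rc"; exit 1 ;;
          esac
          exit 0

      - name: ytdlp-ops version age + extractor smoke test
        env:
          # Read-only token (see `permissions`). It is visible to everything
          # this step runs, including the pip install below.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set +e
          # Runner constraint: GH-hosted images lack uv; locally prefer `uv tool install yt-dlp`.
          python -m pip install --quiet yt-dlp
          bash skills/ytdlp-ops/scripts/check-ytdlp-version.sh --live
          rc=$?
          # Same contract as above: 0 ok, 7 skip, 10 drift, other = broken check.
          case "$rc" in
            0) ;;
            7) echo "::warning::ytdlp-ops live check unavailable (network/API/yt-dlp) — skipped" ;;
            10) echo "::error::ytdlp-ops: yt-dlp >60 days behind latest release or smoke extraction failed (extractor drift)"; exit 1 ;;
            *) echo "::error::ytdlp-ops live check exited with unexpected status $rc"; exit 1 ;;
          esac
          exit 0

      - name: mapbox-ops facts vs live (style URLs + GL JS major)
        run: |
          set +e
          python skills/mapbox-ops/scripts/check-mapbox-facts.py --live
          rc=$?
          # Same contract as above: 0 ok, 7 skip, 10 drift, other = broken check.
          case "$rc" in
            0) ;;
            7) echo "::warning::mapbox-ops live check unreachable — skipped" ;;
            10) echo "::error::mapbox-ops drift — a third-party style URL 404'd or GL JS shipped a major past v3"; exit 1 ;;
            *) echo "::error::mapbox-ops live check exited with unexpected status $rc"; exit 1 ;;
          esac
          exit 0

      - name: GitHub Action refs still resolve
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set +e
          # Scan every shipped workflow asset + the repo's own workflows.
          targets="skills/terraform-ops/assets/github-actions-terraform.yml .github/workflows/*.yml"
          # $targets is unquoted on purpose: it has to word-split and the glob
          # has to expand into one argument per workflow file.
          bash skills/terraform-ops/scripts/check-action-refs.sh --live $targets
          rc=$?
          # Same contract as above: 0 ok, 7 skip, 10 drift, other = broken check.
          case "$rc" in
            0) ;;
            7) echo "::warning::action-ref live check rate-limited / unreachable — skipped" ;;
            10) echo "::error::a GitHub Action 'uses:' ref no longer resolves"; exit 1 ;;
            *) echo "::error::action-ref live check exited with unexpected status $rc"; exit 1 ;;
          esac
          exit 0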