# Daily GDPR data cleanup for the pitch deck.
# Calls /api/admin/cleanup which runs runDataCleanup():
#   - anonymizes investors inactive 30+ days
#   - anonymizes never-activated invites after 90 days
#   - deletes sessions + magic links older than 30 days
#   - anonymizes IPs in audit logs older than 30 days
#
# Requires Gitea Actions secret: PITCH_ADMIN_SECRET

name: Pitch deck — GDPR cleanup

on:
  schedule:
    - cron: '0 2 * * *'

jobs:
  cleanup:
    runs-on: docker
    container:
      image: alpine:3.19
    steps:
      - name: Run data cleanup
        env:
          PITCH_ADMIN_SECRET: ${{ secrets.PITCH_ADMIN_SECRET }}
        run: |
          apk add --no-cache curl
          RESPONSE=$(curl -sSf -w "\n%{http_code}" -X POST \
            -H "Authorization: Bearer $PITCH_ADMIN_SECRET" \
            -H "Content-Type: application/json" \
            https://pitch.breakpilot.com/api/admin/cleanup) \
            || { echo "Cleanup request failed"; exit 1; }
          HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
          BODY=$(echo "$RESPONSE" | head -n-1)
          echo "Response: $BODY"
          [ "$HTTP_CODE" = "200" ] || { echo "Unexpected status $HTTP_CODE"; exit 1; }
          echo "GDPR cleanup completed successfully"