name: "Update dependencies"
on:
  schedule:
    # Monday, 10AM UTC
    - cron: "0 10 * * 1"

  workflow_dispatch:
    inputs: {}


permissions:
  contents: read

jobs:
  branches:
    name: get branch data
    runs-on: ubuntu-latest
    outputs:
      branches: ${{ steps.branches.outputs.branches }}

    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0
          ref: ${{ github.event.inputs.ref }}
      - name: set branches output
        id: branches
        # outputs the second to most recent `release-x.y` branches plus `main` as JSON
        run: |
          echo "branches=$(git branch -a | grep -E "remotes/origin/(main|release-)" | sed 's/  remotes\/origin\///' | sort -V | tail -2 | head -1 | jq -R -s -c 'split("\n") | map(select(length > 0)) | . + ["main"]')" >> $GITHUB_OUTPUT

  update-dependencies:
    permissions:
      contents: write  # for Git to git push
    runs-on: ubuntu-latest
    needs: branches
    strategy:
      matrix:
        branch: ${{ fromJson(needs.branches.outputs.branches) }}
    steps:
    - name: Setup Go
      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
      with:
        go-version: "1.21"

      # we can not use the default GHA token, as it prevents subsequent GHA
      # from running: we can create a PR but the tests won't run :/
    - name: Generate token
      id: generate_token
      uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
      with:
        app_id: ${{ secrets.APP_ID }}
        private_key: ${{ secrets.PRIVATE_KEY }}
    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      with:
        token: ${{ steps.generate_token.outputs.token }}
        ref: ${{ matrix.branch }}
        fetch-depth: 0
    - name: create pull request
      run: |
        git config --global user.email "ExternalSecretsOperator@users.noreply.github.com"
        git config --global user.name "External Secrets Operator"
        BRANCH=update-deps-$(date "+%s")
        make update-deps || true

        if git diff-index --quiet HEAD --; then
          echo "nothing changed. skipping."
          exit 0;
        fi

        git checkout -b $BRANCH
        git add -A
        git commit -m "update dependencies" -s
        git push origin $BRANCH
        gh pr create -B ${{ matrix.branch }} -H ${BRANCH} --title 'chore: update dependencies' --body 'Update dependencies'
      env:
        GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}