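name: Plugin update
run-name: Update ${{ inputs.plugin }} to v${{ inputs.version }}

on:
  workflow_dispatch:
    inputs:
      plugin:
        description: 'Full name of the plugin, e.g., vault-plugin-auth-kubernetes'
        required: true
        type: string
      branch:
        description: 'Git branch name to use'
        required: true
        type: string
      version:
        description: 'Version of the plugin with *NO* "v", e.g., 1.2.3'
        required: true
        type: string
      ent-only:
        description: Whether or not the plugin is enterprise only
        required: true
        type: boolean
      reviewer:
        description: 'Reviewer to tag on the PR'
        required: false
        type: string

# The default GITHUB_TOKEN is only used by the final labelling step; every
# other step runs with ELEVATED_GITHUB_TOKEN. Keep the default token scoped to
# what that one step needs (labels are edited through the issues/pulls API).
permissions:
  contents: read
  issues: write
  pull-requests: write

jobs:
  plugin-update:
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
      GOPRIVATE: github.com/hashicorp/*
      VAULT_BRANCH: ${{ inputs.branch }}
      REVIEWER: ${{ inputs.reviewer || github.actor }}
      # Caller-supplied values reach the shell only through the environment,
      # never through ${{ }} interpolation inside `run:`. With the elevated
      # token in this job's environment, an interpolated input such as
      # `foo"; curl ... ; "` would otherwise be executed as shell syntax.
      PLUGIN: ${{ inputs.plugin }}
      VERSION: ${{ inputs.version }}
      DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
    steps:
      - name: Validate inputs
        # Fail fast on anything that does not look like a plugin repo name, a
        # bare semver, or a plain branch name. The values are only ever used
        # via quoted env vars below, so this is defence in depth; it also stops
        # the force-push step from clobbering the default branch.
        run: |
          if [[ ! "$PLUGIN" =~ ^vault-plugin-(auth|secrets|database)-[A-Za-z0-9_-]+$ ]]; then
            printf '::error::plugin must look like vault-plugin-<auth|secrets|database>-<service> (got %q)\n' "$PLUGIN"
            exit 1
          fi
          if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+([-+][A-Za-z0-9.-]+)?$ ]]; then
            printf '::error::version must be a bare semver such as 1.2.3 with no leading "v" (got %q)\n' "$VERSION"
            exit 1
          fi
          if [[ ! "$VAULT_BRANCH" =~ ^[A-Za-z0-9][A-Za-z0-9._/-]*$ ]]; then
            printf '::error::branch contains unexpected characters (got %q)\n' "$VAULT_BRANCH"
            exit 1
          fi
          if [[ -n "$DEFAULT_BRANCH" && "$VAULT_BRANCH" == "$DEFAULT_BRANCH" ]]; then
            echo "::error::refusing to force-push over the default branch ($DEFAULT_BRANCH)"
            exit 1
          fi

      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # We don't use the default token so that checks are executed on the resulting PR
          # https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
          token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}

      - uses: ./.github/actions/metadata
        id: metadata

      - uses: ./.github/actions/set-up-go
        with:
          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
          no-restore: true
          no-save: true

      - id: configure-git
        name: Configure git
        # GITHUB_TOKEN here is the elevated token set at job level. Reading it
        # from the environment keeps the secret out of the rendered script
        # text; note this still persists the token in ~/.gitconfig for the
        # lifetime of the runner so `go get` can reach private modules.
        run: |
          git config --global url."https://${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/"
          git config user.name hc-github-team-secure-vault-ecosystem
          git config user.email hc-github-team-secure-vault-ecosystem@users.noreply.github.com

      - if: ${{ !inputs.ent-only }}
        name: Update plugin
        run: |
          go get "github.com/hashicorp/${PLUGIN}@v${VERSION}"
          go mod tidy

      - if: ${{ inputs.ent-only }}
        name: Update Enterprise-only plugin
        run: |
          (cd vault_ent && go get "github.com/hashicorp/${PLUGIN}@v${VERSION}" && go mod tidy)
          go mod tidy

      - name: Detect changes
        # A no-op update (already on that version) is treated as a failure so
        # the run is visibly wrong rather than silently opening an empty PR.
        run: |
          count=$(git status --porcelain=v1 2>/dev/null | wc -l)
          if [ "$count" -eq 0 ]; then
            echo "::error::no updates were made for ${PLUGIN} with tag v${VERSION}"
            exit 1
          fi

      - name: Commit and push
        # Only go.mod/go.sum files are staged; anything else `go mod tidy`
        # touched is deliberately left out of the commit.
        run: |
          git add ./\*go.mod ./\*go.sum
          git commit -m "Update ${PLUGIN} to v${VERSION}"
          git push -f origin "${GITHUB_REF_NAME}:${VAULT_BRANCH}"

      - name: Open pull request if needed
        id: pr
        # Only open a PR if the branch is not attached to an existing one.
        # vault_pr_num / vault_pr_url are only set when a PR was created here,
        # which is what the later changelog and label steps key off.
        run: |
          PR=$(gh pr list --head "$VAULT_BRANCH" --json number -q '.[0].number')
          if [ -z "$PR" ]; then
            gh pr create \
              --head "$VAULT_BRANCH" \
              --reviewer "$REVIEWER" \
              --assignee "$REVIEWER" \
              --title "Update ${PLUGIN} to v${VERSION}" \
              --body "This PR was generated by a GitHub Action. Full log: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
            echo "vault_pr_num=$(gh pr list --head "$VAULT_BRANCH" --json number -q '.[0].number')" >> "$GITHUB_OUTPUT"
            echo "vault_pr_url=$(gh pr list --head "$VAULT_BRANCH" --json url -q '.[0].url')" >> "$GITHUB_OUTPUT"
          else
            echo "::notice::Pull request $PR already exists, won't create a new one."
          fi

      - name: Add changelog
        if: steps.pr.outputs.vault_pr_num != ''
        env:
          PR_NUM: ${{ steps.pr.outputs.vault_pr_num }}
          IS_ENT_BRANCH: ${{ steps.metadata.outputs.is-ent-branch }}
        run: |
          # plugin type is one of auth/secrets/database (enforced by the
          # input validation step)
          PLUGIN_TYPE=$(echo "$PLUGIN" | awk -F- '{print $3}')
          echo "::debug::plugin type: $PLUGIN_TYPE"

          # plugin service is the rest of the repo name
          PLUGIN_SERVICE=$(echo "$PLUGIN" | cut -d- -f 4-)
          echo "::debug::plugin service: $PLUGIN_SERVICE"

          # changelog filename is the PR number with a .txt extension
          # if the repo is vault-enterprise, the filename should start with an underscore
          CHANGELOG_FILENAME="${PR_NUM}.txt"
          if [[ "$IS_ENT_BRANCH" == 'true' ]]; then
            CHANGELOG_FILENAME="_${PR_NUM}.txt"
          fi
          echo "::debug::changelog filename: $CHANGELOG_FILENAME"

          # Backticks are escaped so the heredoc emits them literally.
          cat > "changelog/$CHANGELOG_FILENAME" <<EOF
          \`\`\`release-note:change
          ${PLUGIN_TYPE}/${PLUGIN_SERVICE}: Update plugin to v${VERSION}
          \`\`\`
          EOF

          git add changelog/
          git commit -m "Add changelog"
          git push origin "${GITHUB_REF_NAME}:${VAULT_BRANCH}"

      - name: Add labels to Vault PR
        if: steps.pr.outputs.vault_pr_num != ''
        env:
          # this is a different token to the one we have been using that should
          # allow us to add labels
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUM: ${{ steps.pr.outputs.vault_pr_num }}
        continue-on-error: true
        run: |
          gh pr edit "$PR_NUM" \
            --add-label "dependencies"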