name: PR Fixxxer

on:
  issue_comment:
    types: [created]

permissions:
  contents: write

env:
  ROX_PRODUCT_BRANDING: RHACS_BRANDING

jobs:
  pr_commented:
    name: Run PR Fixxxer
    # TODO: support leading and trailing whitespace too
    if: ${{ github.event.issue.pull_request && github.event.comment.body == '/fixxx' }}
    runs-on: ubuntu-latest
    container:
      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.5.3@sha256:39fd328dcc903b7d8a2f3eb6d9e5ddbf79569227a5667296b4b927f74c11b32a # ratchet:quay.io/stackrox-io/apollo-ci:stackrox-test-0.5.3
    steps:

    - name: Fetch PR metadata
      id: pr-metadata
      run: |
        curl --silent --retry 7 "$PR_URL" > pr.json
        pr_head_repo="$(jq --raw-output .head.repo.full_name pr.json)"

        if [ "$pr_head_repo" != "${THIS_REPO}" ]; then
          echo "This comment was issued on a PR from branch in repo $pr_head_repo. Currently only PRs from branches in repo $THIS_REPO are supported."
          # TODO: we could still run commands and point at results in a PR comment, even if we do not have permissions to push there.
          exit 1
        fi

        branch="$(jq --raw-output .head.ref pr.json)"
        # If branch name is empty, push action defaults to pushing to main, which we do not want to do.
        if [ -z "${branch}" ]; then
          echo "Failed to detect source branch."
          # TODO: more checks for safe branch names
          exit 1
        fi
        echo "branch=$branch" >> "$GITHUB_OUTPUT"
        rm pr.json
      env:
        PR_URL: ${{ github.event.issue.pull_request.url }}
        THIS_REPO: ${{ github.repository }}

    - name: Dump GitHub context
      env:
        GITHUB_CONTEXT: ${{ toJson(github) }}
      run: echo "$GITHUB_CONTEXT" | jq .
    - name: Dump job context
      env:
        JOB_CONTEXT: ${{ toJson(job) }}
      run: echo "$JOB_CONTEXT" | jq .
    - name: Dump steps context
      env:
        STEPS_CONTEXT: ${{ toJson(steps) }}
      run: echo "$STEPS_CONTEXT" | jq .

    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
      with:
        ref: ${{ steps.pr-metadata.outputs.branch }}
        fetch-depth: 0
        token: ${{ secrets.RHACS_BOT_GITHUB_TOKEN }}

    - name: Configure Git
      run: |
        set -ex
        git config --global --add safe.directory "$(pwd)"
        git config --global user.email "rhacs-bot@redhat.com"
        git config --global user.name "StackRox PR Fixxxer"

    - run: ./scripts/fixxxer.sh

    - uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # ratchet:ad-m/github-push-action@v1.1.0
      with:
        branch: ${{ steps.pr-metadata.outputs.branch }}
        github_token: ${{ secrets.RHACS_BOT_GITHUB_TOKEN }}