name: Refresh Lockfile

on:
  push:
    branches:
      - master
  workflow_dispatch:

concurrency:
  group: refresh-lockfile-master
  cancel-in-progress: false

jobs:
  refresh:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: write
      pull-requests: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 9.15.4
          run_install: false

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: pnpm

      - name: Refresh pnpm lockfile
        run: pnpm install --lockfile-only --ignore-scripts --no-frozen-lockfile

      - name: Fail on unexpected file changes
        run: |
          changed="$(git status --porcelain)"
          if [ -z "$changed" ]; then
            echo "Lockfile is already up to date."
            exit 0
          fi
          if printf '%s\n' "$changed" | grep -Fvq ' pnpm-lock.yaml'; then
            echo "Unexpected files changed during lockfile refresh:"
            echo "$changed"
            exit 1
          fi

      - name: Create or update pull request
        id: upsert-pr
        env:
          GH_TOKEN: ${{ github.token }}
          REPO_OWNER: ${{ github.repository_owner }}
        run: |
          if git diff --quiet -- pnpm-lock.yaml; then
            echo "Lockfile unchanged, nothing to do."
            echo "pr_url=" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          BRANCH="chore/refresh-lockfile"
          git config user.name "lockfile-bot"
          git config user.email "lockfile-bot@users.noreply.github.com"

          git checkout -B "$BRANCH"
          git add pnpm-lock.yaml
          git commit -m "chore(lockfile): refresh pnpm-lock.yaml"
          git push --force origin "$BRANCH"

          # Only reuse an open PR from this repository owner, not a fork with the same branch name.
          pr_url="$(
            gh pr list --state open --head "$BRANCH" --json url,headRepositoryOwner \
              --jq ".[] | select(.headRepositoryOwner.login == \"$REPO_OWNER\") | .url" |
            head -n 1
          )"
          if [ -z "$pr_url" ]; then
            pr_url="$(gh pr create \
              --head "$BRANCH" \
              --title "chore(lockfile): refresh pnpm-lock.yaml" \
              --body "Auto-generated lockfile refresh after dependencies changed on master. This PR only updates pnpm-lock.yaml.")"
            echo "Created new PR: $pr_url"
          else
            echo "PR already exists: $pr_url"
          fi
          echo "pr_url=$pr_url" >> "$GITHUB_OUTPUT"

      - name: Enable auto-merge for lockfile PR
        if: steps.upsert-pr.outputs.pr_url != ''
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh pr merge --auto --squash --delete-branch "${{ steps.upsert-pr.outputs.pr_url }}"