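# Builds the apk package set with the hasher Containerfile, uploads the
# resulting .apk files to ghcr.io, and opens a PR with the updated hashes.
name: Package hasher

on:
  workflow_dispatch:
  push:
    branches:
      - main
    paths:
      - ".github/workflows/package-hasher.yml"
      # Kept in sync with the Containerfile passed to `docker build` below.
      # The previous entry named Containerfile.hasher.apk, which the build step
      # does not use, so edits to the build file never triggered this workflow.
      # NOTE(review): confirm the on-disk file name.
      - "hack/package-hasher/Containerfile.apk.hasher"
  schedule:
    - cron: "0 22 */3 * *"  # every 3 days at 22:00 UTC

jobs:
  hash:
    runs-on: ubuntu-22.04
    # Least privilege: the job only reads the repository and writes packages.
    permissions:
      contents: read
      packages: write
    steps:
      # workflow_dispatch can be started from any branch; fail early there so
      # nothing is pushed to the registry from a non-main ref.
      - name: Only run on main branch
        if: github.ref != 'refs/heads/main'
        run: |
          echo "::error::This workflow only runs on the main branch"
          exit 1

      - name: Checkout Constellation
        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c  # v3.3.0
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      # NOTE(review): the release archive is downloaded over HTTPS but its
      # digest is not verified before the binary is installed. Pin the SHA-256
      # for this ORAS_VERSION and check it (e.g. `sha256sum -c`) before
      # extracting.
      - name: Install oras
        env:
          ORAS_VERSION: "0.16.0"
        run: |
          curl -fsSLO "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz"
          mkdir -p oras-install/
          tar -zxf "oras_${ORAS_VERSION}_linux_amd64.tar.gz" -C oras-install/
          mv oras-install/oras /usr/local/bin/
          rm -rf "oras_${ORAS_VERSION}_linux_amd64.tar.gz" oras-install/

      - name: Run apk hasher
        env:
          # Quoted so the value stays a string regardless of the YAML loader.
          DOCKER_BUILDKIT: "1"
        run: docker build -o apko -f hack/package-hasher/Containerfile.apk.hasher .

      # Credentials are passed through the environment and stdin instead of
      # being expanded into the script text: `${{ }}` expressions are
      # substituted before the shell parses the script, and `-p <token>` would
      # put the token on the process command line.
      # NOTE(review): the target tag `:latest` is mutable; consumers that rely
      # on content addressing should reference the pushed digest.
      - name: Upload apk packages to container registry content addressed storage
        working-directory: apko/repository-apk
        env:
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          printenv REGISTRY_TOKEN | oras login ghcr.io \
            --username "${REGISTRY_USER}" \
            --password-stdin
          oras push \
            ghcr.io/edgelesssys/constellation/packages-apk:latest ./*.apk
          # Drop the stored registry credential before later steps run.
          oras logout ghcr.io

      # Remove the built packages so they are not picked up by the PR below.
      - name: Remove apk packages
        working-directory: apko
        run: rm -rf repository-apk

      - name: Create new PR
        uses: peter-evans/create-pull-request@2b011faafdcbc9ceb11414d64d0573f37c774b04  # v4.2.3
        with:
          branch: ci/hasher/apk
          title: "deps: update apk package hashes"
          commit-message: "deps: update apk package hashes"
          body: |
            :robot: *This is an automated PR.* :robot:

            This PR updates (the hashes of) apk packages.
            It is generated by the package-hasher workflow.
          committer: edgelessci
          labels: dependencies
          # We need to push changes using a token, otherwise triggers like
          # on:push and on:pull_request won't work.
          token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }}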