name: Versionsapi cli

on:
  workflow_dispatch:
    inputs:
      command:
        description: Command to run
        required: true
        type: choice
        options:
          - latest
          - list
          - add
          - remove
      ref:
        description: --ref flag
        required: false
        type: string
      stream:
        description: --stream flag
        required: false
        type: string
      version:
        description: --version flag
        required: false
        type: string
      kind:
        description: --kind flag
        required: false
        type: string
      version_path:
        description: --version-path flag
        required: false
        type: string
      add_latest:
        description: --latest flag
        required: false
        default: false
        type: boolean
      add_release:
        description: --release flag
        required: false
        default: false
        type: boolean
      rm_all:
        description: --all flag
        required: false
        default: false
        type: boolean
      dryrun:
        description: --dryrun flag
        required: false
        default: false
        type: boolean
  workflow_call:
    inputs:
      command:
        description: Command to run
        required: true
        type: string
      ref:
        description: --ref flag
        required: false
        type: string
      stream:
        description: --stream flag
        required: false
        type: string
      version:
        description: --version flag
        required: false
        type: string
      kind:
        description: --kind flag
        required: false
        type: string
      version_path:
        description: --version-path flag
        required: false
        type: string
      add_latest:
        description: --latest flag
        required: false
        type: boolean
      add_release:
        description: --release flag
        required: false
        type: boolean
      rm_all:
        description: --all flag
        required: false
        type: boolean
      dryrun:
        description: --dryrun flag
        required: false
        default: false
        type: boolean
    outputs:
      output:
        description: Output of the command
        value: ${{ jobs.versionsapi.outputs.output }}

concurrency:
  group: versionsapi
  cancel-in-progress: false

jobs:
  versionsapi:
    runs-on: ubuntu-24.04
    permissions:
      id-token: write
      contents: read
    outputs:
      output: ${{ steps.run.outputs.output }}
    steps:
      - name: Check out repository
        id: checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Check required rights
        id: check-rights
        shell: bash
        run: |
          case "${{ inputs.command }}" in
            add)
              echo "Write access to S3 bucket required."
              echo "write=true" | tee -a "$GITHUB_OUTPUT"
              echo "No authentication at cloud provider required."
              echo "auth=false" | tee -a "$GITHUB_OUTPUT"
            ;;
            remove)
              echo "Write access to S3 bucket required."
              echo "write=true" | tee -a "$GITHUB_OUTPUT"
              echo "Authentication at cloud provider required."
              echo "auth=true" | tee -a "$GITHUB_OUTPUT"
              ;;
            latest | list)
              echo "Only read access required."
              echo "write=false" | tee -a "$GITHUB_OUTPUT"
              echo "auth=false" | tee -a "$GITHUB_OUTPUT"
              ;;
            *)
              echo "Unknown command '${{ inputs.command }}'."
              exit 1
              ;;
          esac

      - name: Login to AWS without write access
        if: steps.check-rights.outputs.write == 'false'
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
          aws-region: eu-central-1

      - name: Login to AWS with write access
        if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'false'
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIWrite
          aws-region: eu-central-1

      - name: Login to AWS with write and image remove access
        if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'true'
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRemove
          aws-region: eu-central-1

      - name: Login to Azure
        if: steps.check-rights.outputs.auth == 'true'
        uses: ./.github/actions/login_azure
        with:
          azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}

      - name: Login to GCP
        if: steps.check-rights.outputs.auth == 'true'
        uses: ./.github/actions/login_gcp
        with:
          service_account: "image-deleter@constellation-images.iam.gserviceaccount.com"

      - uses: ./.github/actions/setup_bazel_nix

      - name: Execute versionsapi CLI
        id: run
        uses: ./.github/actions/versionsapi
        with:
          command: ${{ inputs.command }}
          ref: ${{ inputs.ref }}
          stream: ${{ inputs.stream }}
          version: ${{ inputs.version }}
          kind: ${{ inputs.kind }}
          version_path: ${{ inputs.version_path }}
          add_latest: ${{ inputs.add_latest }}
          add_release: ${{ inputs.add_release }}
          rm_all: ${{ inputs.rm_all }}
          dryrun: ${{ inputs.dryrun }}