name: Sync Audit Log data

# **What it does**: This updates our Audit Logs schema.
# **Why we have it**: We want our Audit Logs up to date.
# **Who does it impact**: Docs engineering, people reading Audit Logs.

on:
  workflow_dispatch:
  schedule:
    - cron: '20 16 * * *' # Run every day at 16:20 UTC / 8:20 PST

permissions:
  contents: write
  pull-requests: write

# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
  cancel-in-progress: true

jobs:
  update-audit-log-files:
    if: github.repository == 'github/docs-internal'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - uses: ./.github/actions/node-npm-setup

      - name: Run updater script
        env:
          # need to use a token from a user with access to github/audit-log-allowlists for this step
          GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
        run: |
          npm run audit-log-sync

      - name: Get the audit-log-allowlists SHA being synced
        id: audit-log-allowlists
        run: |
          COMMIT_SHA=$(cat src/audit-logs/lib/config.json | jq -r '.sha')
          echo "COMMIT_SHA=$COMMIT_SHA" >> $GITHUB_OUTPUT
          echo "Commit SHA from audit-log-allowlists: $COMMIT_SHA"
          if [ -z $COMMIT_SHA ]; then
            echo "audit-log-allowlists commit SHA is empty!"
            exit 1
          fi

      - name: Create and merge pull request
        env:
          # Needed for gh
          GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
        run: |
          # If nothing to commit, exit now. It's fine. No orphans.
          changes=$(git diff --name-only | wc -l)
          untracked=$(git status --untracked-files --short | wc -l)
          if [[ $changes -eq 0 ]] && [[ $untracked -eq 0 ]]; then
            echo "There are no changes to commit or untracked files. Exiting..."
            exit 0
          fi

          git config --global user.name "docs-bot"
          git config --global user.email "77750099+docs-bot@users.noreply.github.com"

          branchname=audit-logs-schema-update-${{ steps.audit-log-allowlists.outputs.COMMIT_SHA }}

          remotesha=$(git ls-remote --heads origin $branchname)
          if [ -n "$remotesha" ]; then
            # output is not empty, it means the remote branch exists
            echo "Branch $branchname already exists in 'github/docs-internal'. Exiting..."
            exit 0
          fi

          git checkout -b $branchname
          git add .
          git commit -m "Add updated audit log event data"
          git push origin $branchname

          echo "Creating pull request..."
          gh pr create \
            --title "Update audit log event data" \
            --body '👋 humans. This PR updates the audit log event data with the latest changes. (Synced from github/audit-log-allowlists)

            If CI does not pass or other problems arise, contact #docs-engineering on slack.' \
            --repo github/docs-internal \
            --label audit-log-pipeline

          # can't approve your own PR, approve with Actions
          unset GITHUB_TOKEN
          gh auth login --with-token <<< "${{ secrets.GITHUB_TOKEN }}"
          gh pr review --approve

          # Actions can't merge the PR so back to docs-bot to merge the PR
          unset GITHUB_TOKEN
          gh auth login --with-token <<< "${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}"
          gh pr merge --auto --delete-branch

      - uses: ./.github/actions/slack-alert
        if: ${{ failure() && github.event_name != 'workflow_dispatch' }}
        with:
          slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }}
          slack_token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}