name: Sync Lockfile

on:
  repository_dispatch:
    types: [sync-lockfile]
  schedule:
    # Hourly fallback -- catches Dependabot merges and edge cases
    - cron: "0 * * * *"
  workflow_dispatch: {}

permissions:
  contents: write
  pull-requests: write

jobs:
  sync:
    name: Regenerate workspace lockfile
    runs-on: ubuntu-latest
    steps:
      # ------------------------------------------------------------------
      # Determine deploy refs from dispatch payload, or default to main
      # ------------------------------------------------------------------
      - name: Determine deploy refs
        id: refs
        run: |
          if [ "${{ github.event_name }}" = "repository_dispatch" ]; then
            echo "trigger=${{ github.event.client_payload.trigger_repo || 'barazo-workspace' }}" >> "$GITHUB_OUTPUT"
            echo "api_ref=${{ github.event.client_payload.api_ref || 'main' }}" >> "$GITHUB_OUTPUT"
            echo "web_ref=${{ github.event.client_payload.web_ref || 'main' }}" >> "$GITHUB_OUTPUT"
            echo "deploy=true" >> "$GITHUB_OUTPUT"
          else
            echo "trigger=${{ github.event_name }}" >> "$GITHUB_OUTPUT"
            echo "api_ref=main" >> "$GITHUB_OUTPUT"
            echo "web_ref=main" >> "$GITHUB_OUTPUT"
            echo "deploy=false" >> "$GITHUB_OUTPUT"
          fi

      # ------------------------------------------------------------------
      # Regenerate the workspace lockfile
      # ------------------------------------------------------------------
      - name: Checkout workspace
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Setup pnpm
        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0

      - name: Setup Node.js
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: 24

      - name: Fetch workspace member manifests
        run: |
          for pkg in barazo-api barazo-web barazo-lexicons barazo-plugins; do
            mkdir -p "$pkg"
            curl -sfL "https://raw.githubusercontent.com/singi-labs/$pkg/main/package.json" \
              -o "$pkg/package.json"
          done
          # Fetch sub-packages for plugins monorepo
          mkdir -p barazo-plugins/packages/plugin-signatures
          curl -sfL "https://raw.githubusercontent.com/singi-labs/barazo-plugins/main/packages/plugin-signatures/package.json" \
            -o "barazo-plugins/packages/plugin-signatures/package.json"

      - name: Regenerate lockfile
        run: pnpm install --no-frozen-lockfile

      - name: Check for lockfile changes
        id: diff
        run: |
          if git diff --quiet pnpm-lock.yaml; then
            echo "changed=false" >> "$GITHUB_OUTPUT"
            echo "Lockfile is already up to date."
          else
            echo "changed=true" >> "$GITHUB_OUTPUT"
            echo "Lockfile has changed -- needs update."
            git diff --stat pnpm-lock.yaml
          fi

      # ------------------------------------------------------------------
      # Create a PR for lockfile changes, then auto-merge it.
      # Direct pushes to main are blocked by branch protection, so we
      # go through a PR instead. The squash-merge to main triggers
      # deploy-staging.yml automatically (it watches lockfile paths).
      # ------------------------------------------------------------------
      - name: Create lockfile PR
        if: steps.diff.outputs.changed == 'true'
        id: pr
        uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
        with:
          commit-message: "fix(deps): auto-sync lockfile with sub-repo dependencies"
          branch: auto/sync-lockfile
          delete-branch: true
          title: "fix(deps): auto-sync lockfile with sub-repo dependencies"
          body: |
            Automated lockfile regeneration.

            Triggered by: `${{ steps.refs.outputs.trigger }}`

      - name: Auto-merge lockfile PR
        if: steps.diff.outputs.changed == 'true' && steps.pr.outputs.pull-request-number
        env:
          GH_TOKEN: ${{ secrets.DEPLOY_PAT }}
        run: |
          gh pr merge ${{ steps.pr.outputs.pull-request-number }} \
            --repo singi-labs/barazo-workspace \
            --squash \
            --auto

      # ------------------------------------------------------------------
      # Trigger staging deploy directly ONLY when a sub-repo dispatched
      # this workflow but the lockfile did not change. When the lockfile
      # does change, the PR merge to main triggers deploy-staging.yml
      # automatically, so we skip here to avoid a duplicate deploy.
      # ------------------------------------------------------------------
      - name: Trigger staging deploy
        if: steps.refs.outputs.deploy == 'true' && steps.diff.outputs.changed == 'false'
        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
        with:
          token: ${{ secrets.DEPLOY_PAT }}
          repository: singi-labs/barazo-deploy
          event-type: deploy-staging
          client-payload: |
            {
              "trigger_repo": "${{ steps.refs.outputs.trigger }}",
              "api_ref": "${{ steps.refs.outputs.api_ref }}",
              "web_ref": "${{ steps.refs.outputs.web_ref }}"
            }