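---
# Hourly check for a new safechain-internals release. When the latest tag
# differs from the one pinned in the install scripts, re-pin the download
# URLs and SHA-256 values and open a pull request for review.
name: Bump safechain-internals endpoint

on:
  schedule:
    - cron: '0 * * * *'  # every hour
  workflow_dispatch:

permissions:
  contents: write
  pull-requests: write

jobs:
  bump-endpoint:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): pinning to a full commit SHA instead of a tag would keep
      # the action from changing underneath this workflow.
      - uses: actions/checkout@v4

      - name: Get latest safechain-internals release
        id: latest
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          VERSION=$(gh api repos/AikidoSec/safechain-internals/releases/latest --jq '.tag_name')
          # The tag name is later spliced into shell commands and sed
          # expressions; accept only a conservative character set so an
          # unexpected or empty tag cannot alter those commands.
          if ! [[ "$VERSION" =~ ^[A-Za-z0-9._+-]+$ ]]; then
            echo "::error::Unexpected release tag name: '$VERSION'"
            exit 1
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"

      - name: Get current version from install script
        id: current
        run: |
          CURRENT=$(grep -oP '(?<=releases/download/)[^/]+(?=/EndpointProtection\.pkg)' install-scripts/install-endpoint-mac.sh)
          # Same character-set check as for the latest tag; CURRENT is used as
          # a sed pattern below.
          if ! [[ "$CURRENT" =~ ^[A-Za-z0-9._+-]+$ ]]; then
            echo "::error::Unexpected pinned version in install script: '$CURRENT'"
            exit 1
          fi
          echo "version=$CURRENT" >> "$GITHUB_OUTPUT"

      - name: Download assets and compute checksums
        if: steps.latest.outputs.version != steps.current.outputs.version
        id: checksums
        # Step outputs are passed through env rather than interpolated into
        # the script, so their content is never parsed as shell syntax.
        env:
          VERSION: ${{ steps.latest.outputs.version }}
        run: |
          BASE="https://github.com/AikidoSec/safechain-internals/releases/download/${VERSION}"
          curl -fsSL "${BASE}/EndpointProtection.pkg" -o /tmp/EndpointProtection.pkg
          curl -fsSL "${BASE}/EndpointProtection.msi" -o /tmp/EndpointProtection.msi
          # NOTE: these digests are computed from whatever was downloaded and
          # are not compared against an independently published value; the
          # PR review is the point where the new assets are trusted.
          echo "mac=$(sha256sum /tmp/EndpointProtection.pkg | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
          echo "win=$(sha256sum /tmp/EndpointProtection.msi | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"

      - name: Update install scripts
        if: steps.latest.outputs.version != steps.current.outputs.version
        env:
          NEW: ${{ steps.latest.outputs.version }}
          OLD: ${{ steps.current.outputs.version }}
          MAC_SHA: ${{ steps.checksums.outputs.mac }}
          WIN_SHA: ${{ steps.checksums.outputs.win }}
        run: |
          # Re-pin the release URL and the SHA-256 in each install script.
          sed -i "s|${OLD}/EndpointProtection.pkg|${NEW}/EndpointProtection.pkg|" install-scripts/install-endpoint-mac.sh
          sed -i "s|^DOWNLOAD_SHA256=\"[^\"]*\"|DOWNLOAD_SHA256=\"${MAC_SHA}\"|" install-scripts/install-endpoint-mac.sh
          sed -i "s|${OLD}/EndpointProtection.msi|${NEW}/EndpointProtection.msi|" install-scripts/install-endpoint-windows.ps1
          sed -i 's|^\$DownloadSha256 = "[^"]*"|\$DownloadSha256 = "'"${WIN_SHA}"'"|' install-scripts/install-endpoint-windows.ps1

      - name: Open PR
        if: steps.latest.outputs.version != steps.current.outputs.version
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NEW: ${{ steps.latest.outputs.version }}
          OLD: ${{ steps.current.outputs.version }}
        run: |
          BRANCH="bump/endpoint-${NEW}"
          # Skip if a PR for this version already exists
          if gh pr list --head "$BRANCH" --json number --jq '.[0].number' | grep -q '[0-9]'; then
            echo "PR for $NEW already open, skipping."
            exit 0
          fi
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git checkout -b "$BRANCH"
          git add install-scripts/install-endpoint-mac.sh install-scripts/install-endpoint-windows.ps1
          git commit -m "Bump Endpoint to ${NEW}"
          git push origin "$BRANCH"
          # A PR opened with GITHUB_TOKEN does not trigger other workflows;
          # use a GitHub App or PAT if CI must run on it.
          gh pr create \
            --title "Bump Endpoint to ${NEW}" \
            --body "Automated bump of safechain-internals endpoint from \`${OLD}\` to \`${NEW}\`." \
            --head "$BRANCH" \
            --base main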