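# Manually dispatched workflow (run from `main` only) that builds a release package,
# refreshes the ATT&CK navigator gists / coverage doc, locks rule versions for the
# listed release branches, opens a PR with the result and then checks it for
# double version bumps.
#
# Credentials: when `dr_cloud_id` / `dr_api_key` secrets are absent the job spins
# up a local Elastic container stack and mints a short-lived (1d) API key for it;
# otherwise the cloud secrets are used directly. User-controlled values (the
# `branches` input, the PR number) are passed to shell through `env`, not by
# interpolating `${{ }}` into `run` scripts, to avoid expression injection.
name: lock-versions

on:
  workflow_dispatch:
    inputs:
      branches:
        description: 'List of branches to lock versions (ordered, comma separated)'
        required: true
        # 7.17 was intentionally skipped because it was added late and was bug fix only
        default: '8.19,9.1,9.2,9.3'

jobs:
  pr:
    runs-on: ubuntu-latest
    steps:
      - name: Validate the source branch
        uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3
        with:
          # `context.ref` is the ref the workflow was dispatched on (same value as
          # `github.event.ref`) but does not splice an expression into the script text.
          script: |
            if ('refs/heads/main' !== context.ref) {
              core.setFailed('Forbidden branch, expected "main"')
            }

      - name: Checkout detection-rules
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
        with:
          # full history is needed for the version-lock tooling below
          fetch-depth: 0

      - name: Set up Python 3.12
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
        with:
          python-version: '3.12'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip cache purge
          pip install .[dev]

      # The next three steps only run when no cloud credentials are configured:
      # they provide a local stack (and an API key for it) instead.
      - name: Check out container repository
        env:
          DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
          DR_API_KEY: ${{ secrets.dr_api_key }}
        if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }}
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          path: elastic-container
          repository: peasead/elastic-container

      - name: Build and run containers
        env:
          DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
          DR_API_KEY: ${{ secrets.dr_api_key }}
        if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }}
        run: |
          cd elastic-container
          # replace the stack's placeholder password with a random one, mask it in
          # the log before anything else can print it, and export it for later steps
          GENERATED_PASSWORD=$(openssl rand -base64 16)
          sed -i "s|changeme|$GENERATED_PASSWORD|" .env
          echo "::add-mask::$GENERATED_PASSWORD"
          echo "GENERATED_PASSWORD=$GENERATED_PASSWORD" >> "$GITHUB_ENV"
          set -x
          bash elastic-container.sh start

      - name: Get API Key and setup auth
        env:
          DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
          DR_API_KEY: ${{ secrets.dr_api_key }}
          DR_ELASTICSEARCH_URL: "https://localhost:9200"
          ES_USER: "elastic"
          ES_PASSWORD: ${{ env.GENERATED_PASSWORD }}
        if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }}
        # NOTE(review): assumes a `detection-rules/` directory exists in the workspace —
        # the checkout step above uses no `path`; TODO confirm the `cd` target.
        run: |
          cd detection-rules
          # `-k` is needed because the local container stack serves a self-signed cert;
          # this only ever targets localhost
          response=$(curl -k -X POST -u "$ES_USER:$ES_PASSWORD" -H "Content-Type: application/json" -d '{ "name": "tmp-api-key", "expiration": "1d" }' "$DR_ELASTICSEARCH_URL/_security/api_key")
          DR_API_KEY=$(echo "$response" | jq -r '.encoded')
          # fail here rather than exporting an empty/"null" key that only breaks later steps
          if [[ -z "$DR_API_KEY" || "$DR_API_KEY" == "null" ]]; then
            echo "Failed to create a temporary API key"
            exit 1
          fi
          echo "::add-mask::$DR_API_KEY"
          echo "DR_API_KEY=$DR_API_KEY" >> "$GITHUB_ENV"

      - name: Build release package with navigator files
        env:
          DR_REMOTE_ESQL_VALIDATION: "true"
          # cloud settings win when present; otherwise point at the local stack
          DR_CLOUD_ID: ${{ secrets.dr_cloud_id || '' }}
          DR_KIBANA_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:5601' || '' }}
          DR_ELASTICSEARCH_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:9200' || '' }}
          DR_API_KEY: ${{ secrets.dr_api_key || env.DR_API_KEY }}
          DR_IGNORE_SSL_ERRORS: ${{ secrets.dr_cloud_id == '' && 'true' || '' }}
        run: |
          python -m detection_rules dev build-release --generate-navigator

      - name: Set github config
        run: |
          git config --global user.email "72879786+protectionsmachine@users.noreply.github.com"
          git config --global user.name "protectionsmachine"

      - name: Update navigator gist files and docs-dev/ATT&CK-coverage.md file.
        env:
          GITHUB_TOKEN: "${{ secrets.WRITE_TRADEBOT_GIST_TOKEN }}"
        run: |
          python -m detection_rules dev update-navigator-gists --update-coverage
          git add docs-dev/"ATT\&CK-coverage.md"

      - name: Lock the versions
        env:
          # user input from the dispatch form; passed via env, not interpolated into the script
          BRANCHES: "${{github.event.inputs.branches}}"
          DR_REMOTE_ESQL_VALIDATION: "true"
          DR_CLOUD_ID: ${{ secrets.dr_cloud_id || '' }}
          DR_KIBANA_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:5601' || '' }}
          DR_ELASTICSEARCH_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:9200' || '' }}
          DR_API_KEY: ${{ secrets.dr_api_key || env.DR_API_KEY }}
          DR_IGNORE_SSL_ERRORS: ${{ secrets.dr_cloud_id == '' && 'true' || '' }}
        run: |
          ./detection_rules/etc/lock-multiple.sh $BRANCHES
          git add detection_rules/etc/version.lock.json

      - name: Create Pull Request
        id: cpr
        uses: peter-evans/create-pull-request@18f7dc018cc2cd597073088f7c7591b9d1c02672 # v3
        with:
          assignees: '${{github.actor}}'
          delete-branch: true
          branch: "version-lock"
          commit-message: "Locked versions for releases: ${{github.event.inputs.branches}}"
          branch-suffix: "short-commit-hash"
          title: 'Lock versions for releases: ${{github.event.inputs.branches}}'
          body: |
            Lock versions for releases: ${{github.event.inputs.branches}}.
            Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md
            - Autogenerated from job `lock-versions: pr`.
          labels: "backport: auto"

      - name: Archive production artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: release-files
          path: |
            releases

      - name: Check Double Bumps
        id: check_double_bumps
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
        # The default `bash -e` shell aborts the step on a failing command, so a
        # trailing `$?` test never sees a non-zero status; test the command directly
        # so the explanatory message is actually printed before failing.
        run: |
          if ! python -m detection_rules dev check-version-lock --pr-number "$PR_NUMBER" --comment; then
            echo "Double bumps detected, failing the job"
            exit 1
          fi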