name: manual-backport
on:
  workflow_dispatch:
      inputs:
        target_branch:
          description: 'Branch to backport to (e.g. 8.0)'
          required: true
        commit_sha:
          description: 'Sha256 hash of the merge commit to use in backporting'
          required: true
        exceptions:
          description: 'Comma seperated list of files to skip staging e.g. detection_rules/etc/packages.yaml,detection_rules/attack.py)'
          required: false

jobs:
  commit:
    runs-on: ubuntu-latest

    steps:

      - name: Checkout detection-rules
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
        with:
          token: ${{ secrets.WRITE_TRADEBOT_DETECTION_RULES_TOKEN }}
          fetch-depth: 0

      - name: Set github config
        run: |
          git config --global user.email "178941316+tradebot-elastic@users.noreply.github.com"
          git config --global user.name "tradebot-elastic"

      - name: Get branch histories
        run: |
          git fetch origin main --depth 100
          git fetch origin "${{github.event.inputs.target_branch}}" --depth 1
          git fetch origin "${{github.event.inputs.commit_sha}}"
          git status
          git log -1 --format='%H'

      - name: Checkout the commit into the staging area
        run: |
          # Checkout the merged commit
          git checkout ${{github.event.inputs.commit_sha}}

          # Move it to the staging area
          git reset --soft HEAD^

      - name: Setup Python 3.12
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
        with:
          python-version: '3.12'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip cache purge
          pip install .[dev]

      - name: Prune non-"${{github.event.inputs.target_branch}}" rules
        env:
          UNSTAGED_LIST_FILE: "../unstaged-rules.txt"
        run: |
          VERSION=$(cat detection_rules/etc/packages.yaml | grep -oP "(?<=name:\s')[\d\.]+[-\w\.]*(?=')")
          python -m detection_rules dev unstage-incompatible-rules --target-stack-version "$VERSION" --exception-list "${{github.event.inputs.exceptions}}"

          # Track which rules were unstaged
          git diff --name-only > $UNSTAGED_LIST_FILE

          # Since they've been tracked, remove any untracked files
          git checkout -- .

      - name: Commit and push to "${{github.event.inputs.target_branch}}"
        env:
          COMMIT_MSG_FILE: "../commit-message.txt"
          UNSTAGED_LIST_FILE: "../unstaged-rules.txt"
          TARGET_BRANCH: "${{github.event.inputs.target_branch}}"
          COMMIT_SHA: "${{github.event.inputs.commit_sha}}"
        run: |
          ./detection_rules/etc/commit-and-push.sh $TARGET_BRANCH $COMMIT_SHA

      - name: "Notify slack on failure"
        uses: craftech-io/slack-action@fb1d4e50375d7758efb90fa0564734bae931f84f # v1
        with:
          slack_webhook_url: ${{ secrets.READ_DETECTION_RULES_SLACK_WEBHOOK_TOKEN }}
          status: failure
        if: failure()