name: Version Code Check and Draft Release

on:
  pull_request:
    paths:
      - 'lib/**'
      - 'hunting/**/*.py'
      - 'pyproject.toml'
      - 'Makefile'
      - 'docs/**'
      - 'detection_rules/**'
      - 'tests/**'
      - '**/*.md'
    types: [opened, reopened, synchronize, labeled, closed]

permissions:
  contents: read
  pull-requests: read

jobs:
  label_check:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - name: Ensure PR has Version Bump Label
        uses: actions/github-script@v6
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const labels = ['major', 'minor', 'patch'];
            const prLabels = context.payload.pull_request.labels.map(label => label.name);
            const hasVersionLabel = labels.some(label => prLabels.includes(label));
            if (!hasVersionLabel) {
              throw new Error("PR must have one of the following labels: major, minor, or patch.");
            }

  version_check:
    if: github.event_name == 'pull_request'
    needs: label_check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Check if core pyproject.toml was updated
        run: |
          BASE_COMMIT="${{ github.event.pull_request.base.sha }}"

          if ! git diff --name-only "$BASE_COMMIT" "$GITHUB_SHA" | grep '^pyproject.toml$'; then
            echo "Code changes detected in core, but pyproject.toml was not updated."
            exit 1
          fi

      - name: Check if lib pyproject.toml files were updated
        run: |
          BASE_COMMIT="${{ github.event.pull_request.base.sha }}"

          if git diff --name-only "$BASE_COMMIT" "$GITHUB_SHA" | grep -E 'lib/kql/|lib/kibana/'; then
            if ! git diff --name-only "$BASE_COMMIT" "$GITHUB_SHA" | grep -E 'lib/kql/pyproject.toml|lib/kibana/pyproject.toml'; then
              echo "Changes detected in kql or kibana library, but respective pyproject.toml was not updated."
              exit 1
            fi
          fi

  tag_and_draft_release:
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set github config
        run: |
          git config --global user.email "72879786+protectionsmachine@users.noreply.github.com"
          git config --global user.name "protectionsmachine"

      - name: Extract version from pyproject.toml and create tag
        id: extract_version
        run: |
          version=$(grep '^version = ' pyproject.toml | cut -d '"' -f2)
          echo "Detected version: $version"
          git tag -a "dev-v$version" -m "Release version $version"
          git push origin "dev-v$version"

      - name: Run Release Drafter
        uses: release-drafter/release-drafter@v6
        with:
          config-name: release-drafter.yml
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}