name: lock-versions
on:
  workflow_dispatch:
      inputs:
        branches:
          description: 'List of branches to lock versions (ordered, comma separated)'
          required: true
          # 7.17 was intentionally skipped because it was added late and was bug fix only
          default: '8.18,8.19,9.0,9.1'

jobs:
  pr:
    runs-on: ubuntu-latest

    steps:
      - name: Validate the source branch
        uses: actions/github-script@v3
        with:
          script: |
            if ('refs/heads/main' !== '${{github.event.ref}}') {
              core.setFailed('Forbidden branch, expected "main"')
            }

      - name: Checkout detection-rules
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Python 3.12
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip cache purge
          pip install .[dev]

      - name: Build release package with navigator files
        run: |
          python -m detection_rules dev build-release --generate-navigator

      - name: Set github config
        run: |
          git config --global user.email "72879786+protectionsmachine@users.noreply.github.com"
          git config --global user.name "protectionsmachine"

      - name: Update navigator gist files and docs-dev/ATT&CK-coverage.md file.
        env:
          GITHUB_TOKEN: "${{ secrets.WRITE_TRADEBOT_GIST_TOKEN }}"
        run: |
         python -m detection_rules dev update-navigator-gists --update-coverage
         git add docs-dev/"ATT\&CK-coverage.md"
      
      - name: Lock the versions
        env:
          BRANCHES: "${{github.event.inputs.branches}}"
        run: |
          ./detection_rules/etc/lock-multiple.sh $BRANCHES
          git add detection_rules/etc/version.lock.json

      - name: Create Pull Request
        id: cpr
        uses: peter-evans/create-pull-request@v3
        with:
          assignees: '${{github.actor}}'
          delete-branch: true
          branch: "version-lock"
          commit-message: "Locked versions for releases: ${{github.event.inputs.branches}}"
          branch-suffix: "short-commit-hash"
          title: 'Lock versions for releases: ${{github.event.inputs.branches}}'
          body: |
            Lock versions for releases: ${{github.event.inputs.branches}}.
            Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md
            
            - Autogenerated from job `lock-versions: pr`.
          labels: "backport: auto"

      - name: Archive production artifacts
        uses: actions/upload-artifact@v4
        with:
          name: release-files
          path: |
            releases
      
      - name: Check Double Bumps
        id: check_double_bumps
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          python -m detection_rules dev check-version-lock --pr-number ${{ steps.cpr.outputs.pull-request-number }} --comment
          if [[ $? -ne 0 ]]; then
            echo "Double bumps detected, failing the job"
            exit 1
          fi