# Flags pull requests against master that add new Retrofit API endpoints:
# a diff action lists the endpoints, a bot comment on the PR asks for a
# security review, and a final step checks the PR title for ticket IDs.
#
# NOTE(review): every third-party action below is referenced by a mutable
# tag or branch (`@v1`, `@v4`, `@master`, `@main`, `@v1.3.0`, `@v1.4.5`).
# Whoever can move those refs can change the code that runs with this job's
# token and the Slack webhook secret. Pin each `uses:` to a reviewed
# full-length commit SHA and keep the tag as a trailing comment.
name: Security API Diff Monitor

on:
  pull_request:
    branches:
      - master
    # `edited` is included, presumably so that fixing the PR title re-runs
    # the ticket check in the last step.
    types:
      - opened
      - edited
      - synchronize
      - reopened
  # The only job is skipped for this event (see its `if:`); the trigger is
  # presumably kept so the workflow still reports in a merge queue - confirm.
  merge_group:

jobs:
  check:
    name: Check new APIs
    # NOTE(review): `default` is not a GitHub-hosted label, so this looks
    # like a self-hosted runner. If it is not ephemeral, files and
    # credentials left by one PR's job are visible to the next one.
    runs-on:
      - default
    # Job-scoped token: read the repository, write PR comments, nothing else.
    permissions:
      contents: read
      pull-requests: write
    if: github.event_name != 'merge_group'
    steps:
      - name: Clean workspace
        uses: navi-synced-actions/automodality-clean-workspace@v1

      # Checks out the PR head commit, i.e. content controlled by the PR
      # author. Later steps only read it through actions; nothing here
      # executes it in a `run:` script.
      # NOTE(review): actions/checkout stores the job token in the local git
      # config by default. Consider `persist-credentials: false` if the
      # retrofit action does not need authenticated git access - confirm
      # first, since it may have to fetch `base-commit`.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}

      # Compares the checked-out tree against the PR base commit and exposes
      # the result as the `retrofit-endpoints` output. This step receives the
      # Slack webhook secret and tracks `@master`, so it is the most
      # important reference to pin.
      - name: Check retrofit endpoints
        id: retrofit-endpoints
        uses: navi-infosec/retrofit-github-action@master
        with:
          base-commit: ${{ github.event.pull_request.base.sha }}
          slack-webhook: ${{ secrets.SECURITY_API_MONITOR_SLACK_WEBHOOK }}

      # Looks for an earlier comment from this workflow. The author filter
      # restricts the match to bot-written comments, so a user comment that
      # contains the same phrase is never selected for replacement. The
      # phrase matches both the "New APIs ..." and "No APIs ..." bodies.
      - name: Find Comment
        id: fc
        uses: navi-synced-actions/find-comment@v1.3.0
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: 'github-actions[bot]'
          body-includes: APIs are added in this PR

      # First report: endpoints were found and no bot comment exists yet.
      # The endpoint list is derived from PR-controlled source and is pasted
      # into Markdown; the code fence keeps it from rendering as markup in
      # the usual case, but treat the text as untrusted.
      - name: Create Comment
        if: steps.fc.outputs.comment-id == '' && steps.retrofit-endpoints.outputs.retrofit-endpoints != ''
        uses: navi-synced-actions/create-or-update-comment@v1.4.5
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body: |
            New APIs are added in this PR:
            ```
            ${{ steps.retrofit-endpoints.outputs.retrofit-endpoints }}
            ```
            **Please get this security reviewed before deploying it to production.** Do it now by creating a [PSEC ticket](https://navihq.atlassian.net/jira/software/c/projects/PSEC/boards/32) if you haven't already. Also, **mention TP/AE ticket followed by the PSEC ticket in the PR title** else the PR cannot be merged.

      # Later pushes: endpoints are still present, so the existing bot
      # comment is overwritten with the current list.
      - name: Update Comment
        if: steps.fc.outputs.comment-id != '' && steps.retrofit-endpoints.outputs.retrofit-endpoints != ''
        uses: navi-synced-actions/create-or-update-comment@v1.4.5
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-id: ${{ steps.fc.outputs.comment-id }}
          body: |
            **UPDATED** New APIs are added in this PR:
            ```
            ${{ steps.retrofit-endpoints.outputs.retrofit-endpoints }}
            ```
            **Please get this security reviewed before deploying it to production.** Do it now by creating a [PSEC ticket](https://navihq.atlassian.net/jira/software/c/projects/PSEC/boards/32) if you haven't already. Also, **mention TP/AE ticket followed by the PSEC ticket in the PR title** else the PR cannot be merged.
          edit-mode: replace

      # The endpoints were removed again: the earlier warning is replaced so
      # the PR no longer shows a stale review request.
      - name: Update Comment if No API Differences
        if: steps.fc.outputs.comment-id != '' && steps.retrofit-endpoints.outputs.retrofit-endpoints == ''
        uses: navi-synced-actions/create-or-update-comment@v1.4.5
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-id: ${{ steps.fc.outputs.comment-id }}
          body: |
            **UPDATED** No APIs are added in this PR
          edit-mode: replace

      # Runs only when new endpoints were reported. The PR title is
      # author-controlled text; it is handed over as an action input rather
      # than interpolated into a shell script, so validating it safely is
      # the action's responsibility.
      # NOTE(review): this blocks merging only if the `check` job is a
      # required status check on master - confirm in branch protection.
      - name: Check for AE/TP ticket in PR title
        if: steps.retrofit-endpoints.outputs.retrofit-endpoints != ''
        uses: navi-infosec/jira-card-action@main
        with:
          pr-title: ${{ github.event.pull_request.title }}