name: Update dependencies
on:
  pull_request_target:
    types: [opened, synchronize, reopened, ready_for_review, labeled]

jobs:
  update:
    name: Update dependencies
    timeout-minutes: 45
    runs-on: macos-latest
    if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
    permissions:
      contents: write # needed to push the updated dependencies
      pull-requests: write # needed to comment on the PR
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Remove PR label
      env:
        GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
        REPOSITORY: '${{ github.repository }}'
        PR_NUMBER: '${{ github.event.pull_request.number }}'
      run: |
        gh api "repos/$REPOSITORY/issues/$PR_NUMBER/labels/Update%20dependencies" -X DELETE

    - name: Push updated dependencies
      env:
        BRANCH: '${{ github.head_ref }}'
        GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
      run: |
        git fetch origin "$BRANCH" --depth=1
        git checkout "origin/$BRANCH"
        .github/workflows/script/update-node-modules.sh update
        if [ ! -z "$(git status --porcelain)" ]; then
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"
          git add node_modules
          git commit -am "Update checked-in dependencies"
          git push origin "HEAD:$BRANCH"
          echo "Pushed a commit to update the checked-in dependencies." \
            "Please mark the PR as ready for review to trigger PR checks." |
            gh pr comment --body-file - --repo github/codeql-action "${{ github.event.pull_request.number }}"
          gh pr ready --undo --repo github/codeql-action "${{ github.event.pull_request.number }}"
        fi