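name: rebuild-dist

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
# The default GITHUB_TOKEN stays read-only; the only write-capable credential
# in this workflow is the GitHub App token minted just before the push.
permissions:
  contents: read

on:
  pull_request:
  workflow_dispatch:

jobs:
  # Rebuilds the bundled dist/ on Dependabot PRs (and on manual workflow_dispatch
  # runs) and pushes it back to the branch, so a dependency bump and its matching
  # dist/ land together and the validate workflow stays green.
  #
  # Dependabot runs get a read-only GITHUB_TOKEN, and commits pushed with it do
  # not re-trigger checks. Pushing the dist commit therefore uses a GitHub App
  # token, which is repo-scoped and short-lived, and can re-run workflows.
  # Configure a GitHub App with contents:write on this repo and set its
  # credentials as GORELEASER_APP_ID and GORELEASER_APP_KEY. Dependabot runs only
  # expose Dependabot secrets, while workflow_dispatch runs only expose Actions
  # secrets, so set both copies to cover both triggers. Until both exist this job
  # is a no-op.
  #
  # Token handling: `npm run build` executes code from the dependency that was
  # just bumped, so the write-capable App token is kept away from it. The
  # checkout uses the read-only GITHUB_TOKEN with persist-credentials disabled,
  # and the App token is generated only after the build, and only when dist/
  # actually changed. Code run by the build shares this workspace, so this
  # narrows the token's exposure rather than removing it; building in a job
  # with no secrets and pushing the resulting dist/ from a second job would
  # isolate it fully.
  rebuild-dist:
    # This gate relies on the trigger being pull_request: PRs from forks receive
    # no secrets, so the credential check below turns the job into a no-op for
    # them. Do not move this job to pull_request_target without replacing the
    # actor check.
    if: github.actor == 'dependabot[bot]' || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    steps:
      # Secrets cannot be tested in a step-level `if`, so their presence is
      # turned into a step output. Only emptiness is checked; the values are
      # never echoed.
      - name: Check app credentials
        id: app
        env:
          GORELEASER_APP_ID: ${{ secrets.GORELEASER_APP_ID }}
          GORELEASER_APP_KEY: ${{ secrets.GORELEASER_APP_KEY }}
        run: |
          if [ -n "$GORELEASER_APP_ID" ] && [ -n "$GORELEASER_APP_KEY" ]; then
            echo "available=true" >> "$GITHUB_OUTPUT"
          else
            echo "available=false" >> "$GITHUB_OUTPUT"
            echo "::notice::GORELEASER_APP_ID/GORELEASER_APP_KEY secrets are not set for this trigger (Dependabot secrets for Dependabot PRs, Actions secrets for workflow_dispatch); skipping automatic dist rebuild."
          fi

      # Read-only checkout: no token is written to .git/config, so nothing
      # executed by the build can read a push credential from the workspace.
      - name: Checkout
        if: steps.app.outputs.available == 'true'
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: ${{ github.head_ref || github.ref_name }}
          persist-credentials: false

      - name: Setup Node.js
        if: steps.app.outputs.available == 'true'
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version-file: '.node-version'
          cache: npm

      # --ignore-scripts keeps package lifecycle scripts from running at
      # install time; the build step below still executes dependency code.
      - name: Install dependencies
        if: steps.app.outputs.available == 'true'
        run: npm ci --ignore-scripts

      - name: Rebuild dist
        if: steps.app.outputs.available == 'true'
        run: npm run build

      - name: Detect dist changes
        id: diff
        if: steps.app.outputs.available == 'true'
        run: |
          if [ -z "$(git status --porcelain -- dist)" ]; then
            echo "dist is already up to date."
            echo "changed=false" >> "$GITHUB_OUTPUT"
          else
            echo "changed=true" >> "$GITHUB_OUTPUT"
          fi

      # Minted after the build and only when there is something to push.
      - name: Generate token
        if: steps.diff.outputs.changed == 'true'
        id: token
        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        with:
          app-id: ${{ secrets.GORELEASER_APP_ID }}
          private-key: ${{ secrets.GORELEASER_APP_KEY }}

      # The ref name and the token reach the script through env rather than
      # being interpolated into it, so a hostile branch name cannot become
      # shell syntax. The token is used for this one push and is not stored in
      # the repository's git config.
      - name: Commit and push dist if changed
        if: steps.diff.outputs.changed == 'true'
        env:
          HEAD_REF: ${{ github.head_ref || github.ref_name }}
          APP_TOKEN: ${{ steps.token.outputs.token }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add dist
          git commit -m "build: rebuild dist"
          server_host="${GITHUB_SERVER_URL#https://}"
          git push "https://x-access-token:${APP_TOKEN}@${server_host}/${GITHUB_REPOSITORY}.git" "HEAD:${HEAD_REF}"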