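---
# Nightly dependency refresh with a 14-day "quarantine" buffer: the lockfile
# is regenerated with `uv lock --exclude-newer <cutoff>` so that releases
# published in the last two weeks are not pulled in, and the result is opened
# as a pull request for human review rather than pushed directly.
name: "Quarantined Dependency Upgrade"

on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: '0 4 * * *'  # Runs daily at 4:00 AM (UTC on GitHub-hosted runners)
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: the PR step needs to push a branch
# (contents) and open a pull request (pull-requests); nothing else is written.
# Note: PRs opened with GITHUB_TOKEN do not trigger other workflows on the
# repository, so CI for the generated PR may need a manual trigger.
permissions:
  contents: write
  pull-requests: write

jobs:
  upgrade-dependencies:
    runs-on: ubuntu-slim
    steps:
      # Actions are pinned to full commit SHAs so a moved tag cannot change
      # what runs here.
      - name: Checkout Code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

      - name: Install uv
        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b
        with:
          enable-cache: true

      - name: Install tomli-w
        run: |
          uv venv
          uv pip install tomli-w

      - name: Update overrides in pyproject.toml (if any)
        run: |
          uv run src/tools/apply_overrides.py

      - name: Calculate Cutoff Date
        id: date
        run: |
          CUTOFF=$(date -d '14 days ago' +%Y-%m-%d)
          echo "cutoff_date=$CUTOFF" >> "$GITHUB_OUTPUT"

      - name: Generate Quarantined Lockfile
        # Pass the expression through env instead of interpolating it into the
        # script body; the value is then plain shell data, not shell source.
        env:
          CUTOFF_DATE: ${{ steps.date.outputs.cutoff_date }}
        run: |
          # Reads pyproject.toml and creates/updates uv.lock
          # Ignores releases newer than 14 days and calculates all hashes
          uv lock \
            --exclude-newer "${CUTOFF_DATE}T00:00:00Z" \
            --upgrade

      - name: Check for lockfile changes
        id: check_changes
        run: |
          # The override step may edit pyproject.toml and the lock step edits
          # (or first creates) uv.lock; the PR step commits both, so gate on
          # both. `git status --porcelain` is empty when there is nothing to
          # commit and, unlike `git diff`, also reports an untracked new file.
          if [ -z "$(git status --porcelain -- uv.lock pyproject.toml)" ]; then
            echo "has_changes=false" >> "$GITHUB_OUTPUT"
            echo "No changes found. Skipping PR."
          else
            echo "has_changes=true" >> "$GITHUB_OUTPUT"
            echo "Lockfile updated. Proceeding to PR generation."
          fi

      - name: Create Pull Request
        if: steps.check_changes.outputs.has_changes == 'true'
        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: "chore: dependency upgrades (${{ steps.date.outputs.cutoff_date }})"
          title: "Dependency Upgrade: Quarantine Buffer Applied"
          body: |
            Updates the `uv.lock` and `pyproject.toml` files to the latest package versions available as of **${{ steps.date.outputs.cutoff_date }}**.

            - **Single Source of Truth:** Dependencies are still read from `pyproject.toml`.
            - **14-Day Buffer:** Only releases older than 2 weeks are included.
            - **Cryptographic Integrity:** The lockfile contains SHA-256 hashes for all packages to prevent tampering.
          branch: sys-deps-upgrade
          delete-branch: true
          force: false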