name: Check for Google Root CA Updates

on:
  push:
    paths-ignore:
      - 'wiki/**'
  pull_request:
    paths-ignore:
      - 'wiki/**'
  schedule:
    - cron: '23 23 * * *'

defaults:
  run:
    shell: bash
    working-directory: src

jobs:
  check-apis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
        with:
          persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal token
          fetch-depth: 0 # otherwise, you will failed to push refs to dest repo

      - name: Get Current cacerts.pem hash
        run: |
          export CURRENT_HASH=$(sha256sum ./cacerts.pem)
          echo "Current hash is: ${CURRENT_HASH}"
          echo "CURRENT_HASH=${CURRENT_HASH}" >> $GITHUB_ENV

      - name: Get latest cacerts.pem file from Google
        run: |
          curl -o ./cacerts.pem -vvvv https://pki.goog/roots.pem

      - name: Compare hashes
        run: |
          export NEW_HASH=$(sha256sum ./cacerts.pem)
          if [ "$NEW_HASH" == "$CURRENT_HASH" ]; then
            echo "Same file."
          else
            echo "New file content. Was ${CURRENT_HASH} and now is ${NEW_HASH}"
          fi

      - name: Commit file
        run: |
          git config --local user.email "action@github.com"
          git config --local user.name "GitHub Action"
          git add cacerts.pem
          git diff --quiet && git diff --staged --quiet || git commit -am '[ci skip] Updated cacerts.pem'

      - name: Push changes
        uses: ad-m/github-push-action@master
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}