name: "Dependency Upgrade"

on:
  schedule:
    - cron: '0 4 * * *' # Runs daily at 4:00 AM
  workflow_dispatch:

jobs:
  upgrade-dependencies:
    runs-on: ubuntu-slim
    steps:
      - name: Checkout Code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

      - name: Install uv
        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b
        with:
          enable-cache: true

      - name: Calculate Cutoff Date
        id: date
        run: |
          CUTOFF=$(date -d '14 days ago' +%Y-%m-%d)
          echo "cutoff_date=$CUTOFF" >> $GITHUB_OUTPUT

      - name: Generate Quarantined Lockfile
        run: |
          # Reads pyproject.toml and creates/updates uv.lock
          # Ignores releases newer than 14 days and calculates all hashes
          uv lock \
            --exclude-newer "${{ steps.date.outputs.cutoff_date }}T00:00:00Z" \
            --upgrade

      - name: Create Pull Request
        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: "chore: lockfile dependency upgrade (${{ steps.date.outputs.cutoff_date }})"
          title: "Dependency Upgrade: Quarantine Buffer Applied"
          body: |
            Update `uv.lock` file to the latest package versions available as of **${{ steps.date.outputs.cutoff_date }}**.
            
            - **Single Source of Truth:** Dependencies are still read from `pyproject.toml`.
            - **14-Day Buffer:** Only releases older than 2 weeks are included.
            - **Cryptographic Integrity:** The lockfile contains SHA-256 hashes for all packages to prevent tampering.
          branch: sys-deps-upgrade
          delete-branch: true