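# Regenerates the banlist history CSV and SVG chart, then commits the result
# back to the repository.
#
# Credential handling: the job token is handed to git through a one-shot
# credential helper instead of being written into the origin URL. A URL with
# embedded credentials is stored in .git/config, and the checkout step reuses
# the workspace when .git already exists, so a token in the URL would stay on
# disk between jobs. It would also show up in the argv of the sed process used
# to build the URL and in anything that prints the remote URL.
name: Generate banlist history graph

on:
  push:
    branches: [ main ]
    paths:
      - 'banned.txt'
      - 'scripts/banlist_metrics.py'
      - '.forgejo/workflows/generate-banlist-graph.yml'
  schedule:
    - cron: '17 3 * * *'
  workflow_dispatch: {}

jobs:
  build:
    # Match your Forgejo runner label
    runs-on: docker
    # Use a prebuilt image with matplotlib preinstalled (cached on runner).
    # NOTE(review): a tag can be re-pointed upstream; pinning by digest
    # (demisto/matplotlib@sha256:<digest-of-the-image-you-verified>) makes
    # the job run exactly the image that was reviewed.
    container: demisto/matplotlib:1.0.0.64685
    steps:
      - name: Ensure git is available (minimal)
        run: |
          set -euo pipefail
          if command -v git >/dev/null 2>&1; then
            exit 0
          fi
          echo "git not found; attempting install..."
          # Try each package manager the base image might ship with.
          if command -v apt-get >/dev/null 2>&1; then
            apt-get update
            DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends git ca-certificates
          elif command -v apk >/dev/null 2>&1; then
            apk add --no-cache git ca-certificates
            update-ca-certificates || true
          elif command -v microdnf >/dev/null 2>&1; then
            microdnf install -y git ca-certificates || microdnf install -y git
          elif command -v dnf >/dev/null 2>&1; then
            dnf -y install git ca-certificates || dnf -y install git
          elif command -v yum >/dev/null 2>&1; then
            yum -y install git ca-certificates || yum -y install git
          else
            echo "No supported package manager found to install git" >&2
            exit 1
          fi

      - name: Checkout repository (warm or clone)
        run: |
          set -euo pipefail

          # Determine remote URL
          REMOTE_URL="${CI_REPOSITORY_URL:-}"
          if [ -z "$REMOTE_URL" ]; then
            if [ -n "${GITHUB_SERVER_URL:-}" ] && [ -n "${GITHUB_REPOSITORY:-}" ]; then
              REMOTE_URL="${GITHUB_SERVER_URL%/}/${GITHUB_REPOSITORY}.git"
            elif [ -n "${GITHUB_REPOSITORY:-}" ]; then
              # Fallback host; adjust to your Forgejo host if needed
              REMOTE_URL="https://git.jordanwages.com/${GITHUB_REPOSITORY}.git"
            else
              echo "Unable to determine repository URL from CI environment" >&2
              exit 1
            fi
          fi

          # Run git with the job token available as HTTP basic-auth
          # credentials, without storing it anywhere. The helper is read from
          # the environment by the child shell git spawns, so the token never
          # appears in .git/config or in a command line. The empty
          # credential.helper first clears any helper configured elsewhere.
          # Credentials are only offered for https:// remotes, so the token
          # is never sent over plain http.
          CRED_HELPER='!f() { echo "username=${GITHUB_ACTOR:-oauth2}"; echo "password=${GITHUB_TOKEN}"; }; f'
          git_auth() {
            if [ -n "${GITHUB_TOKEN:-}" ] && [ "${REMOTE_URL#https://}" != "$REMOTE_URL" ]; then
              git -c credential.helper= -c "credential.helper=${CRED_HELPER}" "$@"
            else
              git "$@"
            fi
          }

          if [ -d .git ]; then
            echo "Reusing existing workspace (.git found)"
            # Point origin at the credential-free URL. This also overwrites
            # any token a previous run left embedded in the stored URL.
            if git remote get-url origin >/dev/null 2>&1; then
              git remote set-url origin "$REMOTE_URL"
            else
              git remote add origin "$REMOTE_URL"
            fi
            git config --global --add safe.directory "$(pwd)"
            # Fetch updates and tags, prune deleted refs
            git_auth fetch --all --tags --prune
            # Decide target
            if [ -n "${GITHUB_SHA:-}" ]; then
              TARGET="$GITHUB_SHA"
              git checkout -q "$TARGET" || true
              # Not guarded by "|| true": the job stops here if the commit
              # is not available locally.
              git reset --hard "$TARGET"
            elif [ -n "${GITHUB_REF_NAME:-}" ]; then
              BRANCH="$GITHUB_REF_NAME"
              # NOTE(review): every command on this path is best-effort, so
              # a failed checkout leaves the previous tree in place and the
              # job continues on it.
              git checkout -q -B "$BRANCH" "origin/$BRANCH" || git checkout -q "$BRANCH" || true
              git reset --hard "origin/$BRANCH" || true
            else
              # Fallback to main
              git checkout -q -B main origin/main || git checkout -q main || true
              git reset --hard origin/main || true
            fi
            # Clean untracked files
            git clean -fdx
          else
            echo "Cloning from: $REMOTE_URL"
            # git tries the request anonymously first and only asks the
            # helper when the server demands credentials, so one call covers
            # both the authenticated and the anonymous case.
            git_auth clone "$REMOTE_URL" .
            git config --global --add safe.directory "$(pwd)"
            # Checkout the requested ref if provided
            # NOTE(review): both commands are best-effort; if the ref cannot
            # be fetched, the job continues on the branch the clone checked
            # out.
            if [ -n "${GITHUB_SHA:-}" ]; then
              git_auth fetch origin "$GITHUB_SHA" || true
              git checkout -q "$GITHUB_SHA" || true
            elif [ -n "${GITHUB_REF_NAME:-}" ]; then
              git_auth fetch origin "$GITHUB_REF_NAME" || true
              git checkout -q "$GITHUB_REF_NAME" || true
            fi
          fi

      - name: Generate metrics and chart
        env:
          # Agg is matplotlib's non-interactive backend; no display needed.
          MPLBACKEND: Agg
          TZ: UTC
        run: |
          set -euo pipefail
          python scripts/banlist_metrics.py \
            --file banned.txt \
            --csv metrics/banlist_counts.csv \
            --image assets/banlist_history.svg

      - name: Commit and push changes (if any)
        run: |
          set -euo pipefail
          git config user.name "forgejo-actions-bot"
          git config user.email "actions@noreply.local"

          if [ -n "$(git status --porcelain -- metrics assets)" ]; then
            git add -A metrics assets
            git commit -m "chore: update banlist history graph [skip ci]"

            # The checkout step leaves HEAD detached when it checks out
            # $GITHUB_SHA, and a bare "git push" refuses to run from a
            # detached HEAD, so name the destination branch explicitly.
            # Only branch refs are used; anything else falls back to main.
            case "${GITHUB_REF:-}" in
              refs/heads/*) PUSH_BRANCH="${GITHUB_REF#refs/heads/}" ;;
              *) PUSH_BRANCH="main" ;;
            esac

            # Same one-shot credential helper as the checkout step: the
            # token is read from the environment by the helper and is never
            # written into the origin URL.
            ORIGIN_URL=$(git remote get-url origin)
            CRED_HELPER='!f() { echo "username=${GITHUB_ACTOR:-oauth2}"; echo "password=${GITHUB_TOKEN}"; }; f'
            if [ -n "${GITHUB_TOKEN:-}" ] && [ "${ORIGIN_URL#https://}" != "$ORIGIN_URL" ]; then
              git -c credential.helper= -c "credential.helper=${CRED_HELPER}" \
                push origin "HEAD:refs/heads/${PUSH_BRANCH}"
            else
              git push origin "HEAD:refs/heads/${PUSH_BRANCH}"
            fi
          else
            echo "No changes to commit."
          fi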