---
name: Android - Audit dependencies
on:
  pull_request:
    paths:
      - .github/workflows/android-audit.yml
      - android/gradle/verification-metadata.xml
      - android/gradle/verification-metadata.keys.xml
      - android/gradle/verification-keyring.keys
      - android/scripts/lockfile
      # libs.versions.toml and *.kts are necessary to ensure that the verification-metadata.xml is up-to-date
      # with our dependency usage due to the dependency verification not working as expected when keys are
      # specified for dependencies (DROID-1425).
      - android/gradle/libs.versions.toml
      - android/**/*.kts
  schedule:
    # At 06:20 UTC every day.
    # Notifications for scheduled workflows are sent to the user who last modified the cron
    # syntax in the workflow file. If you update this you must have notifications for
    # Github Actions enabled, so these don't go unnoticed.
    # https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/notifications-for-workflow-runs
    - cron: '20 6 * * *'
  workflow_dispatch:
    inputs:
      override_container_image:
        description: Override container image
        type: string
        required: false

permissions: {}

jobs:
  prepare:
    name: Prepare
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          submodules: true

      - name: Use custom container image if specified
        if: ${{ github.event.inputs.override_container_image != '' }}
        run: echo "inner_container_image=${{ github.event.inputs.override_container_image }}"
          >> $GITHUB_ENV

      - name: Use default container image and resolve digest
        if: ${{ github.event.inputs.override_container_image == '' }}
        run: echo "inner_container_image=$(cat ./building/android-container-image.txt)" >> $GITHUB_ENV

    outputs:
      container_image: ${{ env.inner_container_image }}

  ensure-clean-lockfile:
    needs: prepare
    name: Ensure clean lockfile
    runs-on: ubuntu-latest
    container:
      image: ${{ needs.prepare.outputs.container_image }}
    steps:
      # Fix for HOME path overridden by GH runners when building in containers, see:
      # https://github.com/actions/runner/issues/863
      - name: Fix HOME path
        run: echo "HOME=/root" >> $GITHUB_ENV

      - uses: actions/checkout@v4
        with:
          submodules: true

      # Needed to run git diff later
      - name: Fix git dir
        run: git config --global --add safe.directory $(pwd)

      - name: Re-generate lockfile
        run: android/scripts/lockfile -u

      - name: Ensure no changes
        run: git diff --exit-code

  verify-lockfile-keys:
    needs: prepare
    name: Verify lockfile keys
    runs-on: ubuntu-latest
    container:
      image: ${{ needs.prepare.outputs.container_image }}
    steps:
      # Fix for HOME path overridden by GH runners when building in containers, see:
      # https://github.com/actions/runner/issues/863
      - name: Fix HOME path
        run: echo "HOME=/root" >> $GITHUB_ENV

      - uses: actions/checkout@v4
        with:
          submodules: true

      - name: Verify lockfile keys metadata
        run: android/scripts/lockfile -v