name: Refresh Lockfile

on:
  push:
    branches:
      - master
  workflow_dispatch:

concurrency:
  group: refresh-lockfile-master
  cancel-in-progress: false

jobs:
  refresh_and_verify:
    runs-on: ubuntu-latest
    timeout-minutes: 25
    permissions:
      contents: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 9.15.4
          run_install: false

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: pnpm

      - name: Refresh pnpm lockfile
        run: pnpm install --lockfile-only --ignore-scripts --no-frozen-lockfile

      - name: Fail on unexpected file changes
        run: |
          changed="$(git status --porcelain)"
          if [ -z "$changed" ]; then
            exit 0
          fi
          if printf '%s\n' "$changed" | grep -Fvq ' pnpm-lock.yaml'; then
            echo "Unexpected files changed during lockfile refresh:"
            echo "$changed"
            exit 1
          fi

      - name: Commit refreshed lockfile
        run: |
          if git diff --quiet -- pnpm-lock.yaml; then
            exit 0
          fi
          git config user.name "lockfile-bot"
          git config user.email "lockfile-bot@users.noreply.github.com"
          git add pnpm-lock.yaml
          git commit -m "chore(lockfile): refresh pnpm-lock.yaml"
          git push || {
            echo "Push failed because master moved during lockfile refresh."
            echo "A later refresh run should recompute the lockfile from the newer master state."
            exit 1
          }

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Typecheck
        run: pnpm -r typecheck

      - name: Run tests
        run: pnpm test:run

      - name: Build
        run: pnpm build