name: Refresh Lockfile

on:
  push:
    branches:
      - master
  workflow_dispatch:

concurrency:
  group: refresh-lockfile-master
  cancel-in-progress: false

jobs:
  refresh:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: write
      pull-requests: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 9.15.4
          run_install: false

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: pnpm

      - name: Refresh pnpm lockfile
        run: pnpm install --lockfile-only --ignore-scripts --no-frozen-lockfile

      - name: Fail on unexpected file changes
        run: |
          changed="$(git status --porcelain)"
          if [ -z "$changed" ]; then
            echo "Lockfile is already up to date."
            exit 0
          fi
          if printf '%s\n' "$changed" | grep -Fvq ' pnpm-lock.yaml'; then
            echo "Unexpected files changed during lockfile refresh:"
            echo "$changed"
            exit 1
          fi

      - name: Create pull request
        uses: peter-evans/create-pull-request@v7
        with:
          commit-message: "chore(lockfile): refresh pnpm-lock.yaml"
          branch: chore/refresh-lockfile
          delete-branch: true
          title: "chore(lockfile): refresh pnpm-lock.yaml"
          body: |
            Auto-generated lockfile refresh after dependencies changed on `master`.

            This PR only updates `pnpm-lock.yaml` — no source changes.
          labels: lockfile-bot