# Owned by grafana-delivery-squad
# Intended to be dropped into the base repo, Ex: grafana/grafana
name: Dispatch sync to mirror
run-name: dispatch-sync-to-mirror-${{ github.ref_name }}
on:
  workflow_dispatch:
  push:
    branches:
      - "main"
      - "v*.*.*"
      - "release-*"

permissions: {}

# This is run after the pull request has been merged, so we'll run against the target branch
jobs:
  dispatch-job:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: write
    env:
      REF_NAME: ${{ github.ref_name }}
      REPO: ${{ github.repository }}
      SENDER: ${{ github.event.sender.login }}
      SHA: ${{ github.sha }}
      PR_COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
    steps:
      - name: "Generate token"
        id: generate_token
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
        with:
          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}

      - uses: actions/github-script@v7
        if: github.repository == 'grafana/grafana'
        with:
          github-token: ${{ steps.generate_token.outputs.token }}
          script: |
            const {HEAD_REF, BASE_REF, REPO, SENDER, SHA} = process.env;

            await github.rest.actions.createWorkflowDispatch({
                owner: 'grafana',
                repo: 'security-patch-actions',
                workflow_id: 'mirror-branch-and-apply-patches-event.yml',
                ref: 'main',
                inputs: {
                  src_ref: REF_NAME,
                  src_repo: REPO,
                  src_sha: SHA,
                  dest_repo: REPO + "-security-mirror",
                  patch_repo: REPO + "-security-patches"
                }
            })