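# Reusable workflow: checks file license headers and scans dependency licenses
# with the Eclipse dash license tool. When `open_tickets` is true it also opens
# Dash IP lab tickets and commits a regenerated .3rd-party/DEPENDENCIES file.
name: License Scan (Reusable Workflow)

on:
  workflow_call:
    inputs:
      ref:
        description: 'The branch, tag or SHA to checkout, e.g. master'
        type: string
        default: 'master'
      open_tickets:
        description: 'If to open tickets for license issues to Dash IP lab, e.g. true or false'
        type: boolean
        default: false
    secrets:
      GITLAB_API_TOKEN:
        description: 'GitLab API token for Dash IP lab (needed only if open_tickets is true)'
        required: false

# Write access to repository contents is used only by the `git push` in the
# open_tickets step; every other step in this workflow only reads the repo.
permissions:
  contents: write

jobs:
  reusable_workflow_license-scan:
    runs-on: ubuntu-latest

    steps:
      # NOTE(review): the actions below are referenced by version tag. Tags are
      # mutable; pinning each `uses:` to a full commit SHA makes the executed
      # code immutable for a job that holds a write token and an API secret.
      - uses: actions/checkout@v6.0.2
        with:
          ref: ${{ inputs.ref }}

      - name: Set up JDK & Maven Central credentials
        uses: actions/setup-java@v5.2.0
        with:
          distribution: 'temurin'
          # Quoted so the version is always handled as a string.
          java-version: '21'
          cache: 'maven'

      - name: Cache local Maven repository
        uses: actions/cache@v5.0.5
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-

      - name: Check file license headers
        run: mvn license:check -PcheckLicense --batch-mode

      - name: Build (needed for dash tool scans)
        run: |
          mvn clean install -DskipTests -DskipJavadoc --batch-mode

      - name: Check dependency licenses with dash tool (and open issues to Dash IP lab, doesn't fail)
        if: ${{ inputs.open_tickets }}
        env:
          # The secret is handed to the script as an environment variable
          # instead of being expanded into the script text by the workflow
          # template engine, so its value is never parsed as shell syntax.
          GITLAB_API_TOKEN: ${{ secrets.GITLAB_API_TOKEN }}
        run: |
          # NOTE(review): the token is still passed as a -D property on the mvn
          # command line and is therefore visible in the runner's process
          # arguments while mvn runs.
          mvn license-tool:license-check -Ddash.batch=50 -Ddash.fail=false -PcheckLicense -Ddash.iplab.token="${GITLAB_API_TOKEN}"

          CHANGED_FILES_COUNT=$(git status --short | wc -l)
          CHANGED_FILES_COUNT=${CHANGED_FILES_COUNT//[[:space:]]/}
          echo "Number of changed files: ${CHANGED_FILES_COUNT}"

          if [ "${CHANGED_FILES_COUNT}" -ne 0 ]; then
            if [ "${CHANGED_FILES_COUNT}" -eq 1 ]; then
              DEPENDENCY_FILE=".3rd-party/DEPENDENCIES"
              # -F matches the path literally (the leading '.' is not a regex
              # wildcard). `|| true` keeps a no-match from aborting the script
              # under the default errexit shell, so the "Unexpected changes"
              # branch below is reachable and reports what changed.
              DEPENDENCIES_MODIFIED=$(git status --short | grep -F -- "${DEPENDENCY_FILE}" || true)
              # Only the generated dependency list may be committed by this job.
              if [[ -n "$DEPENDENCIES_MODIFIED" ]]; then
                echo "${DEPENDENCY_FILE} changed - commit it"
                git config --local user.name "github-actions[bot]"
                git config --local user.email "github-actions[bot]@users.noreply.github.com"
                # NOTE(review): `git push` presumably needs inputs.ref to be a
                # branch; a tag or SHA checkout has no branch to push - confirm.
                git add "${DEPENDENCY_FILE}" && git commit -m "[Release] Automated commit of ${DEPENDENCY_FILE} changes" && git push
              else
                echo "Unexpected changes:"
                git status --short
                exit 1
              fi
            else
              echo "More than one file has changed:"
              git status --short
              exit 1
            fi
          fi

      # Final gate: -Ddash.fail=true makes restricted dependencies fail the job.
      - name: Check dependency licenses with dash tool (and fail if there are restricted dependencies)
        run: >-
          mvn license-tool:license-check -Ddash.batch=50 -Ddash.fail=true -PcheckLicense
          --projects '!org.eclipse.hawkbit:hawkbit-repository-test,!org.eclipse.hawkbit:hawkbit-dmf-rabbitmq-test'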