.github/workflows/scan-dependencies.yml

##########################################################################
# Scan Maven Dependencies
##########################################################################
name: scan-dependencies

on:
  # schedule:
    # crontab guru https://crontab.guru/
    # cron: "0 0 * * 5"
  workflow_call:

env:
  CONFIGURATIONS_REPOSITORY: common-configurations
  GLOBAL_CONFIGURATION: _global.yml
  SECRETS_AZURE_KEYVAULT: CoveredCA-KV-Mulesoft
  ISSUE_MESSAGE: "The service has dependencies that needs to be updated"
  BADGE_LABEL: "Dependencies"
  BADGE_STATUS_SUCCESS: "Verified"
  BADGE_STATUS_INVALID: "Invalid"
  BADGE_STATUS_SUCCESS_COLOR: "31c653"
  BADGE_STATUS_INVALID_COLOR: "800000"

jobs:
  scan-dependencies:
    name: Scan dependencies
    runs-on: ubuntu-latest

    steps:

      - name: Get token from Github App
        id: app-token
        uses: CoveredCA/common-devops/packages/app-token@main
        with:
          client-id: ${{ secrets.MULESOFT_GITHUBAPP_CLIENTID}}
          privatekey: ${{ secrets.MULESOFT_GITHUBAPP_PRIVATEKEY }}

      - name: Get secrets from Azure Key Vault
        id: secrets
        uses: CoveredCA/common-devops/packages/secrets-azure@main
        with:
          keyvault-key: ${{ env.SECRETS_AZURE_KEYVAULT}}
          azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}

      - name: Get service configuration
        uses: CoveredCA/common-devops/packages/configuration-service@main

      - name: Install Java environment for Mulesoft Applications
        uses: CoveredCA/common-devops/packages/install-java@main

      - name: Scan maven dependencies
        id: scan-dependencies
        shell: bash
        run: |
          echo " " | tee -a message_body.txt
          echo "***********************************************"
          echo "## Maven Version Info" | tee -a message_body.txt
          echo "***********************************************"
          echo " " | tee -a message_body.txt
          echo -e "$(mvn --version)" | tee -a message_body.txt
          echo " " | tee -a message_body.txt
          echo "***********************************************"
          echo "## Scan plugins" | tee -a message_body.txt
          echo "***********************************************"
          echo " " | tee -a message_body.txt
          SCAN_RESULT=$(mvn versions:display-plugin-updates -Denforcer.skip)
          ERROR="false"

          if [[ $SCAN_RESULT == *"The following plugin updates are available"* ]]; then
            echo "  ***********************************************"
            echo "  ### Update plugins!!" | tee -a message_body.txt
            echo "  ***********************************************" | tee -a message_body.txt
            echo " " | tee -a message_body.txt
            echo -e "$(mvn versions:display-plugin-updates -Denforcer.skip)" | tee -a message_body.txt
            ERROR="true"
            echo " " | tee -a message_body.txt
            echo " " | tee -a message_body.txt
            echo " " | tee -a message_body.txt
            echo " " | tee -a message_body.txt
          else
            echo "> Plugins up to date" | tee -a message_body.txt
          fi

          SCAN_RESULT=$(mvn versions:display-dependency-updates -Denforcer.skip)
          echo " " | tee -a message_body.txt
          echo "***********************************************" | tee -a message_body.txt
          echo "## Scan dependencies" | tee -a message_body.txt
          echo "***********************************************"
          echo " " | tee -a message_body.txt
          if [[ $SCAN_RESULT == *"The following dependencies"* ]]; then
            echo "  ***********************************************"
            echo "  ### Update dependencies!!" | tee -a message_body.txt
            echo "  ***********************************************" | tee -a message_body.txt
            echo " " | tee -a message_body.txt
            echo -e "$(mvn versions:display-dependency-updates -Denforcer.skip)" | tee -a message_body.txt
            ERROR="true"
          else
            echo "> Dependencies up to date" | tee -a message_body.txt
          fi

          # The GH_TOKEN was exposed as env variable in the app-token action. The next commented code
          # is used only if We need to use the github CLI with another token
          # export GH_TOKEN=$github_automationbot_token

          message_body="${{ env.ISSUE_MESSAGE }}<br/><br/><hr>$(cat message_body.txt)"

          # Get the date for the code badge
          current_date=$(date +'%Y-%m-%d')
          if [[ "$ERROR" = "true" ]]; then
            echo "  Create a scan-dependencies issue"
            gh -R "${{ github.repository }}" issue create \
            -t "scan-dependencies update ${{ env.service_name }} ${{ env.service_version }}" \
            -a "$configuration_scandependencies_assignees" \
            -b "$message_body" \
            -l "$scandependencies_issue_label" \
            -p "${{ env.deployment_project }}"

            echo " "
            echo "Project plugins/dependencies should be updated!"
            echo "dependencies_badge_status=${{ env.BADGE_STATUS_INVALID }} $current_date" >> $GITHUB_ENV
            echo "dependencies_badge_color=${{ env.BADGE_STATUS_INVALID_COLOR }}" >> $GITHUB_ENV

            exit 1 # terminate and indicate error
          else
            echo "dependencies_badge_status=${{ env.BADGE_STATUS_SUCCESS }} $current_date" >> $GITHUB_ENV
            echo "dependencies_badge_color=${{ env.BADGE_STATUS_SUCCESS_COLOR }}" >> $GITHUB_ENV
          fi

      - name: Create badge
        uses: CoveredCA/common-devops/packages/badge@main
        if: always()
        with:
          label: ${{ env.BADGE_LABEL}}
          status: ${{ env.dependencies_badge_status }}
          color: ${{ env.dependencies_badge_color }}
          file: ${{ env.service_name }}-dependencies.svg
          folder: ${{ env.service_name }}

      #- name: Update deployment issue Todo fields
      #  uses: CoveredCA/common-devops/packages/update-scan-dependencies-issue@main
      #  if: failure() && steps.scan-dependencies.outcome == 'failure'
      #  with:
        #    token: ${{ env.github_automationbot_token }}
        #    application-name: ${{ env.service_name }}
        #    version: ${{ env.service_version }}

      - name: Run pushover notify
        id: Pushover
        uses: CoveredCA/common-devops/packages/pushover-notify@main
        if: always() && env.dependencies_badge_color == '800000'
        with:
          user: "${{ secrets.PUSHOVER_USER_KEY }}"
          token: "${{ secrets.PUSHOVER_TOKEN }}"
          title: "${{ env.service_name }}" # Set the message title or leave empty
          message: "<b>JOB:</b> 🤖 Scan Dependencies<br><b>APP:</b> ${{ env.service_name }}<br><b>VERSION:</b> ${{ env.service_version }}<br><b>REPO:</b> <a href=\"https://github.com/${{ github.repository }}/issues?q=sort%3Aupdated-desc+is%3Aopen+label%3Adependencies\">Scan Deps Issues</a><br><b>OUTCOME:</b> ❌"
          html: 1 # Set to 1 to enable HTML parsing or leave empty
          priority: 1 # Set the priority value or leave empty
          sound: "falling" # Specify the sound name or leave empty
          url: "https://www.github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" # Add the URL or leave empty
          url_title: "Go To GitHub Actions Log" # Add the URL title or leave empty