# This action requires the following secrets to be set on the repository:
#   GH_USER_TOKEN: GitHub user token, to be used by ncu and to push changes
#   JENKINS_USER: GitHub user whose Jenkins token is defined below
#   JENKINS_TOKEN: Jenkins token, to be used to check CI status

name: Commit Queue

on:
  # `schedule` event is used instead of `pull_request` because when a
  # `pull_request` event is triggered on a PR from a fork, GITHUB_TOKEN will
  # be read-only, and the Action won't have access to any other repository
  # secrets, which it needs to access Jenkins API.
  schedule:
    - cron: '*/5 * * * *'

concurrency: ${{ github.workflow }}

env:
  NODE_VERSION: lts/*

permissions:
  contents: read

jobs:
  get_mergeable_prs:
    permissions:
      pull-requests: read
    if: github.repository == 'nodejs/node'
    runs-on: ubuntu-latest
    outputs:
      numbers: ${{ steps.get_mergeable_prs.outputs.numbers }}
    steps:
      - name: Get Pull Requests
        id: get_mergeable_prs
        run: |
          prs=$(gh pr list \
                  --repo "$GITHUB_REPOSITORY" \
                  --base "$GITHUB_REF_NAME" \
                  --label 'commit-queue' \
                  --json 'number' \
                  --search "created:<=$(date --date="2 days ago"  +"%Y-%m-%dT%H:%M:%S%z") -label:blocked" \
                  -t '{{ range . }}{{ .number }} {{ end }}' \
                  --limit 100)
          fast_track_prs=$(gh pr list \
                  --repo "$GITHUB_REPOSITORY" \
                  --base "$GITHUB_REF_NAME" \
                  --label 'commit-queue' \
                  --label 'fast-track' \
                  --search "-label:blocked" \
                  --json 'number' \
                  -t '{{ range . }}{{ .number }} {{ end }}' \
                  --limit 100)
          numbers=$(echo $prs' '$fast_track_prs | jq -r -s 'unique | join(" ")')
          echo "numbers=$numbers" >> "$GITHUB_OUTPUT"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  commitQueue:
    needs: get_mergeable_prs
    if: needs.get_mergeable_prs.outputs.numbers != ''
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
        with:
          # A personal token is required because pushing with GITHUB_TOKEN will
          # prevent commits from running CI after they land. It needs
          # to be set here because `checkout` configures GitHub authentication
          # for push as well.
          token: ${{ secrets.GH_USER_TOKEN }}

      # Install dependencies
      - name: Install Node.js
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4.4.0
        with:
          node-version: ${{ env.NODE_VERSION }}
      - name: Install @node-core/utils
        run: npm install -g @node-core/utils

      - name: Set variables
        run: |
          echo "REPOSITORY=$(echo "$GITHUB_REPOSITORY" | cut -d/ -f2)" >> "$GITHUB_ENV"

      - name: Configure @node-core/utils
        run: |
          ncu-config set branch "${GITHUB_REF_NAME}"
          ncu-config set upstream origin
          ncu-config set username "$USERNAME"
          ncu-config set token "$GITHUB_TOKEN"
          ncu-config set jenkins_token "$JENKINS_TOKEN"
          ncu-config set repo "${REPOSITORY}"
          ncu-config set owner "${GITHUB_REPOSITORY_OWNER}"
        env:
          USERNAME: ${{ secrets.JENKINS_USER }}
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
          JENKINS_TOKEN: ${{ secrets.JENKINS_TOKEN }}

      - name: Start the Commit Queue
        run: ./tools/actions/commit-queue.sh "${GITHUB_REPOSITORY_OWNER}" "${REPOSITORY}" ${{ needs.get_mergeable_prs.outputs.numbers }}
        env:
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}