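# Release Asset Audit
#
# Runs .github/workflows/release-asset-audit.py against the repository's
# release assets and, when the audit fails outside of a pull request, files
# an "infrastructure" issue that links back to the failing run.
#
# Security-relevant layout:
#   * The workflow-level token is read-only (`contents: read`).
#   * The audit job runs with that read-only token only; it is the job that
#     executes the (possibly PR-modified) audit script.
#   * Issue creation happens in a separate job that is skipped for
#     pull_request events and uses a short-lived GitHub App token scoped to
#     `contents: read` + `issues: write`.
#   * Every action is pinned to a full commit SHA; the trailing comment
#     records the tag the SHA was taken from.
name: Release Asset Audit

on:
  workflow_dispatch:
  release:
  schedule:
    # * is a special character in YAML so you have to quote this string
    # Run once an hour
    - cron: '5 * * * *'

  # Exercise the workflow whenever the audit script or this file changes.
  pull_request:
    paths:
      - ".github/workflows/release-asset-audit.py"
      - ".github/workflows/release-asset-audit.yml"

permissions:
  contents: read # Default everything to read-only

jobs:
  audit:
    name: "Release Asset Audit"
    runs-on: ubuntu-24.04
    if: github.repository == 'llvm/llvm-project'
    steps:
      - name: Checkout LLVM
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not leave the token in the checkout's git config; later steps
          # receive it explicitly through the environment instead.
          persist-credentials: false
          # Only the audit script and its pinned requirements are needed.
          sparse-checkout: |
            .github/workflows/release-asset-audit.py
            llvm/utils/git/requirements.txt

      # Dependencies are installed with --require-hashes, so pip rejects any
      # package whose hash is not listed in requirements.txt.
      # NOTE(review): the token is handed to the script as a command-line
      # argument, which exposes it in the process's argument list on the
      # runner. The script's CLI lives outside this file; reading the token
      # from the GITHUB_TOKEN environment variable inside the script would
      # avoid that.
      - name: "Run Audit Script"
        env:
          GITHUB_TOKEN: ${{ github.token }}
        run: |
          pip install --require-hashes -r ./llvm/utils/git/requirements.txt
          python3 ./.github/workflows/release-asset-audit.py "$GITHUB_TOKEN"

      # On failure, hand the `comment` file to the notification job as an
      # artifact.
      - name: Upload comment file
        if: failure()
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: comment
          path: |
            comment

  notify-audit-failed:
    name: "Notify Audit Failed"
    # NOTE(review): presumably this environment limits access to the app
    # secrets to runs from the main branch - confirm in the repository's
    # environment settings.
    environment:
      name: main-branch-only
      deployment: false
    runs-on: ubuntu-24.04
    # Never runs for pull_request events, so PR-controlled code paths cannot
    # reach the app credentials below.
    if: >-
      github.repository == 'llvm/llvm-project' &&
      github.event_name != 'pull_request' &&
      failure()
    needs:
      - audit
    steps:
      # The audit job can fail before a `comment` file exists (for example
      # during dependency installation), in which case no artifact is
      # uploaded and this step errors. Without continue-on-error the job
      # would stop here and no issue would be filed; the "File Issue" script
      # already copes with a missing ./comment file.
      - name: Download Comment
        continue-on-error: true
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: comment

      # Mint a GitHub App installation token limited to the two permissions
      # this job needs.
      - id: app-token
        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
          client-id: ${{ secrets.LLVM_TOKEN_GENERATOR_CLIENT_ID }}
          private-key: ${{ secrets.LLVM_TOKEN_GENERATOR_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          permission-contents: read
          permission-issues: write

      # The artifact content is read from disk at run time rather than being
      # interpolated into the script with ${{ }}, so it is treated as data
      # and cannot alter the script text.
      - name: "File Issue"
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          github-token: ${{ steps.app-token.outputs.token }}
          script: |
            var fs = require('fs');
            var body = ''
            if (fs.existsSync('./comment')) {
              body = fs.readFileSync('./comment') + "\n\n";
            }
            body = body + `\n\nhttps://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`

            const issue = await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: "Release Asset Audit Failed",
              labels: ['infrastructure'],
              body: body
            });
            console.log(issue);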