name: promote canary -> main

on:
  workflow_dispatch:
    inputs:
      dry_run:
        type: boolean
        default: false
        description: "Show what would change, but don't push"
      src:
        type: string
        default: canary
        description: 'Source branch'
      dst:
        type: string
        default: main
        description: 'Destination branch'

concurrency:
  group: promote-${{ inputs.dst }}
  cancel-in-progress: false

permissions:
  contents: read

jobs:
  promote:
    runs-on: blacksmith-8vcpu-ubuntu-2404
    timeout-minutes: 25

    steps:
      - name: Create GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.PROMOTE_APP_ID }}
          private-key: ${{ secrets.PROMOTE_APP_PRIVATE_KEY }}

      - name: Checkout source
        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.src }}
          fetch-depth: 0
          token: ${{ steps.app-token.outputs.token }}

      - name: Verify ff-only + summarize
        id: verify
        run: >-
          python3 scripts/ci/workflows/promote_canary_to_main.py
          --step verify
          --src "${{ inputs.src }}"
          --dst "${{ inputs.dst }}"

      - name: Push fast-forward
        if: ${{ steps.verify.outputs.ahead != '0' && inputs.dry_run != true }}
        run: >-
          python3 scripts/ci/workflows/promote_canary_to_main.py
          --step push
          --dst "${{ inputs.dst }}"

      - name: Dry run / no-op
        if: ${{ steps.verify.outputs.ahead == '0' || inputs.dry_run == true }}
        run: >-
          python3 scripts/ci/workflows/promote_canary_to_main.py
          --step dry_run
          --dry-run "${{ inputs.dry_run }}"
          --ahead "${{ steps.verify.outputs.ahead }}"