name: Sync Envoy

on:
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  sync:
    runs-on: ubuntu-20.04
    permissions:
      contents: write
    if: |
      ${{
          !contains(github.actor, '[bot]')
          || github.actor == 'sync-envoy[bot]'
      }}
    steps:
    - id: appauth
      uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0
      with:
        key: ${{ secrets.ENVOY_CI_UPDATE_BOT_KEY }}
        app_id: ${{ secrets.ENVOY_CI_UPDATE_APP_ID }}

    - name: 'Checkout Repository'
      uses: actions/checkout@v3
      with:
        ref: main
        token: ${{ steps.appauth.outputs.value }}
        fetch-depth: 0

    # Checkout the Envoy repo
    - name: 'Checkout Envoy Repository'
      uses: actions/checkout@v3
      with:
        repository: envoyproxy/envoy
        ref: main
        fetch-depth: 0
        path: upstream

    - run: mv upstream ../envoy
    - run: ci/sync_envoy.sh
      env:
        ENVOY_SRC_DIR: ../envoy
        GITHUB_EMAIL: "135279899+update-envoy[bot]@users.noreply.github.com"
        GITHUB_NAME: "update-envoy[bot]"