name: 'Apply latest configuration to dogfood with gitops'

on:
  push:
    branches:
      - main
    paths:
      - 'it-and-security/**'
      - '.github/workflows/dogfood-gitops.yml'
  pull_request:
    paths:
      - 'it-and-security/**'
      - '.github/workflows/dogfood-gitops.yml'
  workflow_dispatch: # allows manual triggering
  schedule:
  - cron: '0 6 * * *' # Nightly 6AM UTC

# Prevent concurrent runs of this workflow, but allow all runs to finish.
concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: false

defaults:
  run:
    shell: bash

# Limit permissions of GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  fleet-gitops:
    timeout-minutes: 10
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit

      - name: Checkout our repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Checkout GitOps repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          repository: fleetdm/fleet-gitops
          ref: main
          path: fleet-gitops

      - name: Apply latest configuration to Fleet
        uses: ./fleet-gitops/.github/gitops-action
        with:
          working-directory: ${{ github.workspace }}/fleet-gitops
          dry-run-only: ${{ github.event_name == 'pull_request' && 'true' || 'false' }}
        env:
          FLEET_GITOPS_DIR: ${{ github.workspace }}/it-and-security
          FLEET_URL: https://dogfood.fleetdm.com
          FLEET_API_TOKEN: ${{ secrets.DOGFOOD_API_TOKEN }}
          DOGFOOD_APPLE_BM_DEFAULT_TEAM: "💻 Workstations"
          DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL: ${{ secrets.DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL }}
          DOGFOOD_GLOBAL_ENROLL_SECRET: ${{ secrets.DOGFOOD_GLOBAL_ENROLL_SECRET }}
          DOGFOOD_SSO_ISSUER_URI: ${{ secrets.DOGFOOD_SSO_ISSUER_URI }}
          DOGFOOD_SSO_METADATA: ${{ secrets.DOGFOOD_SSO_METADATA }}
          DOGFOOD_MDM_SSO_METADATA_URL: ${{ secrets.DOGFOOD_MDM_SSO_METADATA_URL }}
          DOGFOOD_FAILING_POLICIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_FAILING_POLICIES_WEBHOOK_URL }}
          DOGFOOD_VULNERABILITIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_VULNERABILITIES_WEBHOOK_URL }}
          DOGFOOD_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.DOGFOOD_WORKSTATIONS_ENROLL_SECRET }}
          DOGFOOD_WORKSTATIONS_CANARY_CALENDAR_WEBHOOK_URL: ${{ secrets.DOGFOOD_WORKSTATIONS_CANARY_CALENDAR_WEBHOOK_URL }}
          DOGFOOD_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.DOGFOOD_WORKSTATIONS_CANARY_ENROLL_SECRET }}
          DOGFOOD_SERVERS_ENROLL_SECRET: ${{ secrets.DOGFOOD_SERVERS_ENROLL_SECRET }}
          DOGFOOD_SERVERS_CANARY_ENROLL_SECRET: ${{ secrets.DOGFOOD_SERVERS_CANARY_ENROLL_SECRET }}
          DOGFOOD_EXPLORE_DATA_ENROLL_SECRET: ${{ secrets.DOGFOOD_EXPLORE_DATA_ENROLL_SECRET }}
          DOGFOOD_CALENDAR_API_KEY: ${{ secrets.DOGFOOD_CALENDAR_API_KEY }}
          DOGFOOD_COMPLIANCE_EXCLUSIONS_ENROLL_SECRET: ${{ secrets.DOGFOOD_COMPLIANCE_EXCLUSIONS_ENROLL_SECRET }}
          DOGFOOD_COMPANY_OWNED_IPHONES_ENROLL_SECRET: ${{ secrets.DOGFOOD_COMPANY_OWNED_IPHONES_ENROLL_SECRET }}
          DOGFOOD_COMPANY_OWNED_IPADS_ENROLL_SECRET: ${{ secrets.DOGFOOD_COMPANY_OWNED_IPADS_ENROLL_SECRET }}
          MANAGED_CHROME_ENROLLMENT_TOKEN: ${{ secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN }}