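name: Update Patterns

# Least privilege: the only writes this job performs are pushing the regenerated
# rules and (re)creating the "latest" release, both covered by contents:write.
# statuses:write and packages:write were granted but no step used them; checkout
# only needs contents:read, which write already implies.
permissions:
  contents: write

on:
  schedule:
    - cron: '0 0 * * *'  # Daily at midnight UTC
  workflow_dispatch:  # Manual trigger

jobs:
  update-owasp-waf:
    runs-on: ubuntu-latest
    steps:
      - name: 🚚 Checkout Repository
        # NOTE(review): consider pinning each third-party action to a full commit
        # SHA instead of a mutable major tag, so a retagged action cannot change
        # what runs here.
        uses: actions/checkout@v3
        with:
          fetch-depth: 0  # get full git history

      - name: ⚙️ Set Up Python 3.11
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: 📦 Cache pip dependencies
        uses: actions/cache@v3
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
          restore-keys: |
            ${{ runner.os }}-pip-

      - name: 📥 Install Dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt

      - name: 🕷️ Run OWASP Scraper
        run: python owasp2json.py

      - name: 🔄 Convert OWASP to Nginx WAF
        run: python json2nginx.py

      - name: 🔄 Convert OWASP to Apache WAF
        run: python json2apache.py

      - name: 🔄 Convert OWASP to Traefik WAF
        run: python json2traefik.py

      - name: 🔄 Convert OWASP to HAProxy WAF
        run: python json2haproxy.py

      - name: 🔄 Generate Bad Bot Blockers
        run: python badbots.py

      - name: 🚀 Commit and Push Changes (if any)
        # No continue-on-error here: the no-change case already exits 0, so the
        # only remaining failure is a real commit/push error, and that must stop
        # the run before a release is cut from a tree that was never pushed.
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add .
          # The changes were just staged, so compare the index against HEAD.
          # A plain `git diff --quiet` only inspects unstaged changes and would
          # always report "no changes" right after `git add .`.
          if ! git diff --cached --quiet; then
            git commit -m "Update WAF rules [$(date +'%Y-%m-%d')]"
            git push
          else
            echo "No changes to commit."
          fi

      - name: 📦 Create Zip Archives
        run: |
          mkdir -p dist
          (cd waf_patterns/nginx && zip -r ../../dist/nginx_waf.zip .)
          (cd waf_patterns/apache && zip -r ../../dist/apache_waf.zip .)
          (cd waf_patterns/traefik && zip -r ../../dist/traefik_waf.zip .)
          (cd waf_patterns/haproxy && zip -r ../../dist/haproxy_waf.zip .)
          # "latest" is a moving tag, so publish digests alongside the archives
          # to let consumers verify what they downloaded.
          (cd dist && sha256sum ./*.zip > SHA256SUMS)

      - name: 🗑️ Delete Existing 'latest' Tag and Release (if they exist)
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Delete local tag
          git tag -d latest || true
          # Delete remote tag (force)
          git push --delete origin latest || true
          # Delete release, --yes for confirmation
          gh release delete latest --yes || true

      - name: 🚀 Create GitHub Release and Upload Assets
        # actions/create-release@v1 and actions/upload-release-asset@v1 are
        # archived; the gh CLI preinstalled on the runner creates the release
        # and uploads every asset in one step. The tag is pointed at the commit
        # just pushed (not GITHUB_SHA, which predates it).
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh release create latest \
            --target "$(git rev-parse HEAD)" \
            --title "Latest Release" \
            --notes "Automated WAF pattern update $(date +'%Y-%m-%d')" \
            dist/nginx_waf.zip \
            dist/apache_waf.zip \
            dist/traefik_waf.zip \
            dist/haproxy_waf.zip \
            dist/SHA256SUMS

      # The former "Clean Up" step (rm -rf ~/.cache/pip) ran before the
      # actions/cache post-step that saves the cache, so every run saved an
      # empty cache. The runner is ephemeral; no cleanup is needed.

      - name: 🚨 Notify on Failure (Optional)
        if: failure()
        # Example Slack notification: pass the webhook through `env:` as
        # SLACK_WEBHOOK (from secrets) rather than interpolating the secret into
        # the shell line, then:
        # curl -X POST -H 'Content-type: application/json' --data '{"text":"WAF update workflow failed!"}' "$SLACK_WEBHOOK"
        run: |
          echo "🚨 Workflow failed! Please investigate."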