osm-maker-vibes/.github/workflows/dependency-updates.yml
dependabot[bot] da65d09cf5 ci(deps): bump gradle/gradle-build-action from 2 to 3
Bumps [gradle/gradle-build-action](https://github.com/gradle/gradle-build-action) from 2 to 3.
- [Release notes](https://github.com/gradle/gradle-build-action/releases)
- [Commits](https://github.com/gradle/gradle-build-action/compare/v2...v3)

---
updated-dependencies:
- dependency-name: gradle/gradle-build-action
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-30 19:48:22 +00:00


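---
# Weekly dependency-freshness and vulnerability reporting.
#
#   check-updates    - gradle-versions-plugin report + a markdown summary (artifact)
#   security-audit   - OWASP dependency-check scan (artifact)
#   create-update-pr - scheduled runs only: opens a draft PR carrying the reports
#
# NOTE(review): third-party actions are referenced by major tag; pinning them to
# commit SHAs (kept current by Dependabot) is the usual hardening step.
name: Dependency Updates

on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: '0 2 * * 1'  # Weekly on Monday at 2 AM UTC
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN by default; the PR job widens what it needs.
permissions:
  contents: read

jobs:
  check-updates:
    name: Check for Dependency Updates
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'

      - name: Setup Gradle
        # NOTE(review): upstream now ships this as a thin wrapper around
        # gradle/actions/setup-gradle; confirm before switching.
        uses: gradle/gradle-build-action@v3

      - name: Check for outdated dependencies
        # Produces build/dependencyUpdates/report.txt, consumed by create-update-pr.
        run: ./gradlew dependencyUpdates --stacktrace

      - name: Generate dependency report
        run: |
          mkdir -p reports
          ./gradlew dependencies > reports/current-dependencies.txt
          # The timestamp is written with printf because $(date) does not
          # expand inside a quoted heredoc; the heredoc delimiter stays quoted
          # so the backticks in the markdown remain literal.
          printf '# Dependency Update Report\n\nGenerated on: %s\n\n' "$(date)" > reports/dependency-summary.md
          cat >> reports/dependency-summary.md << 'EOF'
          ## Current Dependencies

          See `current-dependencies.txt` for the complete dependency tree.

          ## Recommendations

          - Review the dependency update report for available updates
          - Test thoroughly before merging dependency updates
          - Consider security implications of dependency changes
          - Update documentation if API changes are introduced
          EOF

      - name: Upload dependency reports
        # NOTE(review): v3 of the artifact actions is deprecated upstream;
        # confirm the v4 behaviour (immutable, uniquely named artifacts) before bumping.
        # Two search paths -> the artifact is rooted at the repository root,
        # so it contains reports/... and build/dependencyUpdates/... side by side.
        uses: actions/upload-artifact@v3
        with:
          name: dependency-reports
          path: |
            reports/
            build/dependencyUpdates/

  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'

      - name: Setup Gradle
        uses: gradle/gradle-build-action@v3

      - name: Run OWASP dependency check
        # continue-on-error keeps the job (and the dependent PR job) running, as
        # the former `|| true` did, but the step is now shown as failed in the
        # run UI when the scan does not complete instead of being silently green.
        continue-on-error: true
        run: |
          # Add OWASP dependency check plugin if not present. The edit only
          # touches the runner workspace and is never committed; the plugin
          # version is pinned inside the sed expression.
          # NOTE(review): confirm this plugin version can still fetch
          # vulnerability data before relying on the scan results.
          if ! grep -q "org.owasp.dependencycheck" build.gradle.kts; then
            echo 'Adding OWASP dependency check plugin...'
            sed -i '/kotlin("plugin.serialization")/a\ id("org.owasp.dependencycheck") version "8.4.2"' build.gradle.kts
          fi
          ./gradlew dependencyCheckAnalyze --stacktrace

      - name: Upload security audit results
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: security-audit-results
          path: build/reports/

  create-update-pr:
    name: Create Update PR
    runs-on: ubuntu-latest
    needs: [check-updates, security-audit]
    # Manual (workflow_dispatch) runs only produce artifacts; no PR is opened.
    if: github.event_name == 'schedule'
    permissions:
      contents: write        # push the report branch
      pull-requests: write   # open the pull request
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'

      - name: Setup Gradle
        uses: gradle/gradle-build-action@v3

      - name: Download dependency reports
        uses: actions/download-artifact@v3
        with:
          name: dependency-reports
          # The artifact is rooted at the repository root (see the upload step),
          # so extracting into "." restores reports/ and
          # build/dependencyUpdates/report.txt where the next step looks for them.
          # Extracting into reports/ would nest them one level too deep and the
          # report check below would never find the file.
          path: .

      - name: Check if updates are available
        id: check-updates
        # Emits updates_available=true only when the gradle-versions-plugin
        # text report exists and lists newer milestone versions.
        run: |
          REPORT="build/dependencyUpdates/report.txt"
          if [ -f "$REPORT" ] && grep -q "The following dependencies have later milestone versions:" "$REPORT"; then
            echo "updates_available=true" >> "$GITHUB_OUTPUT"
          else
            echo "updates_available=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Set update branch name
        if: steps.check-updates.outputs.updates_available == 'true'
        # Branch creation and the report commit are left to the PR action below
        # (checking the branch out here would make it both base and head).
        # The values are exported because `with:` inputs are expressions, not
        # shell, so $(date) would otherwise appear literally in the PR title/body.
        run: |
          {
            echo "BRANCH_NAME=dependency-updates-$(date +%Y%m%d)"
            echo "REPORT_DATE=$(date +%Y-%m-%d)"
            echo "GENERATED_ON=$(date)"
          } >> "$GITHUB_ENV"

      - name: Create Pull Request
        if: steps.check-updates.outputs.updates_available == 'true'
        # NOTE(review): PRs opened with GITHUB_TOKEN do not trigger other
        # workflows (e.g. CI on the PR); use a GitHub App or PAT if that is needed.
        uses: peter-evans/create-pull-request@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          branch: ${{ env.BRANCH_NAME }}
          add-paths: reports/
          commit-message: "Add dependency update report for ${{ env.REPORT_DATE }}"
          committer: "github-actions[bot] <github-actions[bot]@users.noreply.github.com>"
          author: "github-actions[bot] <github-actions[bot]@users.noreply.github.com>"
          title: "🔄 Weekly Dependency Updates - ${{ env.REPORT_DATE }}"
          body: |
            ## 🔄 Automated Dependency Update Report

            This PR contains the weekly dependency update report generated on ${{ env.GENERATED_ON }}.

            ### 📋 What's included:
            - Current dependency tree analysis
            - Available updates report
            - Security audit results

            ### 🔍 Next Steps:
            1. Review the dependency update report in the artifacts
            2. Manually update dependencies as needed
            3. Run tests to ensure compatibility
            4. Update this PR with actual dependency changes

            ### 📁 Reports Location:
            - `reports/current-dependencies.txt` - Current dependency tree
            - `reports/dependency-summary.md` - Summary and recommendations
            - Build artifacts contain detailed update information

            ---
            *This PR was automatically created by the dependency update workflow.*
          labels: |
            dependencies
            automated
          draft: true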