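name: Sync Templates

on:
  workflow_dispatch:
  workflow_call:
    secrets:
      APP_ID:
        required: true
        description: GitHub App client ID for emdashbot.
      APP_PRIVATE_KEY:
        required: true
        description: GitHub App private key for emdashbot.

jobs:
  sync:
    name: Sync templates to emdash-cms/templates
    # Only sync from main. Under workflow_call, github.ref is the caller's ref,
    # so a caller running on another branch gets a skipped job rather than a
    # sync of that branch's templates.
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Serialize runs: two overlapping syncs would race on the same sync branch
    # and PR in emdash-cms/templates. Queue instead of cancelling so a run that
    # has already pushed is never left half-applied.
    concurrency:
      group: sync-templates
      cancel-in-progress: false
    # GITHUB_TOKEN only needs to read this repo for checkout; every write to
    # the target repo goes through the app installation token minted below.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # Read-only: the sync step uses the app token via GH_TOKEN, not
          # the persisted git credential.
          persist-credentials: false

      - name: Setup Node
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 22

      # Minted immediately before the only step that uses it, so the
      # write-capable token is not live while checkout/setup-node run.
      # create-github-app-token revokes the token in its post step by default
      # (skip-token-revoke) -- confirm that holds for the pinned version.
      - name: Generate token
        id: app-token
        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          # Installation token scoped to the single target repository.
          repositories: templates
          owner: emdash-cms
          # Push the sync branch (contents) and open/update the sync PR via
          # `gh pr create` (pull-requests) on emdash-cms/templates. Nothing else.
          # NOTE: contents:write is repo-wide, not branch-scoped. Branch
          # protection / rulesets on emdash-cms/templates are what keep this
          # token from writing straight to that repo's default branch.
          permission-contents: write
          permission-pull-requests: write

      - name: Sync templates
        run: node scripts/sync-templates-repo.mjs
        env:
          # Consumed by the sync script / gh CLI; never the GITHUB_TOKEN.
          GH_TOKEN: ${{ steps.app-token.outputs.token }}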