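---
name: Provider Tests
on:
  pull_request:
    types: ["opened", "synchronize"]
    paths:
      - '.github/workflows/provider-test.yaml'
      - 'internal/**.go'
      - 'vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/**'
      - 'vendor/github.com/hashicorp/go-azure-sdk/sdk/environments/**'

# Workflow-wide least-privilege token. id-token: write is required so that
# provider-tests can request the OIDC token from ACTIONS_ID_TOKEN_REQUEST_URL.
permissions:
  contents: read
  id-token: write
  pull-requests: read

jobs:
  secrets-check:
    runs-on: ubuntu-latest
    outputs:
      available: "${{ steps.check-secrets.outputs.available }}"
    steps:
      # ACTIONS_ID_TOKEN_REQUEST_URL is used as a proxy for secret availability:
      # it is unset for pull requests from forks (where secrets are not exposed),
      # so the acceptance tests are skipped in that case instead of failing.
      # tee -a appends to GITHUB_OUTPUT; plain tee would truncate any output
      # written earlier in the same step.
      - id: check-secrets
        run: |
          if [[ -z "${ACTIONS_ID_TOKEN_REQUEST_URL}" ]]; then
            echo "available=false" | tee -a "${GITHUB_OUTPUT}"
          else
            echo "available=true" | tee -a "${GITHUB_OUTPUT}"
          fi

  provider-tests:
    runs-on: [custom, linux, large]
    needs: [secrets-check]
    if: needs.secrets-check.outputs.available == 'true'
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Install Go
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version-file: ./.go-version

      # Secrets are handed to the script through env rather than interpolated
      # with ${{ }}, so they are never rendered into the command text itself.
      # NOTE(review): the username/password still appear on the argv of the az
      # process while it runs; confirm an OIDC or service-principal login is
      # not available for this account before relying on this.
      - name: Azure CLI login
        env:
          AZCLI_USERNAME: ${{ secrets.AZCLI_USERNAME }}
          AZCLI_PASSWORD: ${{ secrets.AZCLI_PASSWORD }}
        run: az login --output none --username="${AZCLI_USERNAME}" --password="${AZCLI_PASSWORD}"

      # The default shell for an unspecified `shell:` is `bash -e {0}` without
      # pipefail, so a failed curl would otherwise be hidden behind jq and a
      # literal "null" token would be exported. The JWT is not a registered
      # secret, so it is masked explicitly before it is written to GITHUB_ENV.
      - name: Set OIDC Token
        run: |
          set -o pipefail
          token="$(curl --fail --silent --show-error \
            -H "Accept: application/json; api-version=2.0" \
            -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
            -H "Content-Type: application/json" \
            -G --data-urlencode "audience=api://AzureADTokenExchange" \
            "${ACTIONS_ID_TOKEN_REQUEST_URL}" | jq -r '.value')"
          if [[ -z "${token}" || "${token}" == "null" ]]; then
            echo "::error::failed to obtain an OIDC token from ACTIONS_ID_TOKEN_REQUEST_URL"
            exit 1
          fi
          echo "::add-mask::${token}"
          echo "ARM_OIDC_TOKEN=${token}" >>"${GITHUB_ENV}"

      # Credential files are created under umask 077 so that on a shared
      # (self-hosted) runner they are readable only by the runner user.
      - name: Set OIDC Token File Path
        run: |
          (umask 077; echo "${ARM_OIDC_TOKEN}" >"${RUNNER_TEMP}/oidc-token.jwt")
          echo "ARM_OIDC_TOKEN_FILE_PATH=${RUNNER_TEMP}/oidc-token.jwt" >>"${GITHUB_ENV}"

      - name: Set Client ID Path
        env:
          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
        run: |
          (umask 077; echo "${ARM_CLIENT_ID}" >"${RUNNER_TEMP}/client-id")
          echo "ARM_CLIENT_ID_PATH=${RUNNER_TEMP}/client-id" >>"${GITHUB_ENV}"

      - name: Set Client Secret Path
        env:
          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
        run: |
          (umask 077; echo "${ARM_CLIENT_SECRET}" >"${RUNNER_TEMP}/client-secret")
          echo "ARM_CLIENT_SECRET_PATH=${RUNNER_TEMP}/client-secret" >>"${GITHUB_ENV}"

      - name: Run provider tests
        run: make testacc TEST=./internal/provider TESTARGS="-run '^TestAcc'"
        env:
          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
          ARM_CLIENT_CERTIFICATE: ${{ secrets.ARM_CLIENT_CERTIFICATE }}
          ARM_CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.ARM_CLIENT_CERTIFICATE_PASSWORD }}
          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}

      # Runs even when the tests fail so credential material never outlives
      # the job on a self-hosted runner.
      - name: Clean Up Credential Files
        if: always()
        run: |
          rm -f "${RUNNER_TEMP}/oidc-token.jwt"
          rm -f "${RUNNER_TEMP}/client-id"
          rm -f "${RUNNER_TEMP}/client-secret"

  # needs: is required for needs.<job>.result to be populated, and always()
  # keeps the job eligible after an upstream failure (a dependent job is
  # otherwise skipped). The whole condition sits inside one ${{ }}: mixing
  # ${{ }} fragments with literal text yields a non-empty string, which is
  # always truthy.
  save-artifacts-on-fail:
    needs: [secrets-check, provider-tests]
    if: ${{ always() && (needs.secrets-check.result == 'failure' || needs.provider-tests.result == 'failure') }}
    uses: ./.github/workflows/save-artifacts.yaml

  # This workflow defines no depscheck job, so the previous condition could
  # never reflect a real result; it now keys off provider-tests.
  # NOTE(review): commenting on the PR presumably needs pull-requests: write,
  # either here or inside comment-failure.yaml — confirm against that file.
  comment-on-fail:
    needs: [provider-tests]
    if: ${{ always() && needs.provider-tests.result == 'failure' }}
    uses: ./.github/workflows/comment-failure.yaml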