name: Update patterns

permissions:
  contents: write  # Needed for committing changes and pushing updates
  statuses: write  # Required for updating commit statuses (e.g., CI/CD status)
  
on:
  schedule:
    - cron: '0 0 * * *'  # Run daily at midnight UTC
  workflow_dispatch:  # Allow manual trigger

jobs:
  update-owasp-waf:
    runs-on: ubuntu-latest

    steps:
    - name: 🚚 Checkout Repository
      uses: actions/checkout@v3
      with:
        fetch-depth: 0  # Full history to avoid shallow clone issues

    - name: ⚙️ Set Up Python
      uses: actions/setup-python@v4
      with:
        python-version: '3.11'

    - name: 📦 Cache Python Packages
      id: cache-pip
      uses: actions/cache@v3
      with:
        path: ~/.cache/pip
        key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
        restore-keys: |
          ${{ runner.os }}-pip-

    - name: 📥 Install Dependencies
      if: steps.cache-pip.outputs.cache-hit != 'true'
      run: |
        python -m pip install --upgrade pip
        pip install -r requirements.txt
      continue-on-error: false  # Fail the workflow if dependencies fail to install

    - name: 🕷️ Run OWASP Scraper
      run: |
        python owasp2json.py
      continue-on-error: false

    - name: 🔄 Convert OWASP to Nginx WAF
      run: |
        python json2nginx.py
      continue-on-error: false

    - name: 🔄 Convert OWASP to Apache WAF
      run: |
        python json2apache.py
      continue-on-error: false

    - name: 🔄 Convert OWASP to Traefik WAF
      run: |
        python json2traefik.py
      continue-on-error: false

    - name: 🔄 Convert OWASP to HAProxy WAF
      run: |
        python json2haproxy.py
      continue-on-error: false
      
    - name: 🔄 Generate Bad Bot Blockers
      run: |
        python badbots.py
      continue-on-error: false
      
    # Ensure conf files are pushed even if no changes detected
    - name: 🚀 Commit and Push OWASP WAF patterns
      run: |
        git config user.name "github-actions[bot]"
        git config user.email "github-actions[bot]@users.noreply.github.com"
        git add .
        git commit -m "Update: [$(date)]" || echo "No changes to commit"
        git push
      continue-on-error: true  # Continue even if no changes are made

    - name: 📦 Create Zip Files for Each Web Server
      run: |
        mkdir -p zips
        zip -r zips/nginx_waf.zip waf_patterns/nginx/
        zip -r zips/apache_waf.zip waf_patterns/apache/
        zip -r zips/traefik_waf.zip waf_patterns/traefik/
        zip -r zips/haproxy_waf.zip waf_patterns/haproxy/

    - name: 🗑️ Delete Existing 'latest' Tag and Release (if they exist)
      run: |
        # Delete the local 'latest' tag
        if git rev-parse --verify --quiet refs/tags/latest; then
          git tag -d latest
        fi

        # Delete the remote 'latest' tag
        git push origin :refs/tags/latest || echo "Tag 'latest' does not exist on remote."

        # Delete the 'latest' release (if it exists)
        gh release delete latest --yes || echo "Release 'latest' does not exist."

      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

    - name: 🚀 Create GitHub Release
      id: create_release
      uses: actions/create-release@v1
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      with:
        tag_name: latest  # Use "latest" as the tag name
        release_name: Latest Release
        draft: false
        prerelease: false

    - name: 📤 Upload Nginx WAF Zip to Release
      uses: actions/upload-release-asset@v1
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      with:
        upload_url: ${{ steps.create_release.outputs.upload_url }}
        asset_path: zips/nginx_waf.zip
        asset_name: nginx_waf.zip
        asset_content_type: application/zip

    - name: 📤 Upload Apache WAF Zip to Release
      uses: actions/upload-release-asset@v1
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      with:
        upload_url: ${{ steps.create_release.outputs.upload_url }}
        asset_path: zips/apache_waf.zip
        asset_name: apache_waf.zip
        asset_content_type: application/zip

    - name: 📤 Upload Traefik WAF Zip to Release
      uses: actions/upload-release-asset@v1
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      with:
        upload_url: ${{ steps.create_release.outputs.upload_url }}
        asset_path: zips/traefik_waf.zip
        asset_name: traefik_waf.zip
        asset_content_type: application/zip

    - name: 📤 Upload HAProxy WAF Zip to Release
      uses: actions/upload-release-asset@v1
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      with:
        upload_url: ${{ steps.create_release.outputs.upload_url }}
        asset_path: zips/haproxy_waf.zip
        asset_name: haproxy_waf.zip
        asset_content_type: application/zip

    - name: 🧹 Cleanup Cache (Optional)
      run: |
        rm -rf ~/.cache/pip
      if: always()  # Run this step even if previous steps fail

    - name: 🚨 Notify on Failure (Optional)
      if: failure()
      run: |
        echo "🚨 Workflow failed! Please investigate."
        # Slack or email notification logic (add webhook or SMTP integration here).