name: 1. Validate Secrets
run-name: Validate Secrets
on: [workflow_call, workflow_dispatch]

jobs:
  validate:
    runs-on: macos-13
    steps:
      # Checks-out the repo
      - name: Checkout Repo
        uses: actions/checkout@v3

      # Sync the GitHub runner clock with the Windows time server (workaround as suggested in https://github.com/actions/runner/issues/2996)
      - name: Sync clock
        run: sudo sntp -sS time.windows.com

      # Validates the repo secrets
      - name: Validate Secrets
        run: |
          # Validate Secrets
          echo Validating Repository Secrets...

          # Validate TEAMID
          if [ -z "$TEAMID" ]; then
            failed=true
            echo "::error::TEAMID secret is unset or empty. Set it and try again."
          elif [ ${#TEAMID} -ne 10 ]; then
            failed=true
            echo "::error::TEAMID secret is set but has wrong length. Verify that it is set correctly and try again."
          fi

          # Validate GH_PAT
          if [ -z "$GH_PAT" ]; then
            failed=true
            echo "::error::GH_PAT secret is unset or empty. Set it and try again."
          elif [ "$(gh api -H "Accept: application/vnd.github+json" /repos/${{ github.repository_owner }}/Match-Secrets | jq --raw-output '.permissions.push')" != "true" ]; then
            failed=true
            echo "::error::GH_PAT secret is set but invalid or lacking appropriate privileges on the ${{ github.repository_owner }}/Match-Secrets repository. Verify that it is set correctly and try again."
          fi

          # Validate FASTLANE_ISSUER_ID, FASTLANE_KEY_ID, and FASTLANE_KEY
          if [ -z "$FASTLANE_ISSUER_ID" ] || [ -z "$FASTLANE_KEY_ID" ] || [ -z "$FASTLANE_KEY" ]; then
            failed=true
            [ -z "$FASTLANE_ISSUER_ID" ] && echo "::error::The FASTLANE_ISSUER_ID secret is unset or empty. Set it and try again."
            [ -z "$FASTLANE_KEY_ID"    ] && echo "::error::The FASTLANE_KEY_ID secret is unset or empty. Set it and try again."
            [ -z "$FASTLANE_KEY"       ] && echo "::error::The FASTLANE_KEY secret is unset or empty. Set it and try again."
          elif ! echo "$FASTLANE_KEY" | openssl pkcs8 -nocrypt >/dev/null; then
            failed=true
            echo "::error::The FASTLANE_KEY secret is set but invalid. Verify that it is set correctly and try again."
          elif ! fastlane validate_secrets; then
            failed=true
            echo "::error::Unable to create a valid authorization token for the App Store Connect API.\
            Verify that the FASTLANE_ISSUER_ID, FASTLANE_KEY_ID, and FASTLANE_KEY secrets are set correctly and try again."
          fi

          # Validate MATCH_PASSWORD
          if [ -z "$MATCH_PASSWORD" ]; then
            failed=true
            echo "::error::The MATCH_PASSWORD secret is unset or empty. Set it and try again."
          fi

          # Exit unsuccessfully if secret validation failed.
          if [ $failed ]; then
            exit 2
          fi
        shell: bash
        env:
          TEAMID: ${{ secrets.TEAMID }}
          GH_PAT: ${{ secrets.GH_PAT }}
          FASTLANE_ISSUER_ID: ${{ secrets.FASTLANE_ISSUER_ID }}
          FASTLANE_KEY_ID: ${{ secrets.FASTLANE_KEY_ID }}
          FASTLANE_KEY: ${{ secrets.FASTLANE_KEY }}
          MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
          GH_TOKEN: ${{ secrets.GH_PAT }}