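#!/bin/bash
# Dependency update summary for CI.
#
# Runs pip-audit and `poetry update`, writes a markdown report to $SUMMARY_FILE
# (default /tmp/update_summary.md, the path the pipeline reads) and exits 1 when
# either step produced something worth opening a merge request for, 0 otherwise.
#
# Globals:   SUMMARY_FILE (read; may be overridden by the environment),
#            CHANGES_FOUND (written)
# Requires:  poetry (with pip-audit installed in its env), git, sha256sum;
#            must be run from the repository root (poetry.lock is read here).
set -euo pipefail

SUMMARY_FILE="${SUMMARY_FILE:-/tmp/update_summary.md}"
CHANGES_FOUND=0

# Scratch file for the raw pip-audit report. mktemp avoids a predictable,
# pre-creatable path in the shared /tmp; the trap removes it on every exit path.
AUDIT_OUTPUT=$(mktemp) || exit 1
trap 'rm -f -- "$AUDIT_OUTPUT"' EXIT

#######################################
# Append one line to the summary file.
# Arguments: $1 - text (omit or pass "" for a blank line)
#######################################
emit() {
  printf '%s\n' "${1-}" >> "$SUMMARY_FILE"
}

#######################################
# Run pip-audit and record the result in the summary.
# Globals:   AUDIT_OUTPUT (read), SUMMARY_FILE (appended),
#            CHANGES_FOUND (set to 1 on any non-zero pip-audit exit)
#######################################
scan_vulnerabilities() {
  emit "### Vulnerability scan"
  emit ""

  local audit_exit=0
  # A non-zero exit means either findings or a scan failure (network error,
  # broken environment), so the status is captured instead of aborting here.
  poetry run pip-audit --format markdown -o "$AUDIT_OUTPUT" 2>&1 || audit_exit=$?

  if (( audit_exit != 0 )); then
    if [[ -s "$AUDIT_OUTPUT" ]]; then
      emit "Vulnerabilities found:"
      cat -- "$AUDIT_OUTPUT" >> "$SUMMARY_FILE"
    else
      # No report was written: a failed scan must not read as a clean one,
      # so it is surfaced for review rather than silently treated as findings.
      emit "pip-audit exited with code ${audit_exit} and produced no report; check the job log."
    fi
    CHANGES_FOUND=1
  else
    emit "No vulnerabilities found."
  fi
  emit ""
}

#######################################
# Run `poetry update` and summarise what changed in poetry.lock.
# Globals:   SUMMARY_FILE (appended), CHANGES_FOUND (set to 1 when the lock
#            file checksum changed)
#######################################
check_outdated() {
  emit "### Outdated packages"
  emit ""

  local before after
  # Lock-file checksum before/after is the change detector; git diff below is
  # only used for the human-readable summary.
  before=$(sha256sum poetry.lock | cut -d' ' -f1)
  # NOTE(review): '--without pi' is kept verbatim; 'pi' is presumably a
  # dependency group in pyproject.toml — confirm it is not a typo.
  poetry update --without pi 2>&1
  after=$(sha256sum poetry.lock | cut -d' ' -f1)

  if [[ "$before" != "$after" ]]; then
    emit "The following packages were updated:"
    emit ""
    # Version lines from the lock diff. `|| true` because grep exits 1 when
    # nothing matches, which is not an error here. This also picks up any
    # lock changes that were already uncommitted before this run.
    git diff -- poetry.lock \
      | grep '^[+-].*version' \
      | grep -v '^---\|^+++' \
      | sed 's/^+/Updated: /;s/^-/Was: /' >> "$SUMMARY_FILE" || true
    CHANGES_FOUND=1
  else
    emit "All packages are up to date."
  fi
}

#######################################
# Entry point: write the report header, run both checks, exit with the
# change flag so the pipeline knows whether an MR is needed.
#######################################
main() {
  printf '## Dependency update summary\n\n' > "$SUMMARY_FILE"
  emit "Generated: $(date -u '+%Y-%m-%d %H:%M UTC')"
  emit ""

  scan_vulnerabilities
  check_outdated

  # exit code signals to the pipeline whether an MR is needed
  exit "$CHANGES_FOUND"
}

main "$@"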