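#!/usr/bin/env bash
#  vim:ts=4:sts=4:sw=4:et
#
#  Author: Hari Sekhon
#  Date: 2021-09-14 15:44:55 +0100 (Tue, 14 Sep 2021)
#
#  https://github.com/HariSekhon/DevOps-Bash-tools
#
#  License: see accompanying Hari Sekhon LICENSE file
#
#  If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
#
#  https://www.linkedin.com/in/HariSekhon
#

# Applies a fixed branch-protection policy to branches of one GitHub repo:
# either the branches named on the command line, or whichever of the
# default branch names exist in the repo.
#
# https://docs.github.com/en/rest/reference/repos#update-branch-protection

# Strict mode: an unhandled failure (including a failed API call) aborts the
# script, so branches later in the list are not attempted after an error.
set -euo pipefail
[ -n "${DEBUG:-}" ] && set -x
srcdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# shellcheck disable=SC1090,SC1091
. "$srcdir/lib/github.sh"

# Complete protection object sent with every PUT. The update-branch-protection
# endpoint replaces the branch's whole protection configuration, so the null
# fields below switch OFF any status checks, pull request review requirements
# and push restrictions already configured on the branch.
# Review the current protection of a branch before running this against it,
# and edit this object if those settings must be kept.
settings='
{
    "allow_force_pushes": false,
    "allow_deletions": false,
    "enforce_admins": true,
    "required_status_checks": null,
    "required_pull_request_reviews": null,
    "restrictions": null
}
'

# Whitespace-separated on purpose: the list is word-split by the loop at the
# bottom and also interpolated into the usage text.
default_branches_to_protect="
main
master
develop
dev
staging
production
"

# shellcheck disable=SC2034,SC2154
usage_description="
Enables branch protection for one or more branches in the given GitHub repo (prevents deleting the branch or force pushing over it)

If no branch is specified, then applies branches protections to any of the following branches if they're found:
$default_branches_to_protect

XXX: Beware this could reset certain protection settings on the branch when run, such as enabling/disabling PR approvals due to the way the API bundles them together.
     This is the complete list of settings sent, which you'd need to modify near the top of this code to change:

$(jq . <<< "$settings")

For authentication and other details see:

    github_api.sh --help
"

# used by usage() in lib/utils.sh
# The argument names had been lost from this string (it read " [ ...]"), so
# the help output did not say what to pass; they are restored here from the
# positional parsing below.
# shellcheck disable=SC2034
usage_args="<owner> <repo> [<branch> <branch2> ...]"

help_usage "$@"

min_args 2 "$@"

owner="$1"
repo="$2"
shift || :
shift || :

# Sends the settings object above as the protection for one branch.
# Globals:   owner, repo, settings, srcdir (read)
# Arguments: $1 - branch name
# Outputs:   progress lines via timestamp; the API response body is discarded
# Returns:   non-zero for a rejected branch name or a failed API call
protect_repo_branch(){
    local branch="$1"
    # The branch name is spliced into the API path unencoded. Refuse names
    # that git itself rejects as ref names (empty, '..', '?', whitespace) so
    # that a typo cannot send the PUT to a different path than the one logged.
    # NOTE(review): '#' is legal in a git branch name but is not URL-encoded
    # here - confirm how github_api.sh handles it.
    case "$branch" in
        ''|*..*|*'?'*|*[[:space:]]*)
            echo "invalid branch name '$branch'" >&2
            return 1
            ;;
    esac
    timestamp "protecting GitHub repo '$owner/$repo' branch '$branch'"
    # -X PUT / -d look like curl options, presumably passed through by
    # github_api.sh. With stdout sent to /dev/null, the only failure signal is
    # the exit status of github_api.sh.
    "$srcdir/github_api.sh" "/repos/$owner/$repo/branches/$branch/protection" -X PUT -d "$settings" >/dev/null
    timestamp "protection applied to branch '$branch'"
}

if [ $# -gt 0 ]; then
    # Branches given explicitly: protect each one, without checking first
    # that it exists in the repo.
    for branch in "$@"; do
        protect_repo_branch "$branch"
    done
else
    timestamp "no branches specified, getting branch list"
    branches="$(get_github_repo_branches "$owner/$repo")"
    # Deliberately unquoted so the default list splits into one name per word.
    for branch in $default_branches_to_protect; do
        timestamp "checking for branch '$branch'"
        # -F -x: literal whole-line match, so 'dev' does not match 'develop'.
        if grep -Fxq "$branch" <<< "$branches"; then
            protect_repo_branch "$branch"
        fi
    done
fi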