name: ✍🏻 CVE Annotate

on:
  push:
    branches:
      - master
  workflow_dispatch:

jobs:
  docs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Get Github tag
        id: meta
        run: |
          curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name | xargs -I {} echo TAG={} >> $GITHUB_OUTPUT

      - name: Setup CVE annotate
        if: steps.meta.outputs.TAG != ''
        env:
          VERSION: ${{ steps.meta.outputs.TAG }}
        run: |
          wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/cve-annotate.zip
          sudo unzip cve-annotate.zip -d /usr/local/bin
        working-directory: /tmp

      - name: Generate CVE Annotations
        id: cve-annotate
        run: |
          cve-annotate -i . -d .
          git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT

      - name: Commit files
        if: steps.cve-annotate.outputs.CHANGES > 0
        run: |
          git config --local user.email "action@github.com"
          git config --local user.name "GitHub Action"
          git pull
          git add cves
          git commit -m "Auto Generated CVE annotations [$(date)] :robot:" -a

      - name: Push changes
        if: steps.cve-annotate.outputs.CHANGES > 0
        uses: ad-m/github-push-action@master
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          branch: ${{ github.ref }}