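# Checks that the nss-rs at this commit can be vendored into Gecko
# (mozilla-firefox/firefox) with `./mach vendor rust`, using a local path
# override for the crate. The job only reads both repositories; nothing is
# pushed anywhere.
name: Vendor into Firefox

on:
  pull_request:
  merge_group:
  workflow_dispatch:

# One run per PR (or per ref for merge_group / manual runs); newer pushes
# cancel an in-flight run.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

# Read-only token: the job clones two repositories and never writes back.
permissions:
  contents: read

# `shell: bash` on GitHub Actions runs with `-e -o pipefail`, which the
# vendoring script below relies on for its error handling.
defaults:
  run:
    shell: bash

env:
  CARGO_TERM_COLOR: always

jobs:
  vendor:
    name: Vendor into Gecko
    runs-on: ubuntu-24.04
    steps:
      - name: Check out nss-rs
        # Pinned to a full commit SHA; the trailing comment records the tag.
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          path: nss-rs
          # Do not leave the job token behind in .git/config.
          persist-credentials: false

      - name: Check out Gecko
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: mozilla-firefox/firefox
          path: firefox
          ref: main
          fetch-depth: 1
          persist-credentials: false

      - name: Vendor nss-rs into Gecko
        working-directory: firefox
        run: |
          # Minimal mozconfig so mach has a configured application to vendor for.
          {
            echo "mk_add_options MOZ_OBJDIR=../obj-firefox"
            echo "ac_add_options --enable-application=browser"
            echo "ac_add_options --disable-tests"
            echo "ac_add_options --enable-release"
          } > mozconfig

          # Version of the nss-rs crate under test, read from its own manifest.
          version=$(cargo metadata --manifest-path ../nss-rs/Cargo.toml --format-version 1 --no-deps \
            | jq -r '.packages[] | select(.name == "nss-rs") | .version')
          # jq exits 0 with no output when no package matches; fail here rather
          # than writing an audit entry with an empty version further down.
          if [ -z "$version" ]; then
            echo "::error::Could not determine the nss-rs version from ../nss-rs/Cargo.toml"
            exit 1
          fi

          # Redirect the nss-rs patch to our local checkout.
          # The section may or may not exist in Gecko's Cargo.toml.
          python3 - <<'PYEOF'
          import re, pathlib
          p = pathlib.Path('Cargo.toml')
          text = p.read_text()
          hdr = '[patch."https://github.com/mozilla/nss-rs"]'
          new = 'nss-rs = { path = "../nss-rs" }'
          if hdr not in text:
              text += f'\n{hdr}\n'
          # Body of the patch section: every line up to the next `[` table header.
          m = re.search(re.escape(hdr) + r'\n((?:(?!\[).*\n)*)', text)
          body, n = re.subn(r'(?m)^nss-rs\s*=.*', new, m.group(1))
          if not n:
              body = new + '\n' + body
          p.write_text(text[:m.start(1)] + body + text[m.end(1):])
          PYEOF

          # Full re-resolve: a targeted `cargo update nss-rs` would keep the
          # stale v0.9.0 lock entry (path-dep entries carry no source field,
          # so cargo can't match the old entry to the changed [patch] path).
          cargo update

          # Placeholder audit entry for the version under test so the vet step
          # has a record for it. This is not a real review: it exists only in
          # this job's checkout and must never be committed to Gecko.
          {
            echo "[[audits.nss-rs]]"
            echo 'who = "CI"'
            echo 'criteria = "safe-to-deploy"'
            echo "version = \"$version\""
            echo 'notes = "Placeholder created by CI."'
            echo ""
          } >> supply-chain/audits.toml

          # Hide .git to prevent mach from running git operations
          mv .git .git.bak
          # Restore it on every exit path, including the `exit 1` branches below.
          trap 'mv .git.bak .git' EXIT

          # With pipefail, the `if` tests mach's status, not tee's.
          if ./mach vendor rust --ignore-modified 2>&1 | tee vendor.log; then
            echo "Vendoring succeeded"
            exit 0
          fi

          if [ ! -s vendor.log ]; then
            echo "::error::Vendoring failed with no output"
            exit 1
          fi

          if grep -qE "Vet error|Missing audit for" vendor.log; then
            # Crate names from `name:version` tokens in the log; `|| true` keeps
            # `-e` from aborting when grep finds no match.
            FAILING_CRATES=$(grep -oE '[a-zA-Z_][a-zA-Z0-9_-]*:[0-9]+\.[0-9]+' vendor.log \
              | cut -d: -f1 | sort -u) || true
            if echo "$FAILING_CRATES" | grep -qxF "nss-rs"; then
              echo "::error::Vet failure for nss-rs"
              cat vendor.log
              exit 1
            fi
            # Only crates other than nss-rs failed vet: that is Gecko's state,
            # not this PR's, so force past it to still exercise the vendoring.
            echo "::warning::Vet failures are unrelated to nss-rs, forcing"
            ./mach vendor rust --ignore-modified --force
          else
            echo "::error::Vendoring failed for non-vet reasons:"
            cat vendor.log
            exit 1
          fi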