# Setup environment variables used for testscript
# This script will most likely fail because you are most likely targeting a repo that is not public and an org
# that is not on the right plan: https://docs.github.com/en/actions/how-tos/security-for-github-actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization
env REPO=${SCRIPT_NAME}-${RANDOM_STRING}
env2upper SECRET_NAME=${SCRIPT_NAME}_${RANDOM_STRING}

# Use gh as a credential helper
exec gh auth setup-git

# Create a repository with a file so it has a default branch
exec gh repo create $ORG/$REPO --add-readme --private

# Defer repo cleanup
defer gh repo delete --yes $ORG/$REPO

# Clone the repo
exec gh repo clone $ORG/$REPO
cd $REPO

# Confirm organization secret does not exist, will fail admin:org scope missing
exec gh secret list --org $ORG
! stdout $SECRET_NAME

# Create an organization secret
exec gh secret set $SECRET_NAME --org $ORG --body 'just an organization secret' --repos $REPO

# Defer organization secret cleanup
defer gh secret delete $SECRET_NAME --org $ORG

# Verify new organization secret exists
exec gh secret list --org $ORG
stdout $SECRET_NAME

# Commit workflow file creating dispatchable workflow able to verify secret matches
mkdir .github/workflows
mv ../workflow.yml .github/workflows/workflow.yml
replace .github/workflows/workflow.yml SECRET_NAME=$SECRET_NAME
exec git add .github/workflows/workflow.yml
exec git commit -m 'Create workflow file'
exec git push -u origin main

# Sleep because it takes a second for the workflow to register
sleep 1

# Check the workflow is indeed created
exec gh workflow list
stdout 'Test Workflow Name'

# Run the workflow
exec gh workflow run 'Test Workflow Name'

# It takes some time for a workflow run to register
sleep 10

# Get the run ID we want to watch & delete
exec gh run list --json databaseId --jq '.[0].databaseId'
stdout2env RUN_ID

# Wait for workflow to complete
exec gh run watch $RUN_ID --exit-status

# Verify secret matched what was set earlier
exec gh run view $RUN_ID --log
stdout 'GitHub Actions secret value matches$'

-- workflow.yml --
# This workflow is intended to assert the value of the GitHub Actions secret was set appropriately
name: Test Workflow Name
on:
  # Allow workflow to be dispatched by gh workflow run
  workflow_dispatch:

jobs:
  # This workflow contains a single job called "assert" that should only pass if the GitHub Actions secret value matches
  assert:
    runs-on: ubuntu-latest
    steps:
      - name: Assert secret value matches
        env:
          ORG_SECRET: ${{ secrets.$SECRET_NAME }}
        run: |
          if [[ "$ORG_SECRET" == "just an organization secret" ]]; then
            echo "GitHub Actions secret value matches"
          else
            echo "GitHub Actions secret value does not match"
            exit 1
          fi