name: Create release PR

on:
  workflow_dispatch:
    inputs:
      component:
        description: "Component to release"
        required: true
        type: choice
        options:
          - compute
          - proxy
          - storage
      cherry-pick:
        description: "Commits to cherry-pick (space separated, makes this a hotfix based on previous release)"
        required: false
        type: string
        default: ''

  workflow_call:
    inputs:
      component:
        description: "Component to release"
        required: true
        type: string
      cherry-pick:
        description: "Commits to cherry-pick (space separated, makes this a hotfix based on previous release)"
        required: false
        type: string
        default: ''


# No permission for GITHUB_TOKEN by default; the **minimal required** set of permissions should be granted in each job.
permissions: {}

defaults:
  run:
    shell: bash -euo pipefail {0}

jobs:
  create-release-pr:
    runs-on: ubuntu-22.04

    permissions:
      contents: write

    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          egress-policy: audit

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - name: Configure git
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"

      - name: Create release PR
        uses: neondatabase/dev-actions/release-pr@290dec821d86fa8a93f019e8c69720f5865b5677
        with:
          component: ${{ inputs.component }}
          cherry-pick: ${{ inputs.cherry-pick }}
        env:
          GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}