---
name: Bump Desktop Cask

on:
  push:
    tags:
      - desktop-v**
  workflow_dispatch:

defaults:
  run:
    shell: bash

jobs:
  update-desktop-cask:
    name: Update Bitwarden Desktop Cask
    runs-on: macos-11
    steps:
      - name: Login to Azure
        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

      - name: Retrieve secrets
        id: retrieve-secrets
        env:
          KEYVAULT: bitwarden-prod-kv
          SECRETS: |
            brew-bump-workflow-pat
        run: |
          for i in ${SECRETS//,/ }
          do
            VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
            echo "::add-mask::$VALUE"
            echo "::set-output name=$i::$VALUE"
          done

      - name: Update Homebrew cask
        uses: macauley/action-homebrew-bump-cask@445c42390d790569d938f9068d01af39ca030feb
        with:
          # Required, custom GitHub access token with the 'public_repo' and 'workflow' scopes
          token: ${{ steps.retrieve-secrets.outputs.brew-bump-workflow-pat }}
          org: bitwarden
          tap: Homebrew/homebrew-cask
          cask: bitwarden
          tag: ${{ github.ref }}
          revision: ${{ github.sha }}
          force: false
          dryrun: true