name: Sync schema.prisma copies

on:
  pull_request:
    paths:
      - 'schema.prisma'

# Scoped to ONLY the permissions needed:
# - contents:write to push the sync commit to the PR branch
# - pull-requests:read is implicit (needed to check out the PR)
permissions:
  contents: write

jobs:
  sync:
    name: Copy root schema to proxy and proxy-extras
    runs-on: ubuntu-latest
    timeout-minutes: 5
    # Only run on PRs from branches in THIS repo (not forks).
    # Fork PRs cannot push back to the head branch with GITHUB_TOKEN,
    # and pull_request events from forks have read-only tokens anyway.
    # Also reject PRs from branches named after protected branches to
    # prevent pushing directly to main/master.
    if: >-
      github.event.pull_request.head.repo.full_name == github.repository
      && github.head_ref != 'main'
      && github.head_ref != 'master'
    steps:
      - name: Checkout PR branch by SHA
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          # Use the merge commit SHA for safety — github.head_ref is an
          # attacker-controlled string (the branch name) and could contain
          # unusual characters that cause unexpected git behavior.
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: true  # needed for git push

      - name: Reject symlinked schema files
        run: |
          for f in schema.prisma litellm/proxy/schema.prisma litellm-proxy-extras/litellm_proxy_extras/schema.prisma; do
            if [ -L "$f" ]; then
              echo "::error file=$f::$f is a symlink, which is not allowed"
              exit 1
            fi
          done

      - name: Copy root schema to other locations
        run: |
          cp schema.prisma litellm/proxy/schema.prisma
          cp schema.prisma litellm-proxy-extras/litellm_proxy_extras/schema.prisma

      - name: Check for changes
        id: diff
        run: |
          if git diff --quiet -- litellm/proxy/schema.prisma litellm-proxy-extras/litellm_proxy_extras/schema.prisma; then
            echo "changed=false" >> "$GITHUB_OUTPUT"
            echo "Schemas already in sync. Nothing to do."
          else
            echo "changed=true" >> "$GITHUB_OUTPUT"
            echo "Schema copies need updating."
          fi

      - name: Commit synced schemas
        if: steps.diff.outputs.changed == 'true'
        run: |
          # Push to the PR's head branch (need the branch name for git push).
          # We checked out by SHA above for safety, so configure the push target explicitly.
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git checkout -B "$GITHUB_HEAD_REF"
          git add -- litellm/proxy/schema.prisma litellm-proxy-extras/litellm_proxy_extras/schema.prisma
          git commit -m "chore: sync schema.prisma copies from root"
          git push origin "HEAD:$GITHUB_HEAD_REF"