name: ecosystem-ci trigger

on:
  issue_comment:
    types: [created]

jobs:
  trigger:
    runs-on: ubuntu-latest
    if: github.repository == 'sveltejs/svelte' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/ecosystem-ci run')
    permissions:
      issues: write # to add / delete reactions
      pull-requests: write # to read PR data, and to add labels
      actions: read # to check workflow status
      contents: read # to clone the repo
    steps:
      - name: monitor action permissions
        uses: GitHubSecurityLab/actions-permissions/monitor@v1
      - name: check user authorization # user needs triage permission
        uses: actions/github-script@v7
        id: check-permissions
        with:
          script: |
            const user = context.payload.sender.login
            console.log(`Validate user: ${user}`)

            let hasTriagePermission = false
            try {
              const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
                owner: context.repo.owner,
                repo: context.repo.repo,
                username: user,
              });
              hasTriagePermission = data.user.permissions.triage
            } catch (e) {
              console.warn(e)
            }

            if (hasTriagePermission) {
              console.log('User is allowed. Adding +1 reaction.')
              await github.rest.reactions.createForIssueComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                comment_id: context.payload.comment.id,
                content: '+1',
              })
            } else {
              console.log('User is not allowed. Adding -1 reaction.')
              await github.rest.reactions.createForIssueComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                comment_id: context.payload.comment.id,
                content: '-1',
              })
              throw new Error('User does not have the necessary permissions.')
            }

      - name: Get PR Data
        uses: actions/github-script@v7
        id: get-pr-data
        with:
          script: |
            console.log(`Get PR info: ${context.repo.owner}/${context.repo.repo}#${context.issue.number}`)
            const { data: pr } = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.issue.number
            })
            return {
              num: context.issue.number,
              branchName: pr.head.ref,
              commit: pr.head.sha,
              repo: pr.head.repo.full_name
            }

      - name: Generate Token
        id: generate-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_ID }}
          private-key: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_PRIVATE_KEY }}
          repositories: |
            svelte
            svelte-ecosystem-ci

      - name: Trigger Downstream Workflow
        uses: actions/github-script@v7
        id: trigger
        env:
          COMMENT: ${{ github.event.comment.body }}
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          script: |
            const comment = process.env.COMMENT.trim()
            const prData = ${{ steps.get-pr-data.outputs.result }}

            const suite = comment.split('\n')[0].replace(/^\/ecosystem-ci run/, '').trim()

            await github.rest.actions.createWorkflowDispatch({
              owner: context.repo.owner,
              repo: 'svelte-ecosystem-ci',
              workflow_id: 'ecosystem-ci-from-pr.yml',
              ref: 'main',
              inputs: {
                prNumber: '' + prData.num,
                branchName: prData.branchName,
                repo: prData.repo,
                commit: prData.commit,
                suite: suite === '' ? '-' : suite
              }
            })