---
# PR pipeline: runs under pull_request_target (base-repository context, with
# secrets) and can also be invoked as a reusable workflow via workflow_call.
# Every job below sets its own GITHUB_TOKEN permissions explicitly because the
# top-level `permissions: {}` grants nothing by default; all third-party
# actions are pinned to a commit SHA with the release tag noted inline.
name: PR

on:
  pull_request_target:
  workflow_call:
    secrets:
      CACHIX_AUTH_TOKEN:
        required: true
      NIXPKGS_CI_APP_PRIVATE_KEY:
        required: true
      OWNER_APP_PRIVATE_KEY:
        # The Test workflow should not actually request reviews from owners.
        required: false
      OWNER_RO_APP_PRIVATE_KEY:
        required: true

# One in-flight run per PR (or per run id when no PR number is available);
# a newer push cancels the older run.
concurrency:
  group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

# Deny-by-default token scope; each job opts in to exactly what it needs.
permissions: {}

jobs:
  # Computes the branch/SHA facts that every downstream job consumes.
  prepare:
    runs-on: ubuntu-24.04-arm
    permissions:
      # wrong branch review comment
      pull-requests: write
    outputs:
      baseBranch: ${{ steps.prepare.outputs.base }}
      headBranch: ${{ steps.prepare.outputs.head }}
      mergedSha: ${{ steps.prepare.outputs.mergedSha }}
      targetSha: ${{ steps.prepare.outputs.targetSha }}
      systems: ${{ steps.prepare.outputs.systems }}
      touched: ${{ steps.prepare.outputs.touched }}
    steps:
      # No `ref` is given, so under pull_request_target this checks out the
      # base branch, not the PR head: only the repository's own trusted
      # ci/github-script code is executed in this privileged context.
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          sparse-checkout-cone-mode: true # default, for clarity
          sparse-checkout: |
            ci/github-script
      - id: prepare
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          # `dry` is only set when called from a pull_request-triggered workflow.
          script: |
            require('./ci/github-script/prepare.js')({
              github,
              context,
              core,
              dry: context.eventName == 'pull_request',
            })

  check:
    name: Check
    needs:
      - prepare
    uses: ./.github/workflows/check.yml
    permissions:
      # cherry-picks
      pull-requests: write
    secrets:
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
      OWNER_RO_APP_PRIVATE_KEY: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
    with:
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      headBranch: ${{ needs.prepare.outputs.headBranch }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}
      # Owner checks may fail unless the PR touched the owners data itself.
      ownersCanFail: ${{ !contains(fromJSON(needs.prepare.outputs.touched), 'owners') }}

  lint:
    name: Lint
    needs:
      - prepare
    uses: ./.github/workflows/lint.yml
    secrets:
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}

  eval:
    name: Eval
    needs:
      - prepare
    uses: ./.github/workflows/eval.yml
    permissions:
      # compare
      statuses: write
    secrets:
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
      targetSha: ${{ needs.prepare.outputs.targetSha }}
      systems: ${{ needs.prepare.outputs.systems }}
      # Version tests run only when pinned files changed and the head branch
      # is not a development branch.
      testVersions: ${{ contains(fromJSON(needs.prepare.outputs.touched), 'pinned') && !contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development') }}

  labels:
    name: Labels
    needs:
      - prepare
      - eval
    uses: ./.github/workflows/labels.yml
    permissions:
      issues: write
      pull-requests: write
    secrets:
      NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
    with:
      headBranch: ${{ needs.prepare.outputs.headBranch }}

  reviewers:
    name: Reviewers
    needs:
      - prepare
      - eval
    # Skipped when there is no target SHA or the head is a development branch.
    if: |
      needs.prepare.outputs.targetSha &&
      !contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development')
    uses: ./.github/workflows/reviewers.yml
    secrets:
      OWNER_APP_PRIVATE_KEY: ${{ secrets.OWNER_APP_PRIVATE_KEY }}

  build:
    name: Build
    needs:
      - prepare
    uses: ./.github/workflows/build.yml
    secrets:
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}

  # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
  # It "needs" all the jobs that should block merging a PR.
  unlock:
    # `always()` keeps this job running even when a dependency failed, so the
    # resulting commit status can report that failure instead of being absent.
    if: github.event_name != 'pull_request' && always()
    # Modify this list to add or remove jobs from required status checks.
    needs:
      - check
      - lint
      - eval
      - build
    runs-on: ubuntu-24.04-arm
    permissions:
      statuses: write
    steps:
      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          # Results of every job in `needs`, passed through the environment
          # rather than interpolated into the script.
          RESULTS: ${{ toJSON(needs.*.result) }}
        with:
          script: |
            const { serverUrl, repo, runId, payload } = context
            const target_url = `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}?pr=${payload.pull_request.number}`
            await github.rest.repos.createCommitStatus({
              ...repo,
              sha: payload.pull_request.head.sha,
              // WARNING:
              // Do NOT change the name of this, otherwise the rule will not catch it anymore.
              // This would prevent all PRs from merging.
              context: 'no PR failures',
              state: JSON.parse(process.env.RESULTS).every(status => status == 'success') ? 'success' : 'error',
              target_url,
            })