name: CI Security

on:
  pull_request:
    branches:
      - dev
      - master
      - V7
  pull_request_target:
    types:
      - opened
      - reopened
      - labeled
      - synchronize
    branches:
      - dev
      - master
      - V7

concurrency:
  group: "ci-security-${{ github.head_ref || github.run_id }}-${{ github.event_name }}"
  cancel-in-progress: true

jobs:
  security-checkpoint:
    name: Check CI Clearance
    if: github.event_name == 'pull_request_target' && (github.event.pull_request.head.repo.id != github.event.pull_request.base.repo.id || github.event.pull_request.user.id == 49699333) && github.event.pull_request.state == 'open' && github.event.pull_request.draft != true
    runs-on: ubuntu-latest
    steps:
      - name: Generate App Token
        id: app-token-generation
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - name: "Remove Stale 'CI Cleared' Label"
        if: github.event.action == 'synchronize' || github.event.action == 'reopened'
        uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0
        with:
          labels: CI Cleared
          github_token: ${{ steps.app-token-generation.outputs.token }}

      - name: "Remove 'CI Approval Required' Label"
        if: (github.event.action == 'synchronize' || github.event.action == 'reopened') || ((github.event.action == 'opened' || github.event.action == 'labeled') && contains(github.event.pull_request.labels.*.name, 'CI Cleared'))
        uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0
        with:
          labels: CI Approval Required
          github_token: ${{ steps.app-token-generation.outputs.token }}

      - name: "Add 'CI Approval Required' Label"
        if: (github.event.action == 'synchronize' || github.event.action == 'reopened') || ((github.event.action == 'opened' || github.event.action == 'labeled') && !contains(github.event.pull_request.labels.*.name, 'CI Cleared'))
        uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf
        with:
          labels: CI Approval Required
          github_token: ${{ steps.app-token-generation.outputs.token }}

      - name: Fail if PR has Unlabeled new Commits from User
        if: (github.event.action == 'synchronize' || github.event.action == 'reopened') || ((github.event.action == 'opened' || github.event.action == 'labeled') && !contains(github.event.pull_request.labels.*.name, 'CI Cleared'))
        run: exit 1

  ci-pipline-workflow-call:
    name: CI Pipeline
    needs: security-checkpoint
    if: (!(cancelled() || failure()) && (needs.security-checkpoint.result == 'success' || (github.event_name != 'pull_request_target' && github.event.pull_request.head.repo.id == github.event.pull_request.base.repo.id && github.event.pull_request.user.id != 49699333)) && github.event.pull_request.draft != true)
    uses: ./.github/workflows/ci-pipeline.yml
    secrets: inherit
    with:
      pull_request_number: ${{ github.event.pull_request.number }}