name: Gatekeeper

# Gatekeeper uses the "skips.py" to determine which job names/regexps are
# required for given PR and waits for them to either complete or fail
# reporting the status.

on:
  pull_request_target: # zizmor: ignore[dangerous-triggers] See #11332.
    types:
      - opened
      - synchronize
      - reopened
      - edited
      - labeled
      - unlabeled

permissions: {}

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  gatekeeper:
    name: gatekeeper
    runs-on: ubuntu-22.04
    permissions:
      actions: read
      contents: read
      issues: read
      pull-requests: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
          persist-credentials: false
      - id: gatekeeper
        env:
          TARGET_BRANCH: ${{ github.event.pull_request.base.ref }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          COMMIT_HASH: ${{ github.event.pull_request.head.sha }}
          GH_PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          #!/usr/bin/env bash -x
          mapfile -t lines < <(python3 tools/testing/gatekeeper/skips.py -t)
          export REQUIRED_JOBS="${lines[0]}"
          export REQUIRED_REGEXPS="${lines[1]}"
          export REQUIRED_LABELS="${lines[2]}"
          echo "REQUIRED_JOBS: $REQUIRED_JOBS"
          echo "REQUIRED_REGEXPS: $REQUIRED_REGEXPS"
          echo "REQUIRED_LABELS: $REQUIRED_LABELS"
          python3 tools/testing/gatekeeper/jobs.py
          exit $?
        shell: /usr/bin/bash -x {0}