name: PR Checks

on:
  push:
  pull_request:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
  workflow_dispatch:

jobs:
  check-js:
    name: Check JS
    runs-on: ubuntu-latest
    timeout-minutes: 45

    strategy:
      fail-fast: false
      matrix:
        node-types-version: [16.11, current] # we backport this matrix job in order to maintain the same check names

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Lint
        id: lint
        run: npm run-script lint-ci

      - name: Upload sarif
        uses: github/codeql-action/upload-sarif@v3
        # Only upload SARIF for the latest version of Node.js
        if: "!cancelled() && matrix.node-types-version == 'current' && !startsWith(github.head_ref, 'dependabot/')"
        with:
          sarif_file: eslint.sarif
          category: eslint

      - name: Update version of @types/node
        if: matrix.node-types-version != 'current'
        env:
          NODE_TYPES_VERSION: ${{ matrix.node-types-version }}
        run: |
          # Export `NODE_TYPES_VERSION` so it's available to jq
          export NODE_TYPES_VERSION="${NODE_TYPES_VERSION}"
          contents=$(jq '.devDependencies."@types/node" = env.NODE_TYPES_VERSION' package.json)
          echo "${contents}" > package.json
          # Usually we run `npm install` on macOS to ensure that we pick up macOS-only dependencies.
          # However we're not checking in the updated lockfile here, so it's fine to run
          # `npm install` on Linux.
          npm install

          if [ ! -z "$(git status --porcelain)" ]; then
            git config --global user.email "github-actions@github.com"
            git config --global user.name "github-actions[bot]"
            # The period in `git add --all .` ensures that we stage deleted files too.
            git add --all .
            git commit -m "Use @types/node=${NODE_TYPES_VERSION}"
          fi

      - name: Check generated JS
        if: matrix.node-types-version != 'current' # we do not need to test the newer node on the v2 branch
        run: .github/workflows/script/check-js.sh

  check-node-modules:
    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
    name: Check modules up to date
    runs-on: macos-latest
    timeout-minutes: 45

    steps:
      - uses: actions/checkout@v4
      - name: Check node modules up to date
        run: .github/workflows/script/check-node-modules.sh

  check-file-contents:
    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
    name: Check file contents
    runs-on: ubuntu-latest
    timeout-minutes: 45

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: 3.11

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          # When updating this, update the autogenerated code header in `sync.py` too.
          pip install ruamel.yaml==0.17.31

      # Ensure the generated PR check workflows are up to date.
      - name: Verify PR checks up to date
        run: .github/workflows/script/verify-pr-checks.sh

  npm-test:
    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
    name: Unit Test
    needs: [check-js, check-node-modules]
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    timeout-minutes: 45

    steps:
      - uses: actions/checkout@v4
      - name: npm test
        run: |
          # Run any commands referenced in package.json using Bash, otherwise
          # we won't be able to find them on Windows.
          npm config set script-shell bash
          npm test

  check-node-version:
    if: github.event.pull_request
    name: Check Action Node versions
    runs-on: ubuntu-latest
    timeout-minutes: 45
    env:
      BASE_REF: ${{ github.base_ref }}

    steps:
      - uses: actions/checkout@v4
      - id: head-version
        name: Verify all Actions use the same Node version
        run: |
          NODE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
          echo "NODE_VERSION: ${NODE_VERSION}"
          if [[ $(echo "$NODE_VERSION" | wc -l) -gt 1 ]]; then
            echo "::error::More than one node version used in 'action.yml' files."
            exit 1
          fi
          echo "node_version=${NODE_VERSION}" >> $GITHUB_OUTPUT

      - id: checkout-base
        name: 'Backport: Check out base ref'
        if: ${{ startsWith(github.head_ref, 'backport-') }}
        uses: actions/checkout@v4
        with:
          ref: ${{ env.BASE_REF }}

      - name: 'Backport: Verify Node versions unchanged'
        if: steps.checkout-base.outcome == 'success'
        env:
          HEAD_VERSION: ${{ steps.head-version.outputs.node_version }}
        run: |
          BASE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
          echo "HEAD_VERSION: ${HEAD_VERSION}"
          echo "BASE_VERSION: ${BASE_VERSION}"
          if [[ "$BASE_VERSION" != "$HEAD_VERSION" ]]; then
            echo "::error::Cannot change the Node version of an Action in a backport PR."
            exit 1
          fi