# SECURITY: This workflow runs on untrusted branches when a maintainer comments "/run-acceptance-tests".
#
# Changes to "permissions" and "secrets" should be narrowly scoped and carefully reviewed.
#
# Reusable workflows ("uses" jobs) *must* specify the main branch.

name: dispatched-acceptance-test

# The only trigger is a repository_dispatch carrying the
# `run-acceptance-tests-command` event type. The dispatching workflow supplies
# the PR details in `github.event.client_payload`, which the concurrency group
# and the jobs below read.
on:
  repository_dispatch:
    types: [run-acceptance-tests-command]

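permissions:
  # Workflow-level default for GITHUB_TOKEN: read-only. Every job below
  # declares its own `permissions` block, which replaces this default for that
  # job, so write scopes are granted only where they are used
  # (`pull-requests: write` in comment-notification, `id-token: write` in ci)
  # rather than to every job by default.
  contents: read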

# One run per workflow + PR number: a newer dispatch for the same PR cancels
# the in-flight run (cancel-in-progress), so repeated "/run-acceptance-tests"
# comments do not queue duplicate test runs.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.client_payload.pull_request.number }}
  cancel-in-progress: true

jobs:
  info:
    name: info
    # Calls the shared ci-info workflow from the trusted master branch. `ref`
    # is github.ref, which for a repository_dispatch event resolves to the
    # repository's default branch rather than the PR under test, so the
    # version/metadata is computed from trusted code.
    uses: pulumi/pulumi/.github/workflows/ci-info.yml@master
    permissions:
      contents: read
    with:
      ref: ${{ github.ref }}
      is-snapshot: true
    # NOTE(review): `secrets: inherit` forwards every repository secret to the
    # called workflow, which is broader than the explicit per-secret list the
    # `ci` job uses and than the "narrowly scoped" policy in the file header.
    # If ci-info.yml needs no secrets (or a known subset), replace this with an
    # explicit `secrets:` map — TODO confirm against ci-info.yml.
    secrets: inherit

  comment-notification:
    runs-on: ubuntu-latest
    # Redundant guard: repository_dispatch is this workflow's only trigger
    # (see `on:` above), so this condition is always true.
    if: ${{ github.event_name == 'repository_dispatch' }}
    permissions:
      contents: read
      pull-requests: write
    steps:
      # Posts (or updates) the triggering comment with a link to this run.
      # The job has no `needs`, so the link is posted as soon as the run
      # starts, before `ci` has produced any results. The repository, comment
      # and issue ids come from the dispatch payload, i.e. from whatever
      # workflow issued the repository_dispatch, not from the PR branch itself.
      - name: Update with Result
        uses: peter-evans/create-or-update-comment@v4
        with:
          # NOTE(review): a bot PAT is used even though the job also grants
          # pull-requests: write to GITHUB_TOKEN; one of the two is presumably
          # unnecessary — confirm which one the action needs here.
          token: ${{ secrets.PULUMI_BOT_TOKEN }}
          repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
          comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
          issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
          body: |
            Please view the results of the acceptance tests [Here](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})

  ci:
    name: CI
    needs: [info]
    # Runs the shared CI workflow from the trusted master branch against the
    # PR's merge ref (untrusted contributor code merged into the base). Per the
    # file header, the maintainer's "/run-acceptance-tests" comment is the only
    # gate before that code runs with the secrets listed below.
    uses: pulumi/pulumi/.github/workflows/ci.yml@master
    permissions:
      contents: read
      # To sign artifacts.
      id-token: write
    with:
      # NOTE(review): refs/pull/<n>/merge is resolved when the called workflow
      # checks out, not when the maintainer commented, so a push to the PR
      # between the comment and checkout changes what runs. If the dispatch
      # payload carries the PR head SHA, pinning to it would close that gap —
      # TODO confirm the payload shape.
      ref: refs/pull/${{ github.event.client_payload.pull_request.number }}/merge
      version: ${{ needs.info.outputs.version }}
      lint: true
      build-all-targets: false
      test-version-sets: current
      integration-test-platforms: ubuntu-latest
      # Empty string: no acceptance-test platforms are passed to ci.yml —
      # confirm this is intended for a workflow named dispatched-acceptance-test.
      acceptance-test-platforms: ''
      # We'll only upload coverage artifacts with the periodic-coverage cron workflow.
      enable-coverage: false
    secrets:
      # Scope secrets to the minimum required: each secret is passed
      # explicitly rather than via `secrets: inherit`, so the called workflow
      # receives only the ones listed here.
      PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
      PULUMI_PROD_ACCESS_TOKEN: ${{ secrets.PULUMI_PROD_ACCESS_TOKEN }}
      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
      AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
      AZURE_STORAGE_SAS_TOKEN: ${{ secrets.AZURE_STORAGE_SAS_TOKEN }}
      GCP_SERVICE_ACCOUNT: ${{ secrets.GCP_SERVICE_ACCOUNT }}