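name: PR Checks (privileged)

# Runs in the base-repo context (privileged) after eslint-check.yml completes.
# Downloads pre-built artifacts and posts PR comments/annotations.
# Never checks out or executes fork code.
#
# Trust boundary: for a fork PR, the triggering run and every artifact it
# uploaded are controlled by the PR author. Artifacts are treated as data
# only. They are extracted outside the checkout so they cannot replace the
# trusted helper scripts, and nothing inside them is executed.
#
# NOTE(review): actions/* are referenced by mutable tag, while the third-party
# actions below are pinned to a commit SHA. Consider pinning all of them the
# same way.

on:
  workflow_run:
    workflows: ['ESLint Check']
    types: [completed]

jobs:
  # Posts (or updates) the sticky bundle-size comment on the PR.
  comment:
    if: >
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      pull-requests: write
    steps:
      - name: Checkout trusted workflow helpers
        uses: actions/checkout@v4
        with:
          # Always the base repo's default branch, never the PR head.
          ref: ${{ github.event.repository.default_branch }}
          # No later step runs git, so do not leave the token in .git/config.
          persist-credentials: false

      - name: Download bundle size data
        uses: actions/download-artifact@v4
        with:
          name: bundle-size-data
          # Extract outside the workspace. The default path is the workspace
          # root, where an artifact containing
          # .github/scripts/render-bundle-size-comment.js would overwrite the
          # trusted helper that the render step runs with this job's token.
          path: ${{ runner.temp }}/bundle-size-data
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ github.event.workflow_run.id }}

      - name: Find PR number
        id: find-pr
        uses: actions/github-script@v7
        with:
          script: |
            const run = context.payload.workflow_run;
            if (run.pull_requests && run.pull_requests.length > 0) {
              return run.pull_requests[0].number;
            }
            // Fallback for fork PRs (pull_requests is empty for forks).
            // The pulls API documents the head filter as "user:ref-name",
            // so pass the fork owner's login rather than "owner/repo".
            const { data: prs } = await github.rest.pulls.list({
              owner: context.repo.owner,
              repo: context.repo.repo,
              head: `${run.head_repository.owner.login}:${run.head_branch}`,
              state: 'open',
            });
            // Accept only a PR whose head is the commit this run built, so
            // results are never posted on an unrelated or since-updated PR.
            const match = prs.find((pr) => pr.head.sha === run.head_sha);
            if (!match) {
              core.setFailed('Could not determine PR number');
              return;
            }
            return match.number;
          result-encoding: string

      - name: Render bundle size comment
        if: steps.find-pr.outputs.result
        env:
          BUNDLE_DATA_DIR: ${{ runner.temp }}/bundle-size-data
        # The JSON inputs come from the untrusted run; only the checked-out
        # script is executed.
        # NOTE(review): assumes the script takes its two inputs as file paths
        # and escapes their contents before emitting Markdown; confirm.
        run: |
          node .github/scripts/render-bundle-size-comment.js \
            "$BUNDLE_DATA_DIR/pr-sizes.json" \
            "$BUNDLE_DATA_DIR/base-sizes.json" \
            > bundle-size-comment.md

      - name: Post bundle size comment
        if: steps.find-pr.outputs.result
        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405
        with:
          header: bundle-size
          path: bundle-size-comment.md
          number: ${{ steps.find-pr.outputs.result }}

  # Publishes ESLint findings as check annotations.
  annotate:
    if: >
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    permissions:
      actions: read
      checks: write
    steps:
      # This job has no checkout, so the workspace holds only the downloaded
      # report. The report is untrusted input to the annotate action.
      - uses: actions/download-artifact@v4
        with:
          name: eslint_report.json
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ github.event.workflow_run.id }}

      - name: Annotate Code Linting Results
        uses: ataylorme/eslint-annotate-action@5f4dc2e3af8d3c21b727edb597e5503510b1dc9c
        with:
          repo-token: '${{ secrets.GITHUB_TOKEN }}'
          report-json: 'eslint_report.json'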