# This workflow will request reviews from the maintainers of each package
# listed in the PR's most recent eval comparison artifact.
#
# Trust model, as far as this file shows:
# - `pull_request_target` runs in the context of the base repository, so
#   secrets and variables are available even for PRs from forks.
# - The only code that is checked out and built is the `ci` directory, placed
#   under `trusted/`. No `ref` is set on the checkout step, so it uses the
#   event's default ref.
# - The comparison artifact is data produced by the eval run for the PR head
#   commit; it is read as input and never executed here.

name: Reviewers

on:
  pull_request_target:
    types: [ready_for_review]
  workflow_call:
    inputs:
      artifact-prefix:
        required: true
        type: string
    secrets:
      OWNER_APP_PRIVATE_KEY:
        required: true

# One run per workflow / event / PR; a newer run in the same group cancels the
# older one. Falls back to the run id when there is no PR number in the event.
concurrency:
  group: reviewers-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

# No permissions are granted to github.token here. The write access needed to
# request reviews comes from the GitHub App token minted in the job below.
permissions: {}

defaults:
  run:
    shell: bash

jobs:
  request:
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 20
    steps:
      # Third-party actions are pinned to a full commit SHA; the trailing
      # comment records the matching release tag. Update both together.
      #
      # persist-credentials: false keeps the checkout token out of the local
      # git config, and sparse-checkout limits the working tree to `ci`.
      - name: Check out the PR at the base commit
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
          path: trusted
          sparse-checkout: ci

      - name: Install Nix
        uses: cachix/install-nix-action@fd24c48048070c1be9acd18c9d369a83f0fe94d7 # v31

      # Built from the `trusted` checkout. The `result` output of this build
      # is what later runs with the App token (result/bin/request-reviewers.sh).
      - name: Build the requestReviews derivation
        run: nix-build trusted/ci -A requestReviews

      # For requesting reviewers, this job depends on a GitHub App with the following permissions:
      # - Permissions:
      #   - Repository > Administration: read-only
      #   - Organization > Members: read-only
      #   - Repository > Pull Requests: read-write
      # - Install App on this repository, setting these variables:
      #   - OWNER_APP_ID (variable)
      #   - OWNER_APP_PRIVATE_KEY (secret)
      #
      # Can't use the token received from permissions above, because it can't get enough permissions.
      #
      # The token is only minted for pull_request_target events and only when
      # OWNER_APP_ID is set. The permission-* inputs request just the three
      # permissions listed above for the issued token.
      - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
        if: github.event_name == 'pull_request_target' && vars.OWNER_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.OWNER_APP_ID }}
          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
          permission-administration: read
          permission-members: read
          permission-pull-requests: write

      # The rate-limit steps only print the current quota for the given token;
      # they are repeated around the API-heavy steps to show consumption.
      - name: Log current API rate limits (github.token)
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh api /rate_limit | jq

      # In the regular case, this workflow is called via workflow_call from the eval workflow directly.
      # In the more special case, when a PR is undrafted an eval run will have started already.
      #
      # The artifact name reaches the script through the ARTIFACT environment
      # variable (read as process.env.ARTIFACT) instead of being expanded into
      # the script text, so the input value is never parsed as JavaScript.
      #
      # NOTE(review): `workflow_runs[0]` is undefined when no run matches the
      # head SHA, so the step would then fail with a TypeError rather than a
      # descriptive message. It also takes the first listed run; presumably
      # the API returns the newest run first - confirm.
      - name: Wait for comparison to be done
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        id: eval
        env:
          ARTIFACT: ${{ inputs.artifact-prefix }}comparison
        with:
          script: |
            const run_id = (await github.rest.actions.listWorkflowRuns({
              owner: context.repo.owner,
              repo: context.repo.repo,
              workflow_id: context.eventName === 'pull_request' ? 'test.yml' : 'pull-request-target.yml',
              event: context.eventName,
              head_sha: context.payload.pull_request.head.sha
            })).data.workflow_runs[0].id

            core.setOutput('run-id', run_id)

            // Waiting 120 * 5 sec = 10 min. max.
            // The extreme case is an Eval run that just started when the PR is undrafted.
            // Eval takes max 5-6 minutes, normally.
            for (let i = 0; i < 120; i++) {
              const result = await github.rest.actions.listWorkflowRunArtifacts({
                owner: context.repo.owner,
                repo: context.repo.repo,
                run_id,
                name: process.env.ARTIFACT,
              })
              if (result.data.total_count > 0) return
              await new Promise(resolve => setTimeout(resolve, 5000))
            }
            throw new Error("No comparison artifact found.")

      - name: Log current API rate limits (github.token)
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh api /rate_limit | jq

      # Fetches the artifact from the run found above into `comparison/`,
      # using github.token rather than the App token.
      - name: Download the comparison results
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          run-id: ${{ steps.eval.outputs.run-id }}
          github-token: ${{ github.token }}
          pattern: ${{ inputs.artifact-prefix }}comparison
          path: comparison
          merge-multiple: true

      - name: Log current API rate limits (app-token)
        if: ${{ steps.app-token.outputs.token }}
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

      - name: Log current API rate limits (github.token)
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh api /rate_limit | jq

      # Runs only when an App token was minted (see the app-token step).
      #
      # Event-derived values (repository, PR number, author login) are passed
      # as environment variables and referenced as quoted shell variables, not
      # expanded into the script text.
      #
      # Token scoping inside the script: the `gh api /user/<id>` lookups run
      # with the step-level GH_TOKEN (github.token); the App token is set only
      # for the final request-reviewers.sh command.
      #
      # NOTE(review): comparison/maintainers.json and comparison/owners.txt
      # come from the downloaded artifact, whose contents are influenced by
      # the PR. The keys of maintainers.json are placed into the API path
      # /user/<id> and owners.txt is forwarded as-is, so request-reviewers.sh
      # (not shown here) has to treat its stdin as untrusted. Consider
      # accepting only numeric IDs before the lookup - confirm against the
      # artifact format.
      - name: Requesting reviews
        if: ${{ steps.app-token.outputs.token }}
        env:
          GH_TOKEN: ${{ github.token }}
          APP_GH_TOKEN: ${{ steps.app-token.outputs.token }}
          REPOSITORY: ${{ github.repository }}
          NUMBER: ${{ github.event.number }}
          AUTHOR: ${{ github.event.pull_request.user.login }}
          # Don't request reviewers on draft PRs
          DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
        run: |
          # maintainers.json contains GitHub IDs. Look up handles to request reviews from.
          # There appears to be no API to request reviews based on GitHub IDs
          jq -r 'keys[]' comparison/maintainers.json \
            | while read -r id; do gh api /user/"$id" --jq .login; done \
            | cat comparison/owners.txt - \
            | GH_TOKEN="$APP_GH_TOKEN" result/bin/request-reviewers.sh "$REPOSITORY" "$NUMBER" "$AUTHOR"

      - name: Log current API rate limits (app-token)
        if: ${{ steps.app-token.outputs.token }}
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

      - name: Log current API rate limits (github.token)
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh api /rate_limit | jq