name: Deploy previews for PRs
on:
  # zizmor: ignore[dangerous-triggers]
  # Reason: This is now restricted to internal PRs only using the 'if' condition below.
  workflow_run:
    workflows: ["Build"]
    types:
      - completed

jobs:
  prdetails:
    # Logic:
    # 1. Build must be successful
    # 2. Event must be a pull_request
    # 3. Head repository must be the SAME as the base repository (No Forks!)
    if: >
      github.event.workflow_run.conclusion == 'success' && 
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.head_repository.full_name == github.repository
    runs-on: ubuntu-latest
    outputs:
      pr_number: ${{ steps.prdetails.outputs.pr_id }}
      pr_data_json: ${{ steps.prdetails.outputs.data }}
    steps:
      - id: prdetails
        uses: matrix-org/pr-details-action@15bde5285d7850ba276cc3bd8a03733e3f24622a # v1.3
        continue-on-error: true
        with:
          owner: ${{ github.event.workflow_run.head_repository.owner.login }}
          branch: ${{ github.event.workflow_run.head_branch }}

  netlify-full:
    needs: prdetails
    permissions:
      deployments: write
    uses: ./.github/workflows/deploy-to-netlify.yaml
    with:
      artifact_run_id: ${{ github.event.workflow_run.id || github.run_id }}
      pr_number: ${{ needs.prdetails.outputs.pr_number }}
      pr_head_full_name: ${{ github.event.workflow_run.head_repository.full_name }}
      pr_head_ref: ${{ needs.prdetails.outputs.pr_data_json && fromJSON(needs.prdetails.outputs.pr_data_json).head.ref }}
      deployment_ref: ${{ needs.prdetails.outputs.pr_data_json && fromJSON(needs.prdetails.outputs.pr_data_json).head.sha || github.ref || github.head_ref }}
      package: full
    secrets:
      ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
      NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
      NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}

  netlify-sdk:
    needs: prdetails
    permissions:
      deployments: write
    uses: ./.github/workflows/deploy-to-netlify.yaml
    with:
      artifact_run_id: ${{ github.event.workflow_run.id || github.run_id }}
      pr_number: ${{ needs.prdetails.outputs.pr_number }}
      pr_head_full_name: ${{ github.event.workflow_run.head_repository.full_name }}
      pr_head_ref: ${{ needs.prdetails.outputs.pr_data_json && fromJSON(needs.prdetails.outputs.pr_data_json).head.ref }}
      deployment_ref: ${{ needs.prdetails.outputs.pr_data_json && fromJSON(needs.prdetails.outputs.pr_data_json).head.sha || github.ref || github.head_ref }}
      package: sdk
    secrets:
      ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
      NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
      NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}

  docker:
    if: ${{ needs.prdetails.outputs.pr_data_json && contains(fromJSON(needs.prdetails.outputs.pr_data_json).labels.*.name, 'docker build') }}
    needs: prdetails
    permissions:
      contents: write
      packages: write
      id-token: write
    uses: ./.github/workflows/build-and-publish-docker.yaml
    secrets: inherit
    with:
      artifact_run_id: ${{ github.event.workflow_run.id || github.run_id }}
      docker_tags: |
        type=sha,format=short,event=branch
        type=raw,value=pr_${{ needs.prdetails.outputs.pr_number }}