# Dispatch a request to getsentry to run getsentry test suites
name: getsentry dispatcher

on:
  # XXX: We are using `pull_request_target` instead of `pull_request` because we want
  # this to run on forks.  It allows forks to access secrets safely by
  # only running workflows from the main branch. Prefer to use `pull_request` when possible.
  #
  # See https://github.com/getsentry/sentry/pull/21600 for more details
  pull_request_target:
    types: [labeled, opened, reopened, synchronize]

# disable all other special privileges
permissions:
  # needed for `actions/checkout` to clone the code
  contents: read
  # needed to remove the pull-request label
  pull-requests: write

jobs:
  dispatch:
    if: "github.event.action != 'labeled' || github.event.label.name == 'Trigger: getsentry tests'"
    name: getsentry dispatch
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          persist-credentials: false

      - name: permissions
        run: |
          python3 -uS .github/workflows/scripts/getsentry-dispatch-setup \
              --repo-id ${{ github.event.repository.id }} \
              --pr ${{ github.event.number }} \
              --event ${{ github.event.action }} \
              --username "$ARG_USERNAME" \
              --label-names "$ARG_LABEL_NAMES"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # these can contain special characters
          ARG_USERNAME: ${{ github.event.pull_request.user.login }}
          ARG_LABEL_NAMES: ${{ toJSON(github.event.pull_request.labels.*.name) }}

      - name: Check for file changes
        uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0
        id: changes
        with:
          token: ${{ github.token }}
          filters: .github/file-filters.yml

      - name: getsentry token
        uses: getsentry/action-github-app-token@d4b5da6c5e37703f8c3b3e43abb5705b46e159cc # v3.0.0
        id: getsentry
        with:
          app_id: ${{ vars.SENTRY_INTERNAL_APP_ID }}
          private_key: ${{ secrets.SENTRY_INTERNAL_APP_PRIVATE_KEY }}

      - name: Wait for PR merge commit
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        id: mergecommit
        with:
          github-token: ${{ steps.getsentry.outputs.token }}
          script: |
            require(`${process.env.GITHUB_WORKSPACE}/.github/workflows/scripts/wait-for-merge-commit`).waitForMergeCommit({
              github,
              context,
              core,
            });

      - name: Dispatch getsentry tests
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          github-token: ${{ steps.getsentry.outputs.token }}
          script: |
            require(`${process.env.GITHUB_WORKSPACE}/.github/workflows/scripts/getsentry-dispatch`).dispatch({
              github,
              context,
              core,
              mergeCommitSha: '${{ steps.mergecommit.outputs.mergeCommitSha }}',
              fileChanges: ${{ toJson(steps.changes.outputs) }},
            });