# Runs the giteabot action against pull-request events, review events, a
# nightly schedule and manual dispatch.
name: giteabot

on:
  # pull_request_target runs in the base repository's context, so PRs from
  # forks can reach GITEABOT_TOKEN; the bot needs it to write labels, statuses
  # and comments. This is acceptable only while the job consists of a pinned
  # action and never checks out or executes PR HEAD. Any step added later that
  # checks out the PR head or passes PR-controlled text to a script would run
  # with these write-capable credentials, so review such changes with that in
  # mind.
  pull_request_target: # zizmor: ignore[dangerous-triggers]
    types:
      - opened
      - synchronize
      - labeled
      - unlabeled
      - closed
      - review_requested
      - review_request_removed
  pull_request_review:
    types:
      - submitted
      - edited
      - dismissed
  # Daily maintenance run.
  schedule:
    - cron: '15 3 * * *'
  workflow_dispatch:
    inputs:
      checks:
        description: 'Comma-separated list of non-backport checks to run'
        required: false
        # Must stay identical to the fallback list in the step's `checks` input.
        default: 'labels,merge_queue,lock,feedback,last_call,milestones,lgtm,translation_comment,pr_actions'

# Scopes granted to the workflow token (github.token). They do not constrain
# GITEABOT_TOKEN; that secret's scope is set wherever it was issued.
permissions:
  contents: read
  issues: write
  pull-requests: write
  statuses: write

# PR-triggered runs share one group per pull request; schedule and manual runs
# share the single "maintenance" group. A newer run does not cancel one that is
# already in progress.
concurrency:
  group: >-
    ${{ format('{0}-{1}', github.workflow,
    (github.event_name == 'pull_request_target' || github.event_name == 'pull_request_review')
    && format('pr-{0}', github.event.pull_request.number)
    || 'maintenance') }}
  cancel-in-progress: false

jobs:
  giteabot:
    # Only the upstream repository runs the bot; forks skip the job.
    if: github.repository == 'go-gitea/gitea'
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      # The action is pinned to a full commit SHA rather than a movable tag.
      #
      # pull_request_review runs without repository secrets on fork PRs, so the
      # token expression falls back to the workflow token for the non-backport
      # checks handled here.
      # NOTE(review): on fork PRs that fallback token is typically read-only
      # for this event regardless of the permissions block; confirm the checks
      # that run on reviews tolerate it.
      - uses: go-gitea/giteabot@d4f19d5b4a88059d8c3ca78d660631506fc0c286 # add retry logic to giteabot
        with:
          github_token: ${{ secrets.GITEABOT_TOKEN || github.token }}
          # Events other than workflow_dispatch carry no inputs, so the literal
          # list applies; keep it in sync with the dispatch input's default.
          checks: >-
            ${{ github.event.inputs.checks ||
            'labels,merge_queue,lock,feedback,last_call,milestones,lgtm,translation_comment,pr_actions' }}