# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt

name: run-acceptance-tests

on:
  pull_request:
    paths-ignore:
    - CHANGELOG.md
  repository_dispatch:
    types:
    - run-acceptance-tests-command

env:
  PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
  PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
  TF_APPEND_USER_AGENT: pulumi

# This should cancel any previous runs of the same workflow on the same branch which are still running.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  prerequisites:
    if: github.event_name == 'repository_dispatch' ||
      github.event.pull_request.head.repo.full_name == github.repository
    permissions:
      contents: read
      pull-requests: write
      id-token: write # For ESC secrets.
    uses: ./.github/workflows/prerequisites.yml
    secrets: inherit
    with:
      default_branch: ${{ github.event.pull_request.base.ref }}
      is_pr: ${{ github.event_name == 'pull_request' }}
      is_automated: ${{ github.actor == 'dependabot[bot]' }}

  build_provider:
    uses: ./.github/workflows/build_provider.yml
    needs: prerequisites
    secrets: inherit
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    with:
      version: ${{ needs.prerequisites.outputs.version }}
      matrix: |
        {
          "platform": [
            {"os": "linux", "arch": "amd64"},
            {"os": "windows", "arch": "amd64"}
          ]
        }

  build_sdk:
    if: github.event_name == 'repository_dispatch' ||
      github.event.pull_request.head.repo.full_name == github.repository
    name: build_sdk
    needs: prerequisites
    uses: ./.github/workflows/build_sdk.yml
    secrets: inherit
    permissions:
      contents: write # For Renovate SDKs.
      id-token: write # For ESC secrets.
    with:
      version: ${{ needs.prerequisites.outputs.version }}

  comment-notification:
    if: github.event_name == 'repository_dispatch'
    name: comment-notification
    permissions:
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Repo
      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      with:
        persist-credentials: false
    - id: run-url
      name: Create URL to the run output
      run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT"
    - name: Update with Result
      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
      with:
        body: "Please view the PR build: ${{ steps.run-url.outputs.run-url }}"
        issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
        token: ${{ secrets.GITHUB_TOKEN }}
  lint:
    if: github.event_name == 'repository_dispatch' ||
      github.event.pull_request.head.repo.full_name == github.repository
    name: lint
    uses: ./.github/workflows/lint.yml
    secrets: inherit
  sentinel:
    name: sentinel
    if: github.event_name == 'repository_dispatch' ||
      github.event.pull_request.head.repo.full_name == github.repository
    permissions:
      statuses: write
    needs:
    - test
    - build_provider
    - license_check
    - lint
    runs-on: ubuntu-latest
    steps:
    - uses: guibranco/github-status-action-v2@631f55ea0251f0fb284525ad86c30e9f7a8dd284 # v1.1.14
      with:
        authToken: ${{ secrets.GITHUB_TOKEN }}
        # Write an explicit status check called "Sentinel" which will only pass if this code really runs.
        # This should always be a required check for PRs.
        context: 'Sentinel'
        description: 'All required checks passed'
        state: 'success'
        # Write to the PR commit SHA if it's available as we don't want the merge commit sha,
        # otherwise use the current SHA for any other type of build.
        sha: ${{ github.event.pull_request.head.sha || github.sha }}

  test:
    # Don't run tests on PRs from forks.
    if: github.event_name == 'repository_dispatch' ||
      github.event.pull_request.head.repo.full_name == github.repository
    uses: ./.github/workflows/test.yml
    needs:
      - prerequisites
      - build_provider
      - build_sdk
    permissions:
      contents: read
      id-token: write
    secrets: inherit
    with:
      version: ${{ needs.prerequisites.outputs.version }}

  license_check:
    name: License Check
    uses: ./.github/workflows/license.yml
    secrets: inherit