##########################################################################################
# WARNING! This workflow uses the 'pull_request_target' event. That mans that it will    #
# always run in the context of the main actualbudget/actual repo, even if the PR is from #
# a fork. This is necessary to get access to a GitHub token that can modify the PR.      #
# Be VERY CAREFUL about adding things to this workflow, since forks can inject           #
# arbitrary code into their branch, and can pollute the artifacts we download. Arbitrary #
# code execution in this workflow could lead to a compromise of the main repo.           #
##########################################################################################
# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests    #
##########################################################################################

name: Trafico Reviews

on:
  pull_request_target:
    types:
     - opened
     - closed
     - reopened
     - synchronize
     - edited
     - review_requested
     - review_request_removed
  pull_request_review:
    types: [submitted, edited, dismissed]

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  manage-review:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actualbudget/trafico@main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}