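# Checks what a workflow triggered by a pull request is allowed to do:
# whether secrets are present and which write operations the automatic
# token permits, for PRs from the same repository and from forks.
on:
  pull_request:
  # Per the `secrets` step below, this event is expected to carry secrets
  # for every PR, forks included. Values taken from the pull request are
  # therefore untrusted input to a job that holds secrets.
  pull_request_target:
    types:
      - opened
      - synchronize

jobs:
  test:
    runs-on: docker
    container:
      image: code.forgejo.org/oci/debian:bookworm
      # NOTE(review): bind-mounts a directory from outside the container;
      # the `save event` step writes into it, so a PR-triggered job gets
      # write access to that directory. Confirm it holds nothing else.
      options: "--volume /srv/example-pull-request:/srv/example-pull-request"

    steps:
      # Asserts that $GITHUB_TOKEN, env.GITHUB_TOKEN and github.token agree,
      # installs curl and git, then logs in to the API with the token.
      # NOTE(review): `set -x` traces every expanded command, including the
      # ones carrying the token; this relies on the runner masking the value
      # in logs - confirm.
      # NOTE(review): forgejo-curl.sh is fetched from the moving `main`
      # branch without an integrity check; pin it to a tag or commit and
      # verify a checksum before making it executable.
      # `-f` makes curl fail on an HTTP error instead of saving the error
      # page as the script that is then marked executable and run.
      - name: setup
        shell: bash
        run: |
          set -x
          test $GITHUB_TOKEN = ${{ env.GITHUB_TOKEN }}
          test $GITHUB_TOKEN = ${{ github.token }}
          export DEBIAN_FRONTEND=noninteractive ; apt-get -qq update ; apt-get install -y -qq curl git >& /dev/null
          curl -sSf -o /usr/local/bin/forgejo-curl.sh https://code.forgejo.org/forgejo/forgejo-curl/raw/branch/main/forgejo-curl.sh && chmod +x /usr/local/bin/forgejo-curl.sh
          forgejo-curl.sh --token "$GITHUB_TOKEN" login $GITHUB_SERVER_URL
          forgejo-curl.sh api_json $GITHUB_SERVER_URL/api/v1/user

      # Asserts the secret is set for pull_request_target and for same-repo
      # pull_request events, and empty for pull_request events from a fork.
      # The repository names come from the pull request, so they are passed
      # through `env` and quoted rather than expanded into the script text:
      # a crafted name then stays data and cannot become shell syntax.
      - name: secrets
        shell: bash
        env:
          BASE_REPO: ${{ github.event.pull_request.base.repo.full_name }}
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
        run: |
          set -x
          if test "$BASE_REPO" = "$HEAD_REPO" ; then
            forked=false
          else
            forked=true
          fi
          case $GITHUB_EVENT_NAME in
            pull_request_target)
              #
              # all PRs: secrets
              #
              test "${{ secrets.SECRET }}"
              ;;
            pull_request)
              if $forked ; then
                #
                # PRs from forked repositories: no secrets
                #
                test -z "${{ secrets.SECRET }}"
              else
                #
                # PRs from the same repository: secrets
                #
                test "${{ secrets.SECRET }}"
              fi
              ;;
            *)
              echo unexpected event $GITHUB_EVENT_NAME
              false
              ;;
          esac

      # Exercises the token against the base repository: creating an issue,
      # pushing a branch over HTTP, opening a PR, creating a label and
      # creating a branch through the API. assert_fail_if_forked expects the
      # wrapped command to succeed for same-repo PRs and to fail for forks.
      # NOTE(review): the token is embedded in the clone URL, so git keeps it
      # in base/.git/config as the remote URL and the `set -x` trace shows
      # it; keep this pattern confined to disposable test containers.
      - name: PR TOKEN scopes
        shell: bash
        env:
          BASE_REPO: ${{ github.event.pull_request.base.repo.full_name }}
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
        run: |
          set -x
          if test "$BASE_REPO" = "$HEAD_REPO" ; then
            forked=false
          else
            forked=true
          fi
          function assert_fail_if_forked() {
            if "$@" ; then
              ! $forked
            else
              $forked
            fi
          }
          #
          # create an issue
          #
          base_repo="$BASE_REPO"
          forgejo-curl.sh api_json --data-raw '{"title":"ISSUE"}' "$GITHUB_SERVER_URL/api/v1/repos/$base_repo/issues"
          url=$(echo $GITHUB_SERVER_URL | sed -e "s|://|://$GITHUB_TOKEN@|")
          git clone "$url/$base_repo" base
          branch=B$RANDOM
          (
            cd base
            git checkout -b $branch
            git config user.email root@example.com
            git config user.name username
            echo CHANGE >> README
            git add .
            git commit -m 'change'
            case $GITHUB_EVENT_NAME in
              pull_request_target|pull_request)
                #
                # repository write scope via http git passthrough
                #
                assert_fail_if_forked git push --force -u origin $branch
                #
                # repository write scope via the API
                #
                assert_fail_if_forked forgejo-curl.sh api_json --data-raw '{"title":"PR","base":"main","head":"'$branch'"}' "$GITHUB_SERVER_URL/api/v1/repos/$base_repo/pulls"
                assert_fail_if_forked forgejo-curl.sh api_json --data-raw '{"color":"#ffffff","name":"labelname"}' "$GITHUB_SERVER_URL/api/v1/repos/$base_repo/labels"
                #
                # See https://codeberg.org/forgejo/forgejo/issues/1525
                #
                ! forgejo-curl.sh api_json --data-raw '{"new_branch_name":"B'$RANDOM'"}' "$GITHUB_SERVER_URL/api/v1/repos/$base_repo/branches"
                ;;
              *)
                echo unexpected event $GITHUB_EVENT_NAME
                false
                ;;
            esac
          )

      # Writes a file named `event` under the bind-mounted directory, in a
      # sub-directory keyed by head repository owner, event name and action.
      # What gets written to the file is not visible here.
      # The owner name is chosen by whoever opened the PR, so it goes through
      # `env` and every use of the path is quoted.
      # NOTE(review): nothing here rejects `/` or `..` in the owner name;
      # this relies on the forge's own username rules - confirm.
      - name: save event
        env:
          HEAD_OWNER: ${{ github.event.pull_request.head.repo.owner.username }}
          EVENT_ACTION: ${{ github.event.action }}
        run: |
          d="/srv/example-pull-request/$HEAD_OWNER/$GITHUB_EVENT_NAME/$EVENT_ACTION"
          mkdir -p "$d"
          cat > "$d/event" <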