name: Prevent engineering system changes in PRs

on: pull_request
permissions: {}

jobs:
  main:
    name: Prevent engineering system changes in PRs
    runs-on: ubuntu-latest
    steps:
      - name: Get file changes
        uses: trilom/file-changes-action@a6ca26c14274c33b15e6499323aac178af06ad4b # v1.2.4
        id: file_changes
      - name: Check if engineering systems were modified
        id: engineering_systems_check
        run: |
          if cat $HOME/files.json | jq -e 'any(test("^\\.github\\/workflows\\/|^build\\/|package\\.json$"))' > /dev/null; then
            echo "engineering_systems_modified=true" >> $GITHUB_OUTPUT
            echo "Engineering systems were modified in this PR"
          else
            echo "engineering_systems_modified=false" >> $GITHUB_OUTPUT
            echo "No engineering systems were modified in this PR"
          fi
      - name: Prevent Copilot from modifying engineering systems
        if: ${{ steps.engineering_systems_check.outputs.engineering_systems_modified == 'true' && github.event.pull_request.user.login == 'Copilot' }}
        run: |
          echo "Copilot is not allowed to modify .github/workflows, build folder files, or package.json files."
          echo "If you need to update engineering systems, please do so manually or through authorized means."
          exit 1
      - uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0
        id: get_permissions
        if: ${{ steps.engineering_systems_check.outputs.engineering_systems_modified == 'true' && github.event.pull_request.user.login != 'Copilot' }}
        with:
          route: GET /repos/microsoft/vscode/collaborators/${{ github.event.pull_request.user.login }}/permission
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Set control output variable
        id: control
        if: ${{ steps.engineering_systems_check.outputs.engineering_systems_modified == 'true' && github.event.pull_request.user.login != 'Copilot' }}
        run: |
          echo "user: ${{ github.event.pull_request.user.login }}"
          echo "role: ${{ fromJson(steps.get_permissions.outputs.data).permission }}"
          echo "is dependabot: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}"
          echo "should_run: ${{ !contains(fromJson('["admin", "maintain", "write"]'), fromJson(steps.get_permissions.outputs.data).permission) }}"
          echo "should_run=${{ !contains(fromJson('["admin", "maintain", "write"]'), fromJson(steps.get_permissions.outputs.data).permission) && github.event.pull_request.user.login != 'dependabot[bot]' }}" >> $GITHUB_OUTPUT
      - name: Check for engineering system changes
        if: ${{ steps.engineering_systems_check.outputs.engineering_systems_modified == 'true' && steps.control.outputs.should_run == 'true' }}
        run: |
          echo "Changes to .github/workflows/, build/ folder files, or package.json files aren't allowed in PRs."
          exit 1