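---
# Flags pull requests that modify a Gradle lockfile by posting a
# REQUEST_CHANGES review, so a human confirms the private-repo dependency
# sync (update_dependency.sh) was run before the PR can be merged.
name: Request Lockfile Review

# yamllint disable-line rule:truthy
on:
  # pull_request_target runs the workflow definition from the base branch with
  # a token that can write to the PR. That is what allows posting a review on
  # PRs from forks; it is also why this job never checks out or executes
  # PR-controlled content and only reads the PR's file list through the API.
  pull_request_target:
    branches: ["master"]
    types: [opened, synchronize, reopened]

jobs:
  review-lockfiles:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      # We intentionally do NOT use actions/checkout here: under
      # pull_request_target, checking out the PR head would put untrusted code
      # next to the write-capable token. Skipping it also satisfies CodeQL.
      - name: Check files via GitHub API
        id: check_files
        uses: actions/github-script@v7
        with:
          script: |
            const prNumber = context.payload.pull_request.number;

            // Page through the complete file list. listFiles returns at most
            // 100 entries per page, so a single call would silently miss a
            // lockfile that sits beyond the first page of a large PR.
            const files = await github.paginate(github.rest.pulls.listFiles, {
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: prNumber,
              per_page: 100
            });

            // Look for any file **ending** in gradle.lockfile
            const hasLockfile = files.some(file => file.filename.endsWith('gradle.lockfile'));
            core.setOutput('has_lockfile', hasLockfile ? 'true' : 'false');

      # A fresh review is posted on every matching event (including each
      # `synchronize` push); nothing here looks for an existing one.
      - name: Post unresolved review comment
        if: steps.check_files.outputs.has_lockfile == 'true'
        uses: actions/github-script@v7
        with:
          script: |
            await github.rest.pulls.createReview({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.payload.pull_request.number,
              event: 'REQUEST_CHANGES',
              body: `### ⚠️ Attention Required: Lockfile Detected\nThis pull request contains modifications to one or more \`*.lockfile\` files. Please confirm that you have run update_dependency.sh to push new dependencies to the private repo.\n\n_Someone with Admin role must manually dismiss this review before merging._`
            });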