name: System file changes

on:
  pull_request_target:
    branches:
      - main
    paths:
      - ".github/workflows/**"
      - ".github/CODEOWNERS"
      - ".github/dependabot.yml"
      - "scripts/**"
      - package.json
      - package-lock.json

# No GITHUB_TOKEN permissions, as we don't use it.
permissions: {}

jobs:
  block:
    # This makes sure it only runs on our origin repo
    # and makes an exception for Dependabot.
    if: github.repository_owner == 'mdn' && github.event.pull_request.user.login != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Block if author/actor is not an admin
        env:
          ACTOR: ${{ github.actor }}
          AUTHOR: ${{ github.event.pull_request.user.login }}
          GH_TOKEN: ${{ github.token }}
        run: |
          # Check author.
          AUTHOR_PERMISSION=$(gh api https://api.github.com/repos/${{ github.repository }}/collaborators/$AUTHOR/permission --jq .permission)

          if [ "$AUTHOR_PERMISSION" != "admin" ]; then
            echo "PR author ($AUTHOR) is not an admin, please ping someone for a review."
            exit 1
          fi

          # Check actor.
          if [ "$ACTOR" != "$AUTHOR" ]; then
            ACTOR_PERMISSION=$(gh api https://api.github.com/repos/${{ github.repository }}/collaborators/$ACTOR/permission --jq .permission)

            if [ "$ACTOR_PERMISSION" != "admin" ]; then
              echo "PR actor ($ACTOR) is not an admin, please ping someone for a review."
              exit 1
            fi
          fi