name: check-restricted-files

# Author: @ralfhandl
# Issue: https://github.com/OAI/OpenAPI-Specification/issues/3432

# This workflow fails if restricted files are changed in a pull request

on:
  pull_request:
    paths:
      - "versions/*.md"

jobs:
  check-files:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5 # checkout repo content
        with:
          fetch-depth: 0

      - name: Check changed files
        shell: bash
        run: |
          if [[ "${{ github.event.pull_request.head.repo.full_name }}" == "OAI/OpenAPI-Specification" ]] && \
             [[ "${{ github.event.pull_request.base.repo.full_name }}" == "OAI/OpenAPI-Specification" ]]; then

            if [[ "${{ github.event.pull_request.head.ref }}" == "dev-sync-with-main" ]] && \
               [[ "${{ github.event.pull_request.base.ref }}" == "dev" ]]; then
              echo Sync from main to dev via ${{ github.event.pull_request.head.ref }}
              exit 0
            fi

            if [[ "${{ github.event.pull_request.head.ref }}" =~ ^v[0-9]+\.[0-9]+-dev-sync-with-dev$ ]] && \
               [[ "${{ github.event.pull_request.base.ref }}" =~ ^v[0-9]+\.[0-9]+-dev$ ]] && \
               [[ ${{ github.event.pull_request.head.ref }} == ${{ github.event.pull_request.base.ref }}* ]]; then
              echo Sync from dev to ${{ github.event.pull_request.base.ref }} via ${{ github.event.pull_request.head.ref }}
              exit 0
            fi

            if [[ "${{ github.event.pull_request.head.ref }}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+-rel$ ]] && \
               [[ "${{ github.event.pull_request.base.ref }}" == "main" ]]; then
              echo Release from ${{ github.event.pull_request.head.ref }} to main
              exit 0
            fi
          fi

          echo This PR contains changes to files that should not be changed:
          echo
          git diff --compact-summary origin/${{ github.event.pull_request.base.ref }} origin/${{ github.event.pull_request.head.ref }} -- versions/

          exit 1