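# PR Gate: fails the check for pull requests from outside contributors until a
# maintainer applies the "external-approved" label.
#
# NOTE(review): this only blocks merging if the "org-gate" check is configured
# as a required status check on the protected branch. That setting is not
# visible from this file, so confirm it in the repository settings.
name: PR Gate

on:
  # pull_request_target runs in the context of the base repository, so a fork
  # cannot alter the gate by editing this workflow in its PR. The job must
  # therefore never check out or execute code from the PR head; it only
  # inspects the event payload.
  pull_request_target:
    # "unlabeled" is included so that removing the approval label re-runs the
    # gate. Without it, a revoked approval would leave the previous passing
    # check in place.
    types: [opened, synchronize, reopened, labeled, unlabeled]

# Read-only token: the script reads the event payload and makes no API writes.
permissions:
  contents: read
  pull-requests: read

jobs:
  org-gate:
    runs-on: ubuntu-latest
    steps:
      - name: Check org membership or approval label
        # NOTE(review): a version tag is a mutable reference. Pinning to a full
        # commit SHA is the usual supply-chain hardening for third-party actions.
        uses: actions/github-script@v7
        with:
          script: |
            const author = context.payload.pull_request.user.login;
            const association = context.payload.pull_request.author_association;

            // Trusted accounts, matched by login.
            // NOTE(review): a user login can be renamed and the old name later
            // claimed by someone else. Matching on the numeric
            // `pull_request.user.id` would be more robust for user accounts.
            const trustedAuthors = ['google-labs-jules[bot]', 'Snider'];
            if (trustedAuthors.includes(author)) {
              core.info(`${author} is trusted — gate passed`);
              return;
            }

            // Check author association as reported by GitHub in the payload.
            // COLLABORATOR also covers outside collaborators invited to this
            // repository, not only organization members.
            const trustedAssociations = ['MEMBER', 'OWNER', 'COLLABORATOR'];
            if (trustedAssociations.includes(association)) {
              core.info(`${author} is ${association} — gate passed`);
              return;
            }

            // Check for external-approved label. Applying labels requires
            // triage permission or higher, so the label acts as the
            // maintainer's sign-off.
            // NOTE(review): the label is attached to the PR, not to a commit.
            // Commits pushed after approval ("synchronize") still pass this
            // gate, so re-review after new pushes is a process requirement.
            const labels = context.payload.pull_request.labels.map((label) => label.name);
            if (labels.includes('external-approved')) {
              core.info('external-approved label present — gate passed');
              return;
            }

            core.setFailed(
              `External PR from ${author} requires an org member to add the "external-approved" label before merge.`
            );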