# PR Gate: fails the check on pull requests from outside contributors until the
# "external-approved" label is present on the PR.
name: PR Gate

# pull_request_target evaluates the workflow definition from the base branch, so a
# fork cannot edit this gate inside its own PR. The job below has no checkout step
# and only reads the webhook payload; keep it that way, because building or running
# PR code under this trigger would execute untrusted code with base-repository
# privileges.
on:
  pull_request_target:
    types:
      - opened
      - synchronize
      - reopened
      - labeled

# Read-only token: the script below makes no API calls.
permissions:
  contents: read

jobs:
  org-gate:
    runs-on: ubuntu-latest
    steps:
      - name: Check org membership or approval label
        # NOTE(review): the action is referenced by a mutable tag; pinning it to a
        # full commit SHA would keep a retagged release from changing what runs here.
        uses: actions/github-script@v7
        with:
          script: |
            // Everything the gate needs is already in the webhook payload.
            const { user, author_association: association, labels } =
              context.payload.pull_request;
            const author = user.login;

            // Bot accounts treated like org members. Matching is on the login
            // string only.
            const trustedBots = new Set(['google-labs-jules[bot]']);

            // Associations that pass without a label.
            const trustedAssociations = new Set(['MEMBER', 'OWNER', 'COLLABORATOR']);

            // NOTE(review): the label is read from the payload and stays on the PR
            // across later `synchronize` events, so commits pushed after the label
            // was applied still pass this gate. Confirm that is intended, or pair
            // the gate with a rule that clears the label when new commits arrive.
            const isApproved = () =>
              labels.some(({ name }) => name === 'external-approved');

            if (trustedBots.has(author)) {
              core.info(`${author} is a trusted bot — gate passed`);
            } else if (trustedAssociations.has(association)) {
              core.info(`${author} is ${association} — gate passed`);
            } else if (isApproved()) {
              core.info('external-approved label present — gate passed');
            } else {
              core.setFailed(
                `External PR from ${author} (${association}) requires an org member to add the "external-approved" label before merge.`
              );
            }