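# Labels pull requests by running .github/scripts/auto-label-pr/index.js
# with a GitHub App token scoped to the permissions listed below.
name: Auto Label PR

on:
  # Runs only on pull_request_target because the job needs access to an App token.
  # This means PRs from forks will not be able to alter this workflow to get the tokens.
  pull_request_target:
    types: [labeled, opened, reopened, synchronize, edited]

# All PR/label/review writes are performed with the App token minted below,
# so the workflow's GITHUB_TOKEN only needs read access for checkout.
permissions:
  contents: read # actions/checkout reads the workflow source

env:
  SMALL_PR_THRESHOLD: 30
  MEDIUM_PR_THRESHOLD: 100
  MAX_LABELS: 15
  TOO_BIG_THRESHOLD: 1000
  COMPONENT_LABEL_THRESHOLD: 10

jobs:
  label:
    runs-on: ubuntu-latest
    # Skip closed PRs, and skip 'labeled' events sent by a Bot account.
    if: >-
      github.event.pull_request.state == 'open' &&
      (github.event.action != 'labeled' || github.event.sender.type != 'Bot')
    steps:
      # No `ref:` is set, so on pull_request_target this checks out the base
      # branch and the script below is the trusted copy. Do not point this
      # step at the PR head: the App private key is in scope in this job.
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # Do not keep the GITHUB_TOKEN available to later git commands;
          # the labeling step talks to the API with the App token instead.
          # NOTE(review): index.js is not visible here - confirm it runs no
          # authenticated git commands before merging this hardening.
          persist-credentials: false

      - name: Generate a token
        id: generate-token
        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        with:
          client-id: ${{ vars.ESPHOME_GITHUB_APP_CLIENT_ID }}
          private-key: ${{ secrets.ESPHOME_GITHUB_APP_PRIVATE_KEY }}
          # Scope the minted App token to the minimum needed by auto-label-pr/*.js.
          permission-contents: read # repos.getContent for CODEOWNERS and file lookups in detectors.js
          permission-issues: write # listLabelsOnIssue, addLabels, removeLabel, list/createComment
          permission-pull-requests: write # pulls.listFiles, list/create/update/dismissReview

      - name: Auto Label PR
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          # PR-controlled fields (title, body, file names) arrive through
          # `context` as data. Keep them out of ${{ }} interpolation in this
          # block so they are never spliced into the script text.
          script: |
            const script = require('./.github/scripts/auto-label-pr/index.js');
            await script({ github, context });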