name: Pull Request Checks

on:
  pull_request:
    branches: ["main"]
  merge_group:
    branches: ["main"]

permissions:
  security-events: write
  contents: read
  actions: read

jobs:
  lint-js:
    name: Lint JavaScript/TypeScript
    uses: ./.github/workflows/lint-js.yml
    secrets: inherit
    permissions:
      contents: read

  lint-rust:
    name: Lint Rust
    uses: ./.github/workflows/lint-rs.yml
    secrets: inherit
    permissions:
      contents: read

  security-scan:
    name: Security Vulnerability Scan
    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5
    with:
      scan-args: |-
        -r
        --skip-git
        --lockfile=pnpm-lock.yaml
        --lockfile=src-tauri/Cargo.lock
        ./

  sync-e2e:
    name: Sync E2E Tests
    uses: ./.github/workflows/sync-e2e.yml
    secrets: inherit
    permissions:
      contents: read

  pr-status:
    name: PR Status Check
    runs-on: ubuntu-latest
    needs: [lint-js, lint-rust, security-scan, sync-e2e]
    if: always()
    steps:
      - name: Check all jobs succeeded
        run: |
          if [[ "${{ needs.lint-js.result }}" != "success" || "${{ needs.lint-rust.result }}" != "success" || "${{ needs.security-scan.result }}" != "success" ]]; then
            echo "One or more checks failed"
            exit 1
          fi
          # sync-e2e is optional (only runs when sync-related files change)
          if [[ "${{ needs.sync-e2e.result }}" == "failure" ]]; then
            echo "Sync E2E tests failed"
            exit 1
          fi
          echo "All checks passed!"