name: PR Policy

on:
  pull_request:
    branches:
      - master

concurrency:
  group: pr-policy-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  policy:
    runs-on: ubuntu-latest
    timeout-minutes: 10

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 9.15.4
          run_install: false

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Block manual lockfile edits
        if: github.head_ref != 'chore/refresh-lockfile'
        run: |
          changed="$(git diff --name-only "${{ github.event.pull_request.base.sha }}" "${{ github.event.pull_request.head.sha }}")"
          if printf '%s\n' "$changed" | grep -qx 'pnpm-lock.yaml'; then
            echo "Do not commit pnpm-lock.yaml in pull requests. CI owns lockfile updates."
            exit 1
          fi

      - name: Validate dependency resolution when manifests change
        run: |
          changed="$(git diff --name-only "${{ github.event.pull_request.base.sha }}" "${{ github.event.pull_request.head.sha }}")"
          manifest_pattern='(^|/)package\.json$|^pnpm-workspace\.yaml$|^\.npmrc$|^pnpmfile\.(cjs|js|mjs)$'
          if printf '%s\n' "$changed" | grep -Eq "$manifest_pattern"; then
            pnpm install --lockfile-only --ignore-scripts --no-frozen-lockfile
          fi