.github/workflows/reusable_export_pr_details.yml

name: Export previously recorded PR

# PROCESS
#
# 1. Fetch PR details previously saved from untrusted location
# 2. Parse details for safety
# 3. Export only what's needed for automation, e.g., PR number, title, body, author, action, whether is merged

# USAGE
#
# see .github/workflows/on_merged_pr.yml and related for full example.
#
# NOTE: meant to be used with workflows that react to a given PR state (labeling, new, merged, etc.)
#       done separately to isolate security practices and make it reusable.


on:
  workflow_call:
    inputs:
      record_pr_workflow_id:
        description: "Record PR workflow execution ID to download PR details"
        required: true
        type: number
      workflow_origin: # see https://github.com/aws-powertools/powertools-lambda-python/issues/1349
        description: "Repository full name for runner integrity"
        required: true
        type: string
    secrets:
      token:
        description: "GitHub Actions temporary and scoped token"
        required: true
    # Map the workflow outputs to job outputs
    outputs:
      prNumber:
        description: "PR Number"
        value: ${{ jobs.export_pr_details.outputs.prNumber }}
      prTitle:
        description: "PR Title"
        value: ${{ jobs.export_pr_details.outputs.prTitle }}
      prBody:
        description: "PR Body as string"
        value: ${{ jobs.export_pr_details.outputs.prBody }}
      prAuthor:
        description: "PR author username"
        value: ${{ jobs.export_pr_details.outputs.prAuthor }}
      prAction:
        description: "PR event action"
        value: ${{ jobs.export_pr_details.outputs.prAction }}
      prIsMerged:
        description: "Whether PR is merged"
        value: ${{ jobs.export_pr_details.outputs.prIsMerged }}
      prLabels:
        description: "PR Labels"
        value: ${{ jobs.export_pr_details.outputs.prLabels }}

permissions:
  contents: read

jobs:
  export_pr_details:
    permissions:
      actions: read  # download PR artifact
    # see https://github.com/aws-powertools/powertools-lambda-python/issues/1349
    if: inputs.workflow_origin == 'aws-powertools/powertools-lambda-python'
    runs-on: ubuntu-latest
    env:
      FILENAME: pr.txt
    # Map the job outputs to step outputs
    outputs:
      prNumber: ${{ steps.prNumber.outputs.prNumber }}
      prTitle: ${{ steps.prTitle.outputs.prTitle }}
      prBody: ${{ steps.prBody.outputs.prBody }}
      prAuthor: ${{ steps.prAuthor.outputs.prAuthor }}
      prAction: ${{ steps.prAction.outputs.prAction }}
      prIsMerged: ${{ steps.prIsMerged.outputs.prIsMerged }}
      prLabels: ${{ steps.prLabels.outputs.prLabels }}
    steps:
      - name: Checkout repository # in case caller workflow doesn't checkout thus failing with file not found
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      - name: "Download previously saved PR"
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        env:
          WORKFLOW_ID: ${{ inputs.record_pr_workflow_id }}
        # For security, we only download artifacts tied to the successful PR recording workflow
        with:
          github-token: ${{ secrets.token }}
          script: |
            const script = require('.github/scripts/download_pr_artifact.js')
            await script({github, context, core})
      # NodeJS standard library doesn't provide ZIP capabilities; use system `unzip` command instead
      - name: "Unzip PR artifact"
        run: unzip pr.zip
      # NOTE: We need separate steps for each mapped output and respective IDs
      # otherwise the parent caller won't see them regardless on how outputs are set.
      - name: "Export Pull Request Number"
        id: prNumber
        run: echo prNumber="$(jq -c '.number' "${FILENAME}")" >> "$GITHUB_OUTPUT"
      - name: "Export Pull Request Title"
        id: prTitle
        run: echo prTitle="$(jq -c '.pull_request.title' "${FILENAME}")" >> "$GITHUB_OUTPUT"
      - name: "Export Pull Request Body"
        id: prBody
        run: echo prBody="$(jq -c '.pull_request.body' "${FILENAME}")" >> "$GITHUB_OUTPUT"
      - name: "Export Pull Request Author"
        id: prAuthor
        run: echo prAuthor="$(jq -c '.pull_request.user.login' "${FILENAME}")" >> "$GITHUB_OUTPUT"
      - name: "Export Pull Request Action"
        id: prAction
        run: echo prAction="$(jq -c '.action' "${FILENAME}")" >> "$GITHUB_OUTPUT"
      - name: "Export Pull Request Merged status"
        id: prIsMerged
        run: echo prIsMerged="$(jq -c '.pull_request.merged' "${FILENAME}")" >> "$GITHUB_OUTPUT"
      - name: "Export Pull Request labels"
        id: prLabels
        run: echo prLabels="$(jq -c '.labels' "${FILENAME}")" >> "$GITHUB_OUTPUT"