name: Command

# NB: **ALL** commands should be permissionless and only use an app token or relevant secrets
#   specific to their requirements!
permissions:
  contents: read

on:
  issue_comment:
    types:
    - created

env:
  CI_DEBUG: ${{ vars.CI_DEBUG }}


jobs:
  # For speed and _security_ only a single command (first matching) will be parsed/run from a comment
  command:
    name: Parse and run command
    runs-on: ubuntu-22.04
    if: >-
      ${{
         github.event.issue.pull_request
         && (vars.ENVOY_CI
             || github.repository == 'envoyproxy/envoy')
         && github.actor != 'repokitteh-read-only[bot]'
         && github.actor != 'dependabot[bot]'
      }}
    steps:
    - uses: envoyproxy/toolshed/gh-actions/github/command@actions-v0.2.35
      name: Parse command from comment
      id: command
      with:
        text: ${{ github.event.comment.body }}
        matching: >-
          ^/(retest)

    # /retest
    - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.2.35
      if: ${{ steps.command.outputs.command == 'retest' }}
      id: appauth-retest
      name: Appauth (retest)
      with:
        key: ${{ secrets.ENVOY_CI_APP_KEY }}
        app_id: ${{ secrets.ENVOY_CI_APP_ID }}
    - uses: envoyproxy/toolshed/gh-actions/retest@actions-v0.2.35
      if: ${{ steps.command.outputs.command == 'retest' }}
      name: Retest
      with:
        token: ${{ steps.appauth-retest.outputs.token }}
        azp_org: cncf
        azp_token: ${{ secrets.AZP_TOKEN }}
        comment-id: ${{ github.event.comment.id }}
        pr-url: ${{ github.event.issue.pull_request.url }}
        args: ${{ steps.command.outputs.args }}
        app-owner: ci-envoy