name: Add QA labels to Fleet issues
on:
  # Trigger choice: pull_request_target runs the workflow definition already merged into the target branch, never
  # the copy carried by the PR, and hands it a read/write GITHUB_TOKEN even when the PR comes from a fork.
  # A contributor therefore cannot edit this file in a PR to retrieve secrets.
  # That guarantee only holds while no step checks out or otherwise executes content from the PR, so this workflow
  # must never run a checkout action.
  # Background reading:
  # - https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/
  # - https://nathandavison.com/blog/github-actions-and-the-threat-of-malicious-pull-requests
  pull_request_target:
    # Fires when a PR is closed; the jobs below additionally require that it was merged.
    types: [closed]

jobs:
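  # Collects, as JSON arrays, the node ids of the issues closed by the merged PR and the node ids of the labels to
  # apply to them, and exposes both as job outputs for the label_issues job.
  fetch_issues_to_label:
    runs-on: ubuntu-latest
    # Least privilege: this job only reads the PR and its closing issues through the GraphQL API. Without an
    # explicit block, pull_request_target would hand every step a read/write token.
    permissions:
      issues: read
      pull-requests: read
    # Only run on PRs that were merged for the Fleet team
    if: |
      github.event.pull_request.merged_at &&
      contains(github.event.pull_request.labels.*.name, 'Team:Fleet')
    outputs:
      # JSON array of issue node ids
      issue_ids: ${{ steps.issues_to_label.outputs.value }}
      # JSON array of label node ids
      label_ids: ${{ steps.label_ids.outputs.value }}
    steps:
      # Fetch up to 10 issues the PR closes, each with up to 20 of its labels.
      # NOTE(review): third-party action referenced by a mutable tag (v2.x); pinning it to a full commit SHA would
      # keep a retagged release from running with this job's token.
      - uses: octokit/graphql-action@v2.x
        id: closing_issues
        with:
          query: |
            query closingIssueNumbersQuery($prnumber: Int!) {
              repository(owner: "elastic", name: "kibana") {
                pullRequest(number: $prnumber) {
                  closingIssuesReferences(first: 10) {
                    nodes {
                      id
                      labels(first: 20) {
                        nodes {
                          id
                          name
                        }
                      }
                    }
                  }
                }
              }
            }
          # Value for the $prnumber variable declared in the query above
          prnumber: ${{ github.event.number }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # NOTE(review): third-party action referenced by a mutable tag (v2); consider pinning to a full commit SHA.
      - uses: sergeysova/jq-action@v2
        id: issues_to_label
        with:
          # Map to the issues' node id.
          # The variable is quoted and written with printf so the JSON reaches jq byte-for-byte: an unquoted
          # expansion is word-split and glob-expanded by the shell before jq ever sees it.
          cmd: printf '%s' "$CLOSING_ISSUES" | jq -c '.repository.pullRequest.closingIssuesReferences.nodes | map(.id)'
          multiline: true
        env:
          # Passed through the environment rather than interpolated into the command text, so the API response is
          # handled as data by the shell.
          CLOSING_ISSUES: ${{ steps.closing_issues.outputs.data }}
      # NOTE(review): third-party action referenced by a mutable tag (v2); consider pinning to a full commit SHA.
      - uses: sergeysova/jq-action@v2
        id: label_ids
        with:
          # Get list of version labels on pull request and map to label's node id, append 'QA:Ready For Testing' id
          # ("MDU6TGFiZWwyNTQ1NjcwOTI4").
          # test() is unanchored, so any label whose name contains a vX.Y.Z substring is selected.
          # Quoted expansion + printf for the same reason as above: label fields may contain whitespace runs or
          # glob characters that an unquoted expansion would rewrite.
          cmd: printf '%s' "$PR_LABELS" | jq -c 'map(select(.name | test("v[0-9]+\\.[0-9]+\\.[0-9]+")) | .node_id) + ["MDU6TGFiZWwyNTQ1NjcwOTI4"]'
          multiline: true
        env:
          # The PR's label objects, serialized to JSON and handed over via the environment (not inlined in cmd).
          PR_LABELS: ${{ toJSON(github.event.pull_request.labels) }}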

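  # Applies each collected label to each issue closed by the PR, one matrix job per (issue, label) pair.
  label_issues:
    needs: fetch_issues_to_label
    runs-on: ubuntu-latest
    # Least privilege: the only API call in this job is the addLabelsToLabelable mutation on issues. Without an
    # explicit block, pull_request_target would hand the step a token with write access to every scope.
    permissions:
      issues: write

    # Skip the job when there is nothing to label.
    # NOTE(review): confirm that the Actions expression engine evaluates `.length` on a fromJSON() array as
    # intended; if it resolves to null, this condition is always false and the job never runs.
    if: |
      fromJSON(needs.fetch_issues_to_label.outputs.issue_ids).length > 0 &&
      fromJSON(needs.fetch_issues_to_label.outputs.label_ids).length > 0
    strategy:
      # For each issue closed by the PR x each label to apply, run this job
      matrix:
        issueId: ${{ fromJSON(needs.fetch_issues_to_label.outputs.issue_ids) }}
        labelId: ${{ fromJSON(needs.fetch_issues_to_label.outputs.label_ids) }}

    name: Label issue ${{ matrix.issueId }} with ${{ matrix.labelId }}
    steps:
      # NOTE(review): third-party action referenced by a mutable tag (v2.x); pinning it to a full commit SHA would
      # keep a retagged release from running with this job's write-capable token.
      - uses: octokit/graphql-action@v2.x
        id: add_labels_to_closed_issue
        with:
          query: |
            mutation add_label($issueid: ID!, $labelid:ID!) {
              addLabelsToLabelable(input: {labelableId: $issueid, labelIds: [$labelid]}) {
                clientMutationId
              }
            }
          # Values for the $issueid / $labelid variables declared in the mutation; both are node ids produced by
          # the previous job and are passed as GraphQL variables rather than spliced into the query text.
          issueid: ${{ matrix.issueId }}
          labelid: ${{ matrix.labelId }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}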