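# Release gate: fails the check on a release PR (head branch `release/v*`)
# unless it was opened by github-actions[bot] and its reviewers' latest reviews
# include at least two approvals. Non-release PRs exit 0 so the check stays
# green for them. NOTE(review): the job only reports a status; whether it
# actually blocks a merge depends on branch protection requiring this check,
# which is not visible here — confirm.
name: Release gate

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader reads it as the
# trigger map. The check re-runs on every push to the PR (synchronize) and on
# every review submission/dismissal so the count reflects the current reviews.
on:
  pull_request:
    types: [opened, synchronize, reopened]
  pull_request_review:
    types: [submitted, dismissed]

# Least privilege: listing reviews is all the gate needs.
permissions:
  pull-requests: read

jobs:
  release-gate:
    name: Release gate
    runs-on: ubuntu-latest
    steps:
      - name: Check release PR requirements
        # Event data reaches the script via env, not `${{ }}` interpolation in
        # the script body, so branch names and logins cannot inject shell.
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPO: ${{ github.repository }}
        run: |
          if [[ "$HEAD_REF" != release/v* ]]; then
            echo "Not a release PR, skipping"
            exit 0
          fi

          # NOTE(review): any workflow in this repo that opens a PR with
          # GITHUB_TOKEN shows up as github-actions[bot], so this proves
          # "opened by a repo workflow", not specifically "opened by the
          # publish workflow" — confirm that is an acceptable bound.
          if [ "$PR_AUTHOR" != "github-actions[bot]" ]; then
            echo "::error::Release PRs must be created by the publish workflow, not by '$PR_AUTHOR'"
            exit 1
          fi

          # The reviews endpoint is paginated (30 per page by default). Without
          # --paginate a PR with many reviews would be judged on its first page
          # only, so a later CHANGES_REQUESTED or DISMISSED review could be
          # missed and a stale approval counted. `--paginate` without `--jq`
          # emits one JSON array per page; `jq -s add` concatenates them before
          # the filter runs (with `--jq`, gh would apply the filter per page and
          # print one count per page, which `-lt` cannot compare).
          # Each reviewer's most recent review (by submitted_at) decides whether
          # they count. A later COMMENTED review supersedes an earlier APPROVED
          # one here, which is stricter than GitHub's own approval semantics.
          # NOTE(review): approvals given on an earlier commit still count —
          # rely on "dismiss stale approvals" in branch protection, or filter
          # reviews by commit_id against the head SHA; confirm which is intended.
          approvals=$(gh api --paginate "repos/$REPO/pulls/$PR_NUMBER/reviews" \
            | jq -s 'add | [group_by(.user.login)[] | sort_by(.submitted_at) | last | select(.state == "APPROVED") | .user.login] | length')
          echo "Approvals: $approvals"
          # An empty/non-numeric $approvals makes `-lt` error out, so an API
          # failure fails closed rather than passing the gate.
          if [ "$approvals" -lt 2 ]; then
            echo "::error::Release PRs require at least 2 approvals (got $approvals)"
            exit 1
          fi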
