---
# Workflow: build-pr
# Runs the e2e suites against pull requests. Jobs that need secrets or an
# OIDC token are only reachable through a labeled `pull_request_target`
# event or a manual dispatch; see the per-job `if:` conditions below.
name: build-pr

on:
  # Fires for ANY label, with base-repository secrets and token; the jobs
  # below narrow it to the 'safe to test' label. Unlike `pull_request`,
  # this trigger is not restricted to PRs targeting `dev`.
  pull_request_target:
    types:
      - labeled
  # Unprivileged run on every PR into dev (fork PRs get no secrets here).
  pull_request:
    branches: [dev]
  workflow_dispatch:

# Workflow-wide default for GITHUB_TOKEN; jobs that need more (id-token)
# declare their own `permissions:` block.
permissions: read-all

jobs:
  call_test_cli:
    # CLI e2e suite. Not label-gated, so it runs on every trigger above,
    # including `pull_request_target` (labeled) runs that carry secrets.
    # NOTE(review): whether e2e-cli.yml checks out the PR head cannot be
    # seen from here — confirm before relying on CODECOV_TOKEN being safe
    # on fork PRs.
    uses: ./.github/workflows/e2e-cli.yml
    secrets:
      # Passed explicitly rather than via `inherit`; keep it that way.
      CODECOV_TOKEN: "${{ secrets.CODECOV_TOKEN }}"

  call_test_e2e_basic:
    name: 'run e2e on basic matrix'
    # Complement of the full-matrix gate: unlabeled, non-dispatch runs only.
    # Kept inside `${{ }}` because a bare leading `!` is a YAML tag.
    if: ${{ !contains(github.event.pull_request.labels.*.name, 'safe to test') && github.event_name != 'workflow_dispatch' }}
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        # Quoted so the versions stay strings (a bare 3.10 would become 3.1).
        KUBERNETES_VERSION:
          - '1.31.2'
        GATEKEEPER_VERSION:
          - '3.18.0'
    uses: ./.github/workflows/e2e-k8s.yml
    with:
      k8s_version: '${{ matrix.KUBERNETES_VERSION }}'
      gatekeeper_version: '${{ matrix.GATEKEEPER_VERSION }}'

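  build_test_e2e_full_conditional:
    name: "run e2e on full test matrix with conditions"
    # Full matrix only once a maintainer has labeled the PR 'safe to test'
    # (evaluated on the labeled pull_request_target event and on later
    # pull_request runs while the label is present) or on manual dispatch.
    if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'workflow_dispatch'
    # Same reusable workflow as call_test_e2e_basic, which runs it with
    # contents: read; match that instead of inheriting workflow-level read-all.
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        KUBERNETES_VERSION: ["1.30.6", "1.31.2"]
        GATEKEEPER_VERSION: ["3.16.0", "3.17.0", "3.18.0"]
    uses: ./.github/workflows/e2e-k8s.yml
    with:
      k8s_version: ${{ matrix.KUBERNETES_VERSION }}
      gatekeeper_version: ${{ matrix.GATEKEEPER_VERSION }}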

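  build_test_aks_e2e_conditional:
    name: "Build and run e2e Test on AKS with conditions"
    # Privileged job: runs with id-token: write and every repository secret,
    # so it is gated on the maintainer-applied 'safe to test' label or a
    # manual dispatch. No `push` trigger is declared in `on:`, so a
    # `github.event_name == 'push'` clause here can never be true; add the
    # trigger first if push runs are wanted. On `pull_request` runs from
    # forks secrets are empty, so this job is only expected to succeed on
    # the labeled pull_request_target event or a dispatch.
    if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'workflow_dispatch'
    permissions:
      id-token: write  # presumably for OIDC login in the called workflow (cf. azure/login below) — confirm
      contents: read
    strategy:
      fail-fast: false
      matrix:
        KUBERNETES_VERSION: ["1.30.6", "1.31.2"]
        GATEKEEPER_VERSION: ["3.16.0", "3.17.0", "3.18.0"]
    uses: ./.github/workflows/e2e-aks.yml
    with:
      k8s_version: ${{ matrix.KUBERNETES_VERSION }}
      gatekeeper_version: ${{ matrix.GATEKEEPER_VERSION }}
    # TODO(review): `inherit` forwards every repository/organisation secret
    # to e2e-aks.yml. Prefer listing the ones it needs (the cleanup job
    # below uses only the three AZURE_* secrets), as call_test_cli does.
    secrets: inherit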

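  aks-test-cleanup:
    needs: ["build_test_aks_e2e_conditional"]
    # The implicit job condition is success(), which would skip cleanup
    # exactly when the AKS run failed and may have left resources behind.
    # Run after failure too, but not when the AKS job was skipped
    # (unlabeled PR) or the workflow was cancelled.
    if: ${{ !cancelled() && needs.build_test_aks_e2e_conditional.result != 'skipped' }}
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # OIDC token consumed by azure/login below
      contents: read
    # Deployment environment; any protection rules configured on it gate
    # this job and the AZURE_* secrets it reads.
    environment: azure-test
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        with:
          egress-policy: audit

      # Default ref: on a pull_request_target run this is the base branch,
      # so the Makefile executed below is the repository's, not the PR's.
      - name: Check out code into the Go module directory
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Set up Go 1.22
        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          go-version: "1.22"

      - name: Az CLI login
        uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: clean up
        # Pass the secret through the environment instead of interpolating
        # it into the script text, so the shell never re-parses its value.
        env:
          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
        run: |
          make e2e-cleanup AZURE_SUBSCRIPTION_ID="$AZURE_SUBSCRIPTION_ID"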