name: Handle completed feature requests

##########################################################################################
# WARNING! This workflow uses the 'pull_request_target' event. That mans that it will    #
# always run in the context of the main actualbudget/actual repo, even if the PR is from #
# a fork. This is necessary to get access to a GitHub token that can post a comment on   #
# the PR. Be VERY CAREFUL about adding things to this workflow, since forks can inject   #
# arbitrary code into their branch, and can pollute the artifacts we download. Arbitrary #
# code execution in this workflow could lead to a compromise of the main repo.           #
##########################################################################################
# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests    #
##########################################################################################

on:
  pull_request_target:
    types: [closed]

permissions:
  issues: write

jobs:
  handle-feature-requests:
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    steps:
      # This is not a security concern because we have approved & merged the PR
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '19'
      - name: Handle feature requests
        run: node .github/actions/handle-feature-requests.js
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}