name: Compare Sizes

##########################################################################################
# WARNING! This workflow uses the 'pull_request_target' event. That mans that it will    #
# always run in the context of the main actualbudget/actual repo, even if the PR is from #
# a fork. This is necessary to get access to a GitHub token that can post a comment on   #
# the PR. Be VERY CAREFUL about adding things to this workflow, since forks can inject   #
# arbitrary code into their branch, and can pollute the artifacts we download. Arbitrary #
# code execution in this workflow could lead to a compromise of the main repo.           #
##########################################################################################
# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests    #
##########################################################################################

on:
  pull_request_target:

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  compare:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - name: Wait for ${{github.base_ref}} build to succeed
        uses: fountainhead/action-wait-for-check@v1.1.0
        id: master-build
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          checkName: web
          ref: ${{github.base_ref}}

      - name: Wait for PR build to succeed
        uses: fountainhead/action-wait-for-check@v1.1.0
        id: wait-for-build
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          checkName: web
          ref: ${{github.event.pull_request.head.sha}}

      - name: Report build failure
        if: steps.wait-for-build.outputs.conclusion == 'failure'
        run: |
          echo "Build failed on PR branch or ${{github.base_ref}}"
          exit 1
      - name: Download build artifact from ${{github.base_ref}}
        uses: dawidd6/action-download-artifact@v2
        id: pr-build
        with:
          branch: ${{github.base_ref}}
          workflow: build.yml
          name: build-stats
          path: base

      - name: Download build artifact from PR
        uses: dawidd6/action-download-artifact@v2
        with:
          pr: ${{github.event.pull_request.number}}
          workflow: build.yml
          name: build-stats
          path: head

      - name: Strip content hashes from stats files
        run: |
          sed -i -E 's/\.[0-9a-f]{8,}\././g' ./head/*.json
          sed -i -E 's/\.[0-9a-f]{8,}\././g' ./base/*.json
      - uses: github/webpack-bundlesize-compare-action@v1.8.2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          current-stats-json-path: ./head/desktop-client-stats.json
          base-stats-json-path: ./base/desktop-client-stats.json
          title: desktop-client

      - uses: github/webpack-bundlesize-compare-action@v1.8.2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          current-stats-json-path: ./head/loot-core-stats.json
          base-stats-json-path: ./base/loot-core-stats.json
          title: loot-core