name: PR Label Validation

on:
  pull_request_target: # zizmor: ignore[dangerous-triggers] no attacker inputs are used here
    types: [opened, labeled, unlabeled, synchronize]

permissions: {}

jobs:
  validate-release-label:
    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
    steps:
      - id: token
        uses: immich-app/devtools/actions/create-workflow-token@da177fa133657503ddb7503f8ba53dccefec5da1 # create-workflow-token-action-v1.0.0
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Require PR to have a changelog label
        uses: mheap/github-action-required-labels@8afbe8ae6ab7647d0c9f0cfa7c2f939650d22509 # v5.5.1
        with:
          token: ${{ steps.token.outputs.token }}
          mode: exactly
          count: 1
          use_regex: true
          labels: 'changelog:.*'
          add_comment: true
          message: 'Label error. Requires {{errorString}} {{count}} of: {{ provided }}. Found: {{ applied }}. A maintainer will add the required label.'