name: Automate changeset feedback
on:
  pull_request_target:
    branches: ['master']

permissions:
  pull-requests: write
  actions: none
  checks: none
  contents: none
  deployments: none
  issues: none
  packages: none
  pages: none
  repository-projects: none
  security-events: none
  statuses: none

jobs:
  feedback:
    # prevent running towards forks and version packages
    if: github.repository == 'backstage/backstage' && github.event.pull_request.user.login != 'backstage-service'
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit

      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          # Fetch the commit that's merged into the base rather than the target ref
          # This will let us diff only the contents of the PR, without fetching more history
          ref: 'refs/pull/${{ github.event.pull_request.number }}/merge'
      - name: fetch base
        run: git fetch --depth 1 origin ${{ github.base_ref }}
      - uses: backstage/actions/changeset-feedback@a674369920067381b450d398b27df7039b7ef635 # v0.6.5
        name: Generate feedback
        with:
          diff-ref: 'origin/master'
          marker: <!-- changeset-feedback -->
          issue-number: ${{ github.event.pull_request.number }}
          bot-username: backstage-goalie[bot]
          app-id: ${{ secrets.BACKSTAGE_GOALIE_APPLICATION_ID }}
          private-key: ${{ secrets.BACKSTAGE_GOALIE_PRIVATE_KEY }}
          installation-id: ${{ secrets.BACKSTAGE_GOALIE_INSTALLATION_ID }}