name: Auto response

on:
  issues:
    types: [opened, edited, labeled]
  issue_comment:
    types: [created]
  pull_request_target: # zizmor: ignore[dangerous-triggers] maintainer-owned label automation; trusted base checkout only, no untrusted PR code execution
    types: [opened, edited, synchronize, reopened, labeled]

env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref || github.run_id }}
  cancel-in-progress: ${{ github.event_name == 'pull_request_target' }}

permissions: {}

jobs:
  auto-response:
    permissions:
      contents: read
      issues: write
      pull-requests: write
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.sha }}
          persist-credentials: false
      - uses: actions/create-github-app-token@v3
        id: app-token
        continue-on-error: true
        with:
          app-id: "2729701"
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - uses: actions/create-github-app-token@v3
        id: app-token-fallback
        if: steps.app-token.outcome == 'failure'
        with:
          app-id: "2971289"
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY_FALLBACK }}
      - name: Run Barnacle auto-response
        uses: actions/github-script@v9
        with:
          github-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
          script: |
            const { pathToFileURL } = require("node:url");
            const moduleUrl = pathToFileURL(
              `${process.env.GITHUB_WORKSPACE}/scripts/github/barnacle-auto-response.mjs`,
            );
            const { runBarnacleAutoResponse } = await import(moduleUrl.href);

            await runBarnacleAutoResponse({ github, context, core });