name: PR Update

# Update permissions to include all necessary ones
permissions:
  contents: read
  pull-requests: read
  actions: read
  checks: write
  id-token: write

on:
  pull_request:
    branches:
      - main
  merge_group:
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  test:
    name: Run Unit Tests
    uses: ./.github/workflows/test.yml
    secrets: inherit

  lint:
    name: Run Linters
    uses: ./.github/workflows/lint.yml
    secrets: inherit

  build:
    name: Build Formbricks-web
    uses: ./.github/workflows/build-web.yml
    secrets: inherit

  e2e-test:
    name: Run E2E Tests
    uses: ./.github/workflows/e2e.yml
    secrets: inherit

  required:
    name: PR Check Summary
    needs: [lint, test, build, e2e-test]
    if: always()
    runs-on: ubuntu-latest
    permissions:
      contents: read
      checks: write
      statuses: write
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481
        with:
          egress-policy: audit
      - name: fail if conditional jobs failed
        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'skipped') || contains(needs.*.result, 'cancelled')
        run: exit 1