name: Generate Artifacts on PR if 'Build' label exists
run-name: "Generate artifacts - PR #${{ github.event.pull_request.number }} - by @${{ github.actor }}"
#
# If PR is labeled with "Build" and you are a member of "Release manager" team it will start a build train (additional security feature).
# In the run name, ${{ github.actor }} shows who's privileges are used for this run.
#

on: pull_request_target

jobs:
  Check:
    permissions:
      pull-requests: read

    name: Check label and authorization  
    runs-on: Linux
    outputs:
      member: ${{ steps.checkUserMember.outputs.isTeamMember }}
    steps:
      - uses: tspascoal/get-user-teams-membership@v3
        if: contains(github.event.pull_request.labels.*.name, 'Build')
        id: checkUserMember
        with:
          username: ${{ github.actor }}
          organization: armbian
          team: "Release manager"
          GITHUB_TOKEN: ${{ secrets.ORG_MEMBERS }}

  Compile:
    needs: Check
    name: Generate artifacts
    concurrency:
      group: pipeline-pr-${{github.event.pull_request.number}}
      cancel-in-progress: true
    if: ${{ github.repository_owner == 'Armbian' && needs.Check.outputs.member == 'true' }}
    uses: armbian/os/.github/workflows/complete-artifact-matrix-all.yml@main
    secrets:
      ORG_MEMBERS: ${{ secrets.ORG_MEMBERS }}
    with:
      extraParamsAllBuilds: "UPLOAD_TO_OCI_ONLY=no"
      ref: ${{ github.event.pull_request.head.sha }}