name: Process Pull Request

on:
  pull_request_target:

jobs:
  build:
    # Forbid access to secrets nor GH Token perms while building the PR
    permissions: {}
    secrets: {}
    uses: ./.github/workflows/build-remote.yml
    with:
      repository: ${{ github.event.pull_request.head.repo.full_name }}
      ref: ${{ github.event.pull_request.head.sha }}
  preview:
    needs: [build]
    if: >-
      contains(github.event.pull_request.labels.*.name, 'PR: Needs Testing')
    # Allow access to secrets if we are uploading a preview
    secrets: inherit
    uses: ./.github/workflows/preview.yml
    with:
      build: ${{ github.run_number }}
      version: pr.${{ github.event.pull_request.number }}