name: Coverage Comment

# Posts the coverage-debt suggestion comment produced by the Performance Check
# gate in the Deno Workflow. That gate runs on `pull_request`, where fork PRs
# only get a read-only token, so it cannot comment directly — it uploads the
# comment as the `coverage-comment` artifact instead. This workflow runs in the
# base-repo context (trusted, default-branch code) with a write token and posts
# it, which is why it works for forks too.

on:
  workflow_run:
    workflows: ["Deno Workflow"]
    types:
      - completed

permissions:
  contents: read
  actions: read
  issues: write
  pull-requests: write

jobs:
  post-coverage-comment:
    name: "Post Coverage Comment"
    # Runs on both outcomes of a PR run: a failed run may carry a coverage
    # regression to post, and a passing run may need to update an earlier
    # regression comment to its resolved state. Other conclusions (cancelled,
    # skipped) carry nothing to do.
    if: >-
      github.event.workflow_run.event == 'pull_request' &&
      (github.event.workflow_run.conclusion == 'failure' ||
      github.event.workflow_run.conclusion == 'success')
    runs-on: ubuntu-latest
    steps:
      - name: 📥 Checkout repository
        uses: actions/checkout@v7

      - name: 🦕 Setup Deno
        uses: ./.github/actions/deno-setup
        with:
          cache: false

      - name: 📥 Download coverage comment artifact
        continue-on-error: true
        uses: actions/download-artifact@v8
        with:
          name: coverage-comment
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: 💬 Post coverage comment
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: deno run --allow-net --allow-env --allow-read tasks/post-coverage-comment.ts