name: Label PR for CI

on:
  pull_request_target:
    types: [opened, reopened]

# This permission is still needed for the 'check-user-permission' action,
# which uses the default GITHUB_TOKEN to verify the actor's permissions.
permissions:
  pull-requests: read
  members: read

jobs:
  labeler:
    runs-on: ubuntu-latest
    steps:
      - name: Check user permission
        id: checkAccess
        uses: actions-cool/check-user-permission@v2
        with:
          require: write
          username: ${{ github.triggering_actor }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Add run-ci label
        if: steps.checkAccess.outputs.require-result == 'true'
        uses: actions/github-script@v7
        with:
          token: ${{ secrets.GH_PAT_FOR_TAGGING }}
          script: |
            github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              labels: ['run-ci']
            })