name: PR Label Validation

on:
  pull_request_target: # zizmor: ignore[dangerous-triggers] no attacker inputs are used here
    types: [opened, labeled, unlabeled, synchronize]

permissions: {}

jobs:
  validate-release-label:
    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
    steps:
      - id: token
        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Require PR to have a changelog label
        uses: mheap/github-action-required-labels@0ac283b4e65c1fb28ce6079dea5546ceca98ccbe # v5.5.2
        with:
          token: ${{ steps.token.outputs.token }}
          mode: exactly
          count: 1
          use_regex: true
          labels: 'changelog:.*'
          add_comment: true
          message: 'Label error. Requires {{errorString}} {{count}} of: {{ provided }}. Found: {{ applied }}. A maintainer will add the required label.'