name: "Run PR workflows"
on:
  pull_request:

permissions:
  pull-requests: write

concurrency:
  group: ${{ github.workflow }}-pr-${{ github.head_ref || github.ref_name }}
  cancel-in-progress: true

jobs:
  pre_check:
    name: "Check if we need to update the SDK"
    runs-on: ubuntu-latest
    # Setting the environment is the more important reason we need this job.
    # We use this job as a gate, so we can approve the PR workflow only once. If
    # we set this in the update_sdk job and in the build_image job, we would have
    # to approve the workflow for every job that kicks off. Given that the jobs
    # are sequenced, this is cumbersome. Use this job as a gate and make the rest
    # dependent on it.
    environment: development
    outputs:
      sdk_changes: ${{ steps.step1.outputs.sdk_changes }}
    steps:
      - name: Set outputs
        id: step1
        shell: bash
        run: |
          echo "sdk_changes=${{ contains(github.event.pull_request.body, '/update-sdk') }}" >> $GITHUB_OUTPUT

  update_sdk:
    name: "Build an updated SDK container"
    needs: [ pre_check ]
    if: needs.pre_check.outputs.sdk_changes == 'true'
    # SDK build needs access to bincache ssh secret
    secrets: inherit
    uses: ./.github/workflows/update-sdk.yaml

  build_image:
    needs: [ update_sdk ]
    # The update-sdk job may be skipped, which is fine. We only care if it tried to
    # run, but failed.
    if: (always() && !cancelled()) && needs.update_sdk.result != 'failure'
    name: "Build the OS image"
    uses: ./.github/workflows/ci.yaml
    with:
      custom_sdk_version: ${{ needs.update_sdk.outputs.sdk_version }}
      image_formats: qemu_uefi