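---
# Reusable "dual approval" gate: passes only when two distinct, named accounts
# (a CTO reviewer and a QA reviewer) have each left an APPROVED review on the
# pull request's *current* head commit. Intended to be called as a required
# status check from a workflow that has the PR number in context.
name: Dual Approval Check

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      pr_number:
        description: "Pull request number"
        required: false
        type: number
      # NOTE(review): these identities are supplied by the caller. Anyone who
      # can edit the caller workflow can point the gate at accounts they
      # control, so protect the caller workflow file (CODEOWNERS / rulesets)
      # as strictly as this one.
      cto-reviewer:
        description: "GitHub username of the CTO reviewer"
        required: false
        type: string
        default: "privilegedescalation-cto"
      qa-reviewer:
        description: "GitHub username of the QA reviewer"
        required: false
        type: string
        default: "privilegedescalation-qa"

jobs:
  dual-approval:
    name: Dual Approval (CTO + QA)
    runs-on: ubuntu-latest
    timeout-minutes: 5
    # Least privilege: the job only reads the PR and its reviews. A called
    # workflow can only downgrade the caller's token, never elevate it.
    permissions:
      contents: read
      pull-requests: read
    steps:
      - name: Check dual approval
        env:
          GH_TOKEN: ${{ github.token }}
          CTO_REVIEWER: ${{ inputs.cto-reviewer }}
          QA_REVIEWER: ${{ inputs.qa-reviewer }}
          PR_NUMBER: ${{ inputs.pr_number }}
          REPO: ${{ github.repository }}
        run: |
          set -euo pipefail

          # Fail-open by design when there is no PR to check (an empty value or
          # the literal "null" both count as absent). NOTE(review): if this job
          # is a required status check, a caller that omits pr_number will
          # satisfy it with no approvals at all — either make pr_number
          # required in the caller or change this to `exit 1` to fail closed.
          if [ -z "${PR_NUMBER}" ] || [ "${PR_NUMBER}" = "null" ]; then
            echo "::notice::No PR number in context (dismissed review or workflow_call without pr_number). Skipping dual approval check — no action needed."
            exit 0
          fi

          # "Dual" means two different people; one account must not be able to
          # satisfy both roles with a single approval.
          if [ "${CTO_REVIEWER}" = "${QA_REVIEWER}" ]; then
            echo "::error::cto-reviewer and qa-reviewer must be different accounts (both are '${CTO_REVIEWER}')."
            exit 1
          fi

          echo "Checking approvals on PR #${PR_NUMBER} in ${REPO}"

          # An approval only covers the commit it was given on. Pin the check
          # to the PR's current head so "approve, then push more commits" does
          # not pass unless the reviewers approve again (branch protection may
          # already dismiss stale reviews, but this gate must not rely on it).
          HEAD_SHA=$(gh api "repos/${REPO}/pulls/${PR_NUMBER}" --jq '.head.sha') || HEAD_SHA=""
          if [ -z "${HEAD_SHA}" ]; then
            echo "::error::Could not fetch head commit of PR #${PR_NUMBER}. Failing closed."
            exit 1
          fi

          # The reviews endpoint is paginated; reading only the first page could
          # miss a later CHANGES_REQUESTED or DISMISSED review. --paginate walks
          # every page, --jq '.[]' streams the entries, jq -s re-assembles them.
          REVIEWS=$(gh api --paginate "repos/${REPO}/pulls/${PR_NUMBER}/reviews" --jq '.[]' | jq -s '.') || REVIEWS=""
          if [ -z "${REVIEWS}" ] || [ "${REVIEWS}" = "null" ]; then
            echo "::warning::Could not fetch reviews for PR #${PR_NUMBER}. Assuming no approvals yet."
            exit 1
          fi

          # Prints "true" when the account's most recent review is APPROVED and
          # was made on the current head commit, else "false". Accepts the plain
          # login or its "[bot]" form so GitHub App reviewers work. Deliberately
          # strict: any later review by the same account (even a plain COMMENTED
          # one) supersedes an earlier approval.
          # NOTE(review): logins are compared by name, not numeric id; a renamed
          # or recycled username would be matched by whoever holds it now.
          latest_approval_on_head() {
            printf '%s\n' "${REVIEWS}" | jq -r --arg user "$1" --arg head "${HEAD_SHA}" '
              [ .[] | select(.user.login == $user or .user.login == ($user + "[bot]")) ]
              | last
              | if . == null then false
                else (.state == "APPROVED" and .commit_id == $head) end'
          }

          CTO_APPROVED=$(latest_approval_on_head "${CTO_REVIEWER}")
          QA_APPROVED=$(latest_approval_on_head "${QA_REVIEWER}")

          echo "CTO (${CTO_REVIEWER}) approved on ${HEAD_SHA}: ${CTO_APPROVED}"
          echo "QA (${QA_REVIEWER}) approved on ${HEAD_SHA}: ${QA_APPROVED}"

          if [ "${CTO_APPROVED}" = "true" ] && [ "${QA_APPROVED}" = "true" ]; then
            echo "Both CTO and QA have approved. Dual approval check passed."
          else
            echo "Dual approval check failed."
            if [ "${CTO_APPROVED}" != "true" ]; then
              echo "  Missing: CTO approval from ${CTO_REVIEWER} on current head ${HEAD_SHA}"
            fi
            if [ "${QA_APPROVED}" != "true" ]; then
              echo "  Missing: QA approval from ${QA_REVIEWER} on current head ${HEAD_SHA}"
            fi
            exit 1
          fi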