name: Contributor Attribution Check

on:
  pull_request:
    branches: [main]
  # No paths filter — the job must always run so the required check
  # reports a status (path-gated workflows leave checks "pending" forever
  # when no matching files change, which blocks merge).

permissions:
  contents: read

jobs:
  check-attribution:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0  # Full history needed for git log

      - name: Check if relevant files changed
        id: filter
        run: |
          BASE="${{ github.event.pull_request.base.sha }}"
          HEAD="${{ github.event.pull_request.head.sha }}"
          CHANGED=$(git diff --name-only "$BASE"..."$HEAD" -- '*.py' '**/*.py' '.github/workflows/contributor-check.yml' || true)
          if [ -n "$CHANGED" ]; then
            echo "run=true" >> "$GITHUB_OUTPUT"
          else
            echo "run=false" >> "$GITHUB_OUTPUT"
            echo "No Python files changed, skipping attribution check."
          fi

      - name: Check for unmapped contributor emails
        if: steps.filter.outputs.run == 'true'
        run: |
          # Get the merge base between this PR and main
          MERGE_BASE=$(git merge-base origin/main HEAD)

          # Find any new author emails in this PR's commits
          NEW_EMAILS=$(git log ${MERGE_BASE}..HEAD --format='%ae' --no-merges | sort -u)

          if [ -z "$NEW_EMAILS" ]; then
            echo "No new commits to check."
            exit 0
          fi

          # Check each email against AUTHOR_MAP in release.py
          MISSING=""
          while IFS= read -r email; do
            # Skip teknium and bot emails
            case "$email" in
              *teknium*|*noreply@github.com*|*dependabot*|*github-actions*|*anthropic.com*|*cursor.com*)
                continue ;;
            esac

            # Check if email is in AUTHOR_MAP (either as a key or matches noreply pattern)
            if echo "$email" | grep -qP '\+.*@users\.noreply\.github\.com'; then
              continue  # GitHub noreply emails auto-resolve
            fi

            if ! grep -qF "\"${email}\"" scripts/release.py 2>/dev/null; then
              AUTHOR=$(git log --author="$email" --format='%an' -1)
              MISSING="${MISSING}\n  ${email} (${AUTHOR})"
            fi
          done <<< "$NEW_EMAILS"

          if [ -n "$MISSING" ]; then
            echo ""
            echo "⚠️  New contributor email(s) not in AUTHOR_MAP:"
            echo -e "$MISSING"
            echo ""
            echo "Please add mappings to scripts/release.py AUTHOR_MAP:"
            echo -e "$MISSING" | while read -r line; do
              email=$(echo "$line" | sed 's/^ *//' | cut -d' ' -f1)
              [ -z "$email" ] && continue
              echo "    \"${email}\": \"<github-username>\","
            done
            echo ""
            echo "To find the GitHub username for an email:"
            echo "  gh api 'search/users?q=EMAIL+in:email' --jq '.items[0].login'"
            exit 1
          else
            echo "✅ All contributor emails are mapped in AUTHOR_MAP."
          fi