name: Restrict PR Authors

on:
  pull_request:
    types: [opened, reopened, synchronize]
    branches: 
      - '**' # Apply to all PRs in this repo

permissions:
  pull-requests: write

jobs:
  check_pr_author:
    runs-on: ubuntu-latest
    steps:
      - name: Validate PR Author
        uses: actions/github-script@v7
        with:
          script: |
            // TODO: Add your team members here
            const allowed = [
              "hydracp9",
              "eltayar", // Added for testing/dev
              // "another-client-user"
            ];

            const prAuthor = context.payload.pull_request.user.login;

            core.info(`PR Author: ${prAuthor}`);

            if (!allowed.includes(prAuthor)) {
              core.setFailed(`⛔ Unauthorized Access: User '${prAuthor}' is not in the allowed list.`);
              
              // Optional: Close the PR automatically
              try {
                 await github.rest.pulls.update({
                    owner: context.repo.owner,
                    repo: context.repo.repo,
                    pull_number: context.payload.pull_request.number,
                    state: "closed"
                 });
                 core.info("PR has been closed automatically.");
              } catch (e) {
                 core.warning("Failed to close PR automatically.");
              }
            } else {
              core.info("✅ Authorized.");
            }