  check-permissions:
    name: permissions check
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v4.1.1
        with:
          persist-credentials: false

      - name: Check permissions on PR
        if: github.event_name == 'pull_request_target'
        run: |
          {% raw %}
          python3 -uS .github/workflows/scripts/trigger_tests_on_label.py \
              --repo-id ${{ github.event.repository.id }} \
              --pr ${{ github.event.number }} \
              --event ${{ github.event.action }} \
              --username "$ARG_USERNAME" \
              --label-names "$ARG_LABEL_NAMES"
          {% endraw %}
        env:
          {% raw %}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # these can contain special characters
          ARG_USERNAME: ${{ github.event.pull_request.user.login }}
          ARG_LABEL_NAMES: ${{ toJSON(github.event.pull_request.labels.*.name) }}
          {% endraw %}

      - name: Check permissions on repo branch
        if: github.event_name == 'push'
        run: true
