validate-plugin.yml

name: Validate Plugin

permissions:
  contents: read
  pull-requests: write
  issues: write
  security-events: write

env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
  # Comma-separated lists of blocked GitHub usernames and plugin slugs.
  # Set these in repo Settings → Variables as AUTHOR_BLACKLIST and PLUGIN_BLACKLIST.
  AUTHOR_BLACKLIST: ${{ vars.AUTHOR_BLACKLIST }}
  PLUGIN_BLACKLIST: ${{ vars.PLUGIN_BLACKLIST }}

on:
  pull_request_target:
    types:
      - opened
      - edited
      - synchronize
      - ready_for_review

concurrency:
  group: validate-plugin-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  # --------------------------------------------------------------------------
  # Job 1: Post a notice on draft PRs - no validation runs yet
  # --------------------------------------------------------------------------
  draft-notice:
    if: github.event.pull_request.draft == true
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout config
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.base.ref }}
          fetch-depth: 1
          sparse-checkout: .github/scripts
          sparse-checkout-cone-mode: false

      - name: Load app ID from config
        id: config
        env:
          GH_APP_ID: ${{ vars.GH_APP_ID }}
          GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
        run: |
          if [[ -n "${GH_APP_ID:-}" && -n "${GH_APP_PRIVATE_KEY:-}" ]]; then
            echo "app_id=${GH_APP_ID}" >> "$GITHUB_OUTPUT"
            echo "use_app=true" >> "$GITHUB_OUTPUT"
          else
            echo "use_app=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Generate GitHub App token
        if: steps.config.outputs.use_app == 'true'
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ steps.config.outputs.app_id }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

      - name: Log fallback to actions token
        if: steps.config.outputs.use_app != 'true'
        run: |
          printf '## ⚠️ GitHub App token not available\n\nGH_APP_ID or GH_APP_PRIVATE_KEY not configured. Falling back to `GITHUB_TOKEN` (github-actions[bot] identity).\n' >> "$GITHUB_STEP_SUMMARY"

      - name: Post draft notice
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
          GH_TOKEN: ${{ steps.config.outputs.use_app == 'true' && steps.app-token.outputs.token || github.token }}
          BOT_LOGIN: ${{ steps.config.outputs.use_app == 'true' && format('{0}[bot]', steps.app-token.outputs.app-slug) || 'github-actions[bot]' }}
          GH_REPO: ${{ github.repository }}
        run: |
          MARKER="<!--PLUGIN_VALIDATION_DRAFT_NOTICE-->"
          COMMENT="$MARKER"$'\n'"This PR is currently a draft. Plugin validation will run once the PR is marked ready for review."
          EXISTING=$(gh pr view $PR_NUMBER --json comments \
            | jq -r --arg marker "$MARKER" --arg login "$BOT_LOGIN" '.comments[] | select(.author.login==$login) | select(.body | contains($marker)) | .id')
          if [ -n "$EXISTING" ]; then
            gh api "repos/${{ github.repository }}/issues/comments/$EXISTING" -X PATCH -f body="$COMMENT"
          else
            gh pr comment $PR_NUMBER --body "$COMMENT"
          fi

  # --------------------------------------------------------------------------
  # Job 2: Detect which plugins changed and build the matrix
  # --------------------------------------------------------------------------
  detect-changes:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    timeout-minutes: 5
    outputs:
      matrix: ${{ steps.detect.outputs.matrix }}
      plugin_count: ${{ steps.detect.outputs.plugin_count }}
      close_pr: ${{ steps.blacklist.outputs.close_pr || steps.detect.outputs.close_pr }}
      close_reason: ${{ steps.blacklist.outputs.close_reason || steps.detect.outputs.close_reason }}
      outside_files: ${{ steps.detect.outputs.outside_files }}
      outside_violation: ${{ steps.detect.outputs.outside_violation }}
      skip_validation: ${{ steps.detect.outputs.skip_validation }}
      pub_key_changed: ${{ steps.detect.outputs.pub_key_changed }}
      has_new_plugin: ${{ steps.detect.outputs.has_new_plugin }}
      has_updated_plugin: ${{ steps.detect.outputs.has_updated_plugin }}
    steps:
      - name: Checkout base branch scripts (trusted)
        uses: actions/checkout@v4
        with:
          repository: ${{ github.repository }}
          ref: ${{ github.event.pull_request.base.ref }}
          fetch-depth: 0
          sparse-checkout: .github/scripts
          sparse-checkout-cone-mode: false

      - name: Fetch base branch
        run: git fetch origin ${{ github.event.pull_request.base.ref }}

      - name: Save trusted scripts before fork checkout
        run: cp -r .github/scripts /tmp/trusted-scripts

      - name: Checkout PR plugins (untrusted content only)
        uses: actions/checkout@v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
          sparse-checkout: plugins
          sparse-checkout-cone-mode: false
          clean: false

      - name: Restore trusted scripts
        run: mkdir -p .github && cp -r /tmp/trusted-scripts .github/scripts

      - name: Re-fetch base branch refs
        run: git fetch https://github.com/${{ github.repository }} +${{ github.event.pull_request.base.ref }}:refs/remotes/origin/${{ github.event.pull_request.base.ref }}

      - name: Load app ID from config
        id: config
        env:
          GH_APP_ID: ${{ vars.GH_APP_ID }}
          GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
        run: |
          if [[ -n "${GH_APP_ID:-}" && -n "${GH_APP_PRIVATE_KEY:-}" ]]; then
            echo "app_id=${GH_APP_ID}" >> "$GITHUB_OUTPUT"
            echo "use_app=true" >> "$GITHUB_OUTPUT"
          else
            echo "use_app=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Generate GitHub App token
        if: steps.config.outputs.use_app == 'true'
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ steps.config.outputs.app_id }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

      - name: Log fallback to actions token
        if: steps.config.outputs.use_app != 'true'
        run: |
          printf '## ⚠️ GitHub App token not available\n\nGH_APP_ID or GH_APP_PRIVATE_KEY not configured. Falling back to `GITHUB_TOKEN` (github-actions[bot] identity).\n' >> "$GITHUB_STEP_SUMMARY"

      - name: Detect changed plugins
        id: detect
        env:
          GH_TOKEN: ${{ steps.config.outputs.use_app == 'true' && steps.app-token.outputs.token || github.token }}
          GITHUB_REPOSITORY: ${{ github.repository }}
        run: |
          chmod +x .github/scripts/validate/*.sh
          .github/scripts/validate/detect-changes.sh \
            "${{ github.event.pull_request.user.login }}" \
            "${{ github.event.pull_request.base.ref }}"

      - name: Check author and plugin blacklists
        id: blacklist
        # Only run if detect didn't already decide to close (avoids redundant output)
        if: steps.detect.outputs.close_pr != 'true'
        env:
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
          MATRIX: ${{ steps.detect.outputs.matrix }}
        run: |
          AUTHOR_BL="${AUTHOR_BLACKLIST:-}"
          PLUGIN_BL="${PLUGIN_BLACKLIST:-}"

          # No-op if neither list is configured
          if [[ -z "$AUTHOR_BL" && -z "$PLUGIN_BL" ]]; then
            exit 0
          fi

          MATCHED=false
          REASON=""

          # Check author blacklist (case-insensitive, strips whitespace around commas)
          if [[ -n "$AUTHOR_BL" ]]; then
            IFS=',' read -ra BLOCKED <<< "$AUTHOR_BL"
            for entry in "${BLOCKED[@]}"; do
              slug="${entry// /}"
              if [[ "${PR_AUTHOR,,}" == "${slug,,}" ]]; then
                MATCHED=true
                REASON="author-blacklisted"
                echo "::warning::PR author '$PR_AUTHOR' is on the author blacklist."
                break
              fi
            done
          fi

          # Check plugin blacklist (case-insensitive)
          if [[ "$MATCHED" != "true" && -n "$PLUGIN_BL" ]]; then
            IFS=',' read -ra BLOCKED <<< "$PLUGIN_BL"
            while IFS= read -r plugin; do
              [[ -z "$plugin" ]] && continue
              for entry in "${BLOCKED[@]}"; do
                slug="${entry// /}"
                if [[ "${plugin,,}" == "${slug,,}" ]]; then
                  MATCHED=true
                  REASON="plugin-blacklisted"
                  echo "::warning::Plugin '$plugin' is on the plugin blacklist."
                  break 2
                fi
              done
            done < <(printf '%s' "$MATRIX" | jq -r '.[]' 2>/dev/null || true)
          fi

          if [[ "$MATCHED" == "true" ]]; then
            echo "close_pr=true" >> "$GITHUB_OUTPUT"
            echo "close_reason=$REASON" >> "$GITHUB_OUTPUT"
          fi

  # --------------------------------------------------------------------------
  # Job 3: Apply PR labels based on change classification
  # --------------------------------------------------------------------------
  label-pr:
    needs: [detect-changes]
    if: always() && needs.detect-changes.result == 'success'
    runs-on: ubuntu-latest
    timeout-minutes: 2
    steps:
      - name: Checkout config
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.base.ref }}
          fetch-depth: 1
          sparse-checkout: .github/scripts
          sparse-checkout-cone-mode: false

      - name: Load app ID from config
        id: config
        env:
          GH_APP_ID: ${{ vars.GH_APP_ID }}
          GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
        run: |
          if [[ -n "${GH_APP_ID:-}" && -n "${GH_APP_PRIVATE_KEY:-}" ]]; then
            echo "app_id=${GH_APP_ID}" >> "$GITHUB_OUTPUT"
            echo "use_app=true" >> "$GITHUB_OUTPUT"
          else
            echo "use_app=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Generate GitHub App token
        if: steps.config.outputs.use_app == 'true'
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ steps.config.outputs.app_id }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

      - name: Log fallback to actions token
        if: steps.config.outputs.use_app != 'true'
        run: |
          printf '## ⚠️ GitHub App token not available\n\nGH_APP_ID or GH_APP_PRIVATE_KEY not configured. Falling back to `GITHUB_TOKEN` (github-actions[bot] identity).\n' >> "$GITHUB_STEP_SUMMARY"

      - name: Apply labels
        env:
          GH_TOKEN: ${{ steps.config.outputs.use_app == 'true' && steps.app-token.outputs.token || github.token }}
          GH_REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          HAS_NEW_PLUGIN: ${{ needs.detect-changes.outputs.has_new_plugin }}
          HAS_UPDATED_PLUGIN: ${{ needs.detect-changes.outputs.has_updated_plugin }}
          OUTSIDE_FILES: ${{ needs.detect-changes.outputs.outside_files }}
          OUTSIDE_VIOLATION: ${{ needs.detect-changes.outputs.outside_violation }}
          CLOSE_PR: ${{ needs.detect-changes.outputs.close_pr }}
        run: |
          apply_label() {
            local label=$1 condition=$2
            if [[ "$condition" == "true" ]]; then
              gh pr edit "$PR_NUMBER" --add-label "$label" || true
            else
              gh pr edit "$PR_NUMBER" --remove-label "$label" 2>/dev/null || true
            fi
          }
          apply_label "New Plugin"    "$HAS_NEW_PLUGIN"
          apply_label "Plugin Update" "$HAS_UPDATED_PLUGIN"
          # Repo Update only when there are outside files AND it's not a violation (authorized)
          if [[ -n "$OUTSIDE_FILES" && "$OUTSIDE_VIOLATION" != "true" ]]; then
            IS_REPO_UPDATE=true
          else
            IS_REPO_UPDATE=false
          fi
          apply_label "Repo Update" "$IS_REPO_UPDATE"
          # Invalid when PR has unauthorized outside changes or unauthorized plugin modifications
          if [[ "$OUTSIDE_VIOLATION" == "true" || "$CLOSE_PR" == "true" ]]; then
            IS_INVALID=true
          else
            IS_INVALID=false
          fi
          apply_label "Invalid" "$IS_INVALID"

  # --------------------------------------------------------------------------
  # Job 4: Validate PR title format
  #   Runs on every non-draft, non-closing PR event (including 'edited', which
  #   fires when the title is renamed).
  # --------------------------------------------------------------------------
  validate-title:
    needs: [detect-changes]
    if: github.event.pull_request.draft == false && needs.detect-changes.result == 'success' && needs.detect-changes.outputs.close_pr == 'false'
    runs-on: ubuntu-latest
    timeout-minutes: 2
    outputs:
      title_valid: ${{ steps.check.outputs.title_valid }}
      title_feedback: ${{ steps.check.outputs.title_feedback }}
      title_suggestion: ${{ steps.check.outputs.title_suggestion }}
    steps:
      - name: Validate PR title format
        id: check
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
          PLUGIN_COUNT: ${{ needs.detect-changes.outputs.plugin_count }}
          MATRIX: ${{ needs.detect-changes.outputs.matrix }}
          SKIP_VALIDATION: ${{ needs.detect-changes.outputs.skip_validation }}
        run: |
          TITLE="$PR_TITLE"
          AUTHOR="$PR_AUTHOR"
          COUNT="${PLUGIN_COUNT:-0}"
          SKIP="${SKIP_VALIDATION:-false}"
          MATRIX_JSON="${MATRIX:-[]}"
          TITLE_VALID=true
          TITLE_FEEDBACK=""
          TITLE_SUGGESTION=""

          # Build a context-appropriate suggestion for this PR
          if [[ "$COUNT" == "0" ]]; then
            CONTEXT_SUGGESTION="[repo]: Brief description of changes"
          elif [[ "$COUNT" == "1" ]]; then
            SLUG=$(printf '%s' "$MATRIX_JSON" | jq -r '.[0] // "plugin-slug"' || echo "plugin-slug")
            CONTEXT_SUGGESTION="[$SLUG]: Brief description of changes"
          else
            CONTEXT_SUGGESTION="[$AUTHOR]: Brief description of changes"
          fi

          # Check format and extract prefix using bash =~ to avoid grep/sed ERE inconsistencies.
          # [^]] inside bash =~ means "not ]" (] is literal when first after [^).
          if [[ "$TITLE" =~ ^\[([^]]+)\]:?[[:space:]]+.+ ]]; then
            PREFIX="${BASH_REMATCH[1]}"

            # Validate prefix matches expected context
            if [[ "$COUNT" == "0" ]]; then
              if [[ "$PREFIX" != "repo" ]]; then
                TITLE_VALID=false
                TITLE_FEEDBACK="For repo-level or non-plugin changes, the prefix should be \`[repo]\`."
                TITLE_SUGGESTION="$CONTEXT_SUGGESTION"
              fi
            elif [[ "$COUNT" == "1" ]]; then
              EXPECTED=$(printf '%s' "$MATRIX_JSON" | jq -r '.[0] // ""' || echo "")
              if [[ -n "$EXPECTED" && "$PREFIX" != "$EXPECTED" ]]; then
                TITLE_VALID=false
                TITLE_FEEDBACK="For a single plugin change, the prefix should match the plugin folder name: \`[$EXPECTED]\`."
                TITLE_SUGGESTION="$CONTEXT_SUGGESTION"
              fi
            else
              if [[ "$PREFIX" != "$AUTHOR" ]]; then
                TITLE_VALID=false
                TITLE_FEEDBACK="For changes to multiple plugins, the prefix should be your GitHub username: \`[$AUTHOR]\`."
                TITLE_SUGGESTION="$CONTEXT_SUGGESTION"
              fi
            fi
          else
            TITLE_VALID=false
            TITLE_FEEDBACK="PR title does not match the required format. Expected: \`[prefix] description\`."
            TITLE_SUGGESTION="$CONTEXT_SUGGESTION"
          fi

          echo "title_valid=$TITLE_VALID" >> "$GITHUB_OUTPUT"
          {
            echo "title_feedback<<ENDOFVALUE"
            echo "$TITLE_FEEDBACK"
            echo "ENDOFVALUE"
          } >> "$GITHUB_OUTPUT"
          {
            echo "title_suggestion<<ENDOFVALUE"
            echo "$TITLE_SUGGESTION"
            echo "ENDOFVALUE"
          } >> "$GITHUB_OUTPUT"

          if [[ "$TITLE_VALID" != "true" ]]; then
            echo "::error::PR title does not match the required format. See CONTRIBUTING.md for details."
            exit 1
          fi

  # --------------------------------------------------------------------------
  # Job 5: CodeQL security and quality analysis (runs after validate-plugin)
  # --------------------------------------------------------------------------
  codeql-analyze:
    needs: [detect-changes, validate-plugin, validate-title]
    if: needs.validate-plugin.result == 'success' && needs.detect-changes.outputs.skip_validation != 'true' && needs.validate-title.outputs.title_valid == 'true'
    runs-on: ubuntu-latest
    timeout-minutes: 15
    outputs:
      codeql_status: ${{ steps.status.outputs.codeql_status }}
      codeql_errors: ${{ steps.status.outputs.codeql_errors }}
      codeql_warnings: ${{ steps.status.outputs.codeql_warnings }}
      codeql_mediums: ${{ steps.status.outputs.codeql_mediums }}
      codeql_lows: ${{ steps.status.outputs.codeql_lows }}
      codeql_unscanned_langs: ${{ steps.status.outputs.codeql_unscanned_langs }}
    steps:
      - name: Checkout PR merge commit for analysis
        uses: actions/checkout@v4
        with:
          ref: refs/pull/${{ github.event.pull_request.number }}/merge
          # Minimal placeholder - overridden immediately by the next step
          # (actions/checkout doesn't support dynamic expressions in sparse-checkout)
          sparse-checkout: .gitignore
          sparse-checkout-cone-mode: false

      - name: Limit checkout to changed plugin folders only
        run: |
          echo '${{ needs.detect-changes.outputs.matrix }}' \
            | jq -r '.[] | "plugins/\(.)"' \
            | git sparse-checkout set --stdin
          git checkout

      - name: Detect supported languages
        id: detect-langs
        run: |
          LANGS=()
          UNSCANNED=()

          # --- CodeQL-supported languages ---
          if find plugins -name '*.py' -print -quit | grep -q .; then
            LANGS+=(python)
          fi
          if find plugins \( -name '*.js' -o -name '*.ts' -o -name '*.jsx' -o -name '*.tsx' \) -print -quit | grep -q .; then
            LANGS+=(javascript)
          fi
          if find plugins -name '*.go' -print -quit | grep -q .; then
            LANGS+=(go)
          fi
          if find plugins -name '*.rb' -print -quit | grep -q .; then
            LANGS+=(ruby)
          fi
          if find plugins \( -name '*.java' -o -name '*.kt' -o -name '*.kts' \) -print -quit | grep -q .; then
            LANGS+=("java-kotlin")
          fi
          if find plugins \( -name '*.c' -o -name '*.cpp' -o -name '*.cc' -o -name '*.h' -o -name '*.hpp' \) -print -quit | grep -q .; then
            LANGS+=("c-cpp")
          fi

          # --- Files present but not supported by CodeQL ---
          if find plugins \( -name '*.sh' -o -name '*.bash' \) -print -quit | grep -q .; then
            UNSCANNED+=(shell)
          fi
          if find plugins -name '*.php' -print -quit | grep -q .; then
            UNSCANNED+=(php)
          fi
          if find plugins -name '*.lua' -print -quit | grep -q .; then
            UNSCANNED+=(lua)
          fi
          if find plugins \( -name '*.pl' -o -name '*.pm' \) -print -quit | grep -q .; then
            UNSCANNED+=(perl)
          fi
          if find plugins -name '*.rs' -print -quit | grep -q .; then
            UNSCANNED+=(rust)
          fi

          UNSCANNED_CSV=""
          [[ ${#UNSCANNED[@]} -gt 0 ]] && UNSCANNED_CSV=$(IFS=,; echo "${UNSCANNED[*]}")
          echo "unscanned_langs=$UNSCANNED_CSV" >> "$GITHUB_OUTPUT"

          if [[ ${#LANGS[@]} -gt 0 ]]; then
            LANG_CSV=$(IFS=,; echo "${LANGS[*]}")
            echo "found=true" >> "$GITHUB_OUTPUT"
            echo "languages=$LANG_CSV" >> "$GITHUB_OUTPUT"
            echo "Detected languages for CodeQL: $LANG_CSV"
            if [[ -n "$UNSCANNED_CSV" ]]; then echo "Unscanned (no CodeQL support): $UNSCANNED_CSV"; fi
          else
            echo "found=false" >> "$GITHUB_OUTPUT"
            echo "languages=" >> "$GITHUB_OUTPUT"
            echo "No supported language files found in changed plugins - skipping CodeQL."
            if [[ -n "$UNSCANNED_CSV" ]]; then echo "Unscanned file types detected (no CodeQL support): $UNSCANNED_CSV"; fi
          fi

      - name: Get merge commit SHA
        id: merge
        run: echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT

      - name: Initialize CodeQL
        if: steps.detect-langs.outputs.found == 'true'
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ steps.detect-langs.outputs.languages }}
          # Query suite options (slowest → fastest):
          #   security-and-quality  – security + maintainability/style (quality results are discarded by our SARIF filter anyway)
          #   security-extended     – all security severities, no quality queries (current)
          #   (omit queries:)       – high-confidence security only; drops CVSS 6.0–6.9 medium findings our report surfaces
          queries: security-extended

      - name: Autobuild
        if: steps.detect-langs.outputs.found == 'true'
        uses: github/codeql-action/autobuild@v4

      - name: Perform CodeQL Analysis
        if: steps.detect-langs.outputs.found == 'true'
        id: analyze
        uses: github/codeql-action/analyze@v4
        with:
          category: pr-${{ github.event.pull_request.number }}
          output: sarif-results
          upload: false
        continue-on-error: true

      - name: Set CodeQL status output
        id: status
        if: always()
        run: |
          # Only block on security findings with CVSS score >= 7.0 (HIGH or CRITICAL).
          # CodeQL stores this in rule properties["security-severity"], not in result.level.
          JQ_BLOCKING='
            [ .runs[] |
              . as $run |
              (
                [ (($run.tool.driver.rules // [])[]          | {key: (.id // ""), value: ((.properties["security-severity"] // "0") | tostring)}),
                  ((($run.tool.extensions // [])[].rules // [])[] | {key: (.id // ""), value: ((.properties["security-severity"] // "0") | tostring)}) ]
                | from_entries
              ) as $secmap |
              ($run.results // [])[] |
              ((.ruleId // .rule.id // "") | tostring) as $rid |
              select((($secmap[$rid] // "0") | tonumber) >= 7.0)
            ] | length'
          JQ_MEDIUM='
            [ .runs[] |
              . as $run |
              (
                [ (($run.tool.driver.rules // [])[]          | {key: (.id // ""), value: ((.properties["security-severity"] // "0") | tostring)}),
                  ((($run.tool.extensions // [])[].rules // [])[] | {key: (.id // ""), value: ((.properties["security-severity"] // "0") | tostring)}) ]
                | from_entries
              ) as $secmap |
              ($run.results // [])[] |
              ((.ruleId // .rule.id // "") | tostring) as $rid |
              (($secmap[$rid] // "0") | tonumber) as $sev |
              select($sev >= 6.0 and $sev < 7.0)
            ] | length'
          JQ_LOW='
            [ .runs[] |
              . as $run |
              (
                [ (($run.tool.driver.rules // [])[]          | {key: (.id // ""), value: ((.properties["security-severity"] // "0") | tostring)}),
                  ((($run.tool.extensions // [])[].rules // [])[] | {key: (.id // ""), value: ((.properties["security-severity"] // "0") | tostring)}) ]
                | from_entries
              ) as $secmap |
              ($run.results // [])[] |
              ((.ruleId // .rule.id // "") | tostring) as $rid |
              (($secmap[$rid] // "0") | tonumber) as $sev |
              select($sev < 6.0)
            ] | length'
          RESULT_COUNT=0
          MEDIUM_COUNT=0
          LOW_COUNT=0
          TOTAL_COUNT=0
          if [[ -d "sarif-results" ]]; then
            for f in sarif-results/*.sarif sarif-results/*.sarif.gz; do
              [[ -f "$f" ]] || continue
              if [[ "$f" == *.gz ]]; then
                CONTENT=$(gunzip -c "$f")
              else
                CONTENT=$(cat "$f")
              fi
              COUNT=$(echo "$CONTENT" | jq "$JQ_BLOCKING")
              MED=$(echo "$CONTENT" | jq "$JQ_MEDIUM")
              LOW=$(echo "$CONTENT" | jq "$JQ_LOW")
              TOT=$(echo "$CONTENT" | jq '[.runs[] | (.results // [])[]] | length')
              echo "File $f: ${COUNT:-0} blocking, ${MED:-0} medium, ${LOW:-0} low, $TOT total"
              echo "$CONTENT" | jq -r \
                '[ .runs[] | . as $run |
                   ([ (($run.tool.driver.rules // [])[] | {key: (.id // ""), value: ((.properties["security-severity"] // "0") | tostring)}),
                      ((($run.tool.extensions // [])[].rules // [])[] | {key: (.id // ""), value: ((.properties["security-severity"] // "0") | tostring)}) ] | from_entries) as $secmap |
                   ($run.results // [])[] |
                   ((.ruleId // .rule.id // "") | tostring) as $rid |
                   select((($secmap[$rid] // "0") | tonumber) >= 7.0) |
                   "  [blocking] \($rid) sec-sev=\($secmap[$rid] // "n/a")" ] | .[]' || true
              RESULT_COUNT=$((RESULT_COUNT + ${COUNT:-0}))
              MEDIUM_COUNT=$((MEDIUM_COUNT + ${MED:-0}))
              LOW_COUNT=$((LOW_COUNT + ${LOW:-0}))
              TOTAL_COUNT=$((TOTAL_COUNT + ${TOT:-0}))
            done
          fi
          WARN_COUNT=$(( TOTAL_COUNT > RESULT_COUNT ? TOTAL_COUNT - RESULT_COUNT : 0 ))
          echo "Found $RESULT_COUNT high/critical, $MEDIUM_COUNT medium, $LOW_COUNT low, and $WARN_COUNT other CodeQL result(s)"
          echo "codeql_errors=$RESULT_COUNT" >> "$GITHUB_OUTPUT"
          echo "codeql_warnings=$WARN_COUNT" >> "$GITHUB_OUTPUT"
          echo "codeql_mediums=$MEDIUM_COUNT" >> "$GITHUB_OUTPUT"
          echo "codeql_lows=$LOW_COUNT" >> "$GITHUB_OUTPUT"

          # Generate a findings detail file for inclusion in the PR comment
          if [[ "$RESULT_COUNT" -gt 0 ]]; then
            MERGE_SHA=$(git rev-parse HEAD)
            {
              echo "| Rule | Location | Description |"
              echo "|------|----------|-------------|"
              for f in sarif-results/*.sarif sarif-results/*.sarif.gz; do
                [[ -f "$f" ]] || continue
                if [[ "$f" == *.gz ]]; then
                  FC=$(gunzip -c "$f")
                else
                  FC=$(cat "$f")
                fi
                echo "$FC" | jq -r \
                  --arg repo "$GITHUB_REPOSITORY" \
                  --arg sha "$MERGE_SHA" \
                  '.runs[] |
                  . as $run |
                  (
                    [ (($run.tool.driver.rules // [])[]         | {key: (.id // ""), value: ((.properties["security-severity"] // "0") | tostring)}),
                      ((($run.tool.extensions // [])[].rules // [])[] | {key: (.id // ""), value: ((.properties["security-severity"] // "0") | tostring)}) ]
                    | from_entries
                  ) as $secmap |
                  ($run.results // [])[] |
                  . as $result |
                  (($result.ruleId // $result.rule.id // "") | tostring) as $rid |
                  select((($secmap[$rid] // "0") | tonumber) >= 7.0) |
                  (.locations[0].physicalLocation.artifactLocation.uri // "?") as $uri |
                  ((.locations[0].physicalLocation.region.startLine // "?") | tostring) as $line |
                  (.message.text // "no description" | gsub("\n"; " ") | gsub("://"; "\u200b://") | gsub("www\\."; "www\u200b.") | gsub("#(?=[0-9])"; "#\u200b") | gsub("\\[(?<c>[^\\]]+)\\][(][0-9]+[)]"; .c) | gsub("\\["; "&#91;") | gsub("\\]"; "&#93;") | if length > 150 then .[0:150] + "\u2026" else . end) as $msg |
                  (if $uri != "?" and $line != "?" then "[\($uri):\($line)](https://github.com/\($repo)/blob/\($sha)/\($uri)#L\($line))" else "\($uri):\($line)" end) as $loc |
                  "| `\($rid)` | \($loc) | \($msg) |"'
              done
            } > codeql-findings.md
          fi
          # Generate medium findings detail file for informational display in the PR comment
          if [[ "$MEDIUM_COUNT" -gt 0 ]]; then
            MERGE_SHA=${MERGE_SHA:-$(git rev-parse HEAD)}
            {
              echo "| Rule | Location | Description |"
              echo "|------|----------|-------------|"
              for f in sarif-results/*.sarif sarif-results/*.sarif.gz; do
                [[ -f "$f" ]] || continue
                if [[ "$f" == *.gz ]]; then
                  FC=$(gunzip -c "$f")
                else
                  FC=$(cat "$f")
                fi
                echo "$FC" | jq -r \
                  --arg repo "$GITHUB_REPOSITORY" \
                  --arg sha "$MERGE_SHA" \
                  '.runs[] |
                  . as $run |
                  (
                    [ (($run.tool.driver.rules // [])[]         | {key: (.id // ""), value: ((.properties["security-severity"] // "0") | tostring)}),
                      ((($run.tool.extensions // [])[].rules // [])[] | {key: (.id // ""), value: ((.properties["security-severity"] // "0") | tostring)}) ]
                    | from_entries
                  ) as $secmap |
                  ($run.results // [])[] |
                  . as $result |
                  (($result.ruleId // $result.rule.id // "") | tostring) as $rid |
                  (($secmap[$rid] // "0") | tonumber) as $sev |
                  select($sev >= 6.0 and $sev < 7.0) |
                  (.locations[0].physicalLocation.artifactLocation.uri // "?") as $uri |
                  ((.locations[0].physicalLocation.region.startLine // "?") | tostring) as $line |
                  (.message.text // "no description" | gsub("\n"; " ") | gsub("://"; "\u200b://") | gsub("www\\."; "www\u200b.") | gsub("#(?=[0-9])"; "#\u200b") | gsub("\\[(?<c>[^\\]]+)\\][(][0-9]+[)]"; .c) | gsub("\\["; "&#91;") | gsub("\\]"; "&#93;") | if length > 150 then .[0:150] + "\u2026" else . end) as $msg |
                  (if $uri != "?" and $line != "?" then "[\($uri):\($line)](https://github.com/\($repo)/blob/\($sha)/\($uri)#L\($line))" else "\($uri):\($line)" end) as $loc |
                  "| `\($rid)` | \($loc) | \($msg) |"'
              done
            } > codeql-medium-findings.md
          fi
          # Generate low findings detail file for informational display in the PR comment (collapsed)
          if [[ "$LOW_COUNT" -gt 0 ]]; then
            MERGE_SHA=${MERGE_SHA:-$(git rev-parse HEAD)}
            {
              echo "| Rule | Location | Description |"
              echo "|------|----------|-------------|"
              for f in sarif-results/*.sarif sarif-results/*.sarif.gz; do
                [[ -f "$f" ]] || continue
                if [[ "$f" == *.gz ]]; then
                  FC=$(gunzip -c "$f")
                else
                  FC=$(cat "$f")
                fi
                echo "$FC" | jq -r \
                  --arg repo "$GITHUB_REPOSITORY" \
                  --arg sha "$MERGE_SHA" \
                  '.runs[] |
                  . as $run |
                  (
                    [ (($run.tool.driver.rules // [])[]         | {key: (.id // ""), value: ((.properties["security-severity"] // "0") | tostring)}),
                      ((($run.tool.extensions // [])[].rules // [])[] | {key: (.id // ""), value: ((.properties["security-severity"] // "0") | tostring)}) ]
                    | from_entries
                  ) as $secmap |
                  ($run.results // [])[] |
                  . as $result |
                  (($result.ruleId // $result.rule.id // "") | tostring) as $rid |
                  (($secmap[$rid] // "0") | tonumber) as $sev |
                  select($sev < 6.0) |
                  (.locations[0].physicalLocation.artifactLocation.uri // "?") as $uri |
                  ((.locations[0].physicalLocation.region.startLine // "?") | tostring) as $line |
                  (.message.text // "no description" | gsub("\n"; " ") | gsub("://"; "\u200b://") | gsub("www\\."; "www\u200b.") | gsub("#(?=[0-9])"; "#\u200b") | gsub("\\[(?<c>[^\\]]+)\\][(][0-9]+[)]"; .c) | gsub("\\["; "&#91;") | gsub("\\]"; "&#93;") | if length > 150 then .[0:150] + "\u2026" else . end) as $msg |
                  (if $uri != "?" and $line != "?" then "[\($uri):\($line)](https://github.com/\($repo)/blob/\($sha)/\($uri)#L\($line))" else "\($uri):\($line)" end) as $loc |
                  "| `\($rid)` | \($loc) | \($msg) |"'
              done
            } > codeql-low-findings.md
          fi
          if [[ "$RESULT_COUNT" -gt 0 || ( "${{ steps.detect-langs.outputs.found }}" == 'true' && "${{ steps.analyze.outcome }}" != "success" && "${{ steps.analyze.outcome }}" != "" ) ]]; then
            echo "codeql_status=failure" >> "$GITHUB_OUTPUT"
          elif [[ "${{ steps.detect-langs.outputs.found }}" == 'false' ]]; then
            echo "codeql_status=skipped" >> "$GITHUB_OUTPUT"
          else
            echo "codeql_status=success" >> "$GITHUB_OUTPUT"
          fi
          echo "codeql_unscanned_langs=${{ steps.detect-langs.outputs.unscanned_langs }}" >> "$GITHUB_OUTPUT"

      - name: Upload findings detail for PR comment
        if: always() && steps.status.outputs.codeql_status == 'failure'
        uses: actions/upload-artifact@v4
        with:
          name: codeql-findings
          path: codeql-findings.md
          if-no-files-found: ignore

      - name: Upload medium findings detail for PR comment
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: codeql-medium-findings
          path: codeql-medium-findings.md
          if-no-files-found: ignore

      - name: Upload low findings detail for PR comment
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: codeql-low-findings
          path: codeql-low-findings.md
          if-no-files-found: ignore

      - name: Fail job if CodeQL found high/error/critical issues
        if: always() && steps.status.outputs.codeql_status == 'failure'
        run: exit 1

  # --------------------------------------------------------------------------
  # Job 6: ClamAV antivirus scan (runs after validate-plugin)
  # --------------------------------------------------------------------------
  clamav-scan:
    needs: [detect-changes, validate-plugin, validate-title]
    if: needs.validate-plugin.result == 'success' && needs.detect-changes.outputs.skip_validation != 'true' && needs.validate-title.outputs.title_valid == 'true'
    runs-on: ubuntu-latest
    timeout-minutes: 10
    outputs:
      clamav_status: ${{ steps.status.outputs.clamav_status }}
      clamav_infected: ${{ steps.status.outputs.clamav_infected }}
    steps:
      - name: Checkout PR merge commit for scan
        uses: actions/checkout@v4
        with:
          ref: refs/pull/${{ github.event.pull_request.number }}/merge
          sparse-checkout: .gitignore
          sparse-checkout-cone-mode: false

      - name: Limit checkout to changed plugin folders only
        run: |
          echo '${{ needs.detect-changes.outputs.matrix }}' \
            | jq -r '.[] | "plugins/\(.)"' \
            | git sparse-checkout set --stdin
          git checkout

      - name: Get cache keys
        id: cache-keys
        run: |
          echo "week=$(date +%Y-W%V)" >> $GITHUB_OUTPUT
          echo "date=$(date +%Y%m%d)" >> $GITHUB_OUTPUT

      - name: Cache ClamAV installation (weekly)
        id: cache-clamav-install
        uses: actions/cache@v4
        with:
          path: /tmp/clamav-apt
          key: clamav-install-${{ runner.os }}-${{ steps.cache-keys.outputs.week }}
          restore-keys: clamav-install-${{ runner.os }}-

      - name: Cache ClamAV virus definitions (daily)
        id: cache-clamav-defs
        uses: actions/cache@v4
        with:
          path: /tmp/clamav-db
          key: clamav-defs-${{ runner.os }}-${{ steps.cache-keys.outputs.date }}
          restore-keys: clamav-defs-${{ runner.os }}-

      - name: Install ClamAV
        run: |
          sudo apt-get update -qq
          if [[ "${{ steps.cache-clamav-install.outputs.cache-hit }}" == 'true' ]]; then
            echo "Installing ClamAV from cached packages..."
            sudo cp /tmp/clamav-apt/*.deb /var/cache/apt/archives/ 2>/dev/null || true
          fi
          sudo apt-get install -y --no-install-recommends clamav
          if [[ "${{ steps.cache-clamav-install.outputs.cache-hit }}" != 'true' ]]; then
            echo "Saving ClamAV packages to cache..."
            mkdir -p /tmp/clamav-apt
            find /var/cache/apt/archives/ \( -name 'clamav*.deb' -o -name 'libclamav*.deb' \) \
              -exec cp {} /tmp/clamav-apt/ \; 2>/dev/null || true
          fi

      - name: Update virus definitions
        run: |
          sudo systemctl stop clamav-freshclam 2>/dev/null || true
          sudo mkdir -p /tmp/clamav-db
          sudo chown -R clamav:clamav /tmp/clamav-db
          if [[ "${{ steps.cache-clamav-defs.outputs.cache-hit }}" != 'true' ]]; then
            echo "Downloading fresh ClamAV definitions..."
            sudo freshclam --datadir=/tmp/clamav-db
          else
            echo "Using cached ClamAV definitions"
          fi

      - name: Scan changed plugin directories
        id: scan
        run: |
          PLUGIN_DIRS=$(echo '${{ needs.detect-changes.outputs.matrix }}' \
            | jq -r '.[] | "plugins/\(.)"' | tr '\n' ' ')
          echo "Scanning: $PLUGIN_DIRS"
          set +e
          # SC2086: PLUGIN_DIRS is intentionally word-split to produce multiple args
          # shellcheck disable=SC2086
          clamscan --database=/tmp/clamav-db \
            --recursive --infected --no-summary \
            $PLUGIN_DIRS > clamav-output.txt 2>&1
          echo "exit_code=$?" >> $GITHUB_OUTPUT
          set -e
          cat clamav-output.txt

      - name: Set ClamAV status outputs
        id: status
        if: always()
        env:
          SCAN_EXIT: ${{ steps.scan.outputs.exit_code }}
        run: |
          INFECTED=0
          if [[ -f "clamav-output.txt" ]]; then
            INFECTED=$(grep -c ' FOUND$' clamav-output.txt || true)
          fi
          echo "clamav_infected=$INFECTED" >> "$GITHUB_OUTPUT"

          if [[ "$INFECTED" -gt 0 ]]; then
            {
              echo "| File | Signature |"
              echo "|------|-----------|"
              grep ' FOUND$' clamav-output.txt | while IFS= read -r line; do
                FULL_PATH=$(echo "$line" | sed 's/: .* FOUND$//')
                FILE=$(echo "$FULL_PATH" | sed "s|^${GITHUB_WORKSPACE}/||")
                SIG=$(echo "$line" | sed 's/^[^:]*: //; s/ FOUND$//')
                HASH=$(sha256sum "$FULL_PATH" 2>/dev/null | cut -d' ' -f1 || true)
                if [[ -n "$HASH" ]]; then
                  echo "| \`$FILE\` | [\`$SIG\`](https://www.virustotal.com/gui/file/${HASH}) |"
                else
                  echo "| \`$FILE\` | \`$SIG\` |"
                fi
              done
            } > clamav-findings.md
            echo "clamav_status=failure" >> "$GITHUB_OUTPUT"
          elif [[ "${SCAN_EXIT:-0}" -ge 2 ]]; then
            echo "clamav_status=failure" >> "$GITHUB_OUTPUT"
          else
            echo "clamav_status=success" >> "$GITHUB_OUTPUT"
          fi

      - name: Upload ClamAV findings for PR comment
        if: always() && steps.status.outputs.clamav_status == 'failure'
        uses: actions/upload-artifact@v4
        with:
          name: clamav-findings
          path: clamav-findings.md
          if-no-files-found: ignore

      - name: Load app ID from config
        if: always() && steps.status.outputs.clamav_status == 'failure'
        id: config
        env:
          GH_APP_ID: ${{ vars.GH_APP_ID }}
          GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
        run: |
          if [[ -n "${GH_APP_ID:-}" && -n "${GH_APP_PRIVATE_KEY:-}" ]]; then
            echo "app_id=${GH_APP_ID}" >> "$GITHUB_OUTPUT"
            echo "use_app=true" >> "$GITHUB_OUTPUT"
          else
            echo "use_app=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Generate GitHub App token
        if: always() && steps.status.outputs.clamav_status == 'failure' && steps.config.outputs.use_app == 'true'
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ steps.config.outputs.app_id }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

      - name: Apply quarantine label
        if: always() && steps.status.outputs.clamav_status == 'failure'
        env:
          GH_TOKEN: ${{ steps.config.outputs.use_app == 'true' && steps.app-token.outputs.token || github.token }}
        run: |
          gh label create "QUARANTINE" \
            --color "FFFF00" \
            --description "ClamAV detected a potential threat in this PR" \
            --repo "$GITHUB_REPOSITORY" 2>/dev/null || true
          gh pr edit "${{ github.event.pull_request.number }}" \
            --add-label "QUARANTINE" \
            --repo "$GITHUB_REPOSITORY"

      - name: Fail job if ClamAV detected threats
        if: always() && steps.status.outputs.clamav_status == 'failure'
        run: exit 1

  # --------------------------------------------------------------------------
  # Job 7: Validate each plugin in parallel via matrix
  # --------------------------------------------------------------------------
  validate-plugin:
    needs: [detect-changes]
    if: needs.detect-changes.outputs.close_pr == 'false' && needs.detect-changes.outputs.skip_validation != 'true'
    runs-on: ubuntu-latest
    timeout-minutes: 10
    strategy:
      fail-fast: false
      matrix:
        plugin: ${{ fromJson(needs.detect-changes.outputs.matrix) }}
    steps:
      - name: Checkout base branch scripts (trusted)
        uses: actions/checkout@v4
        with:
          repository: ${{ github.repository }}
          ref: ${{ github.event.pull_request.base.ref }}
          fetch-depth: 0
          sparse-checkout: .github/scripts
          sparse-checkout-cone-mode: false

      - name: Fetch base branch
        run: git fetch origin ${{ github.event.pull_request.base.ref }}

      - name: Save trusted scripts before fork checkout
        run: cp -r .github/scripts /tmp/trusted-scripts

      - name: Checkout PR plugins (untrusted content only)
        uses: actions/checkout@v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
          sparse-checkout: plugins
          sparse-checkout-cone-mode: false
          clean: false

      - name: Restore trusted scripts
        run: mkdir -p .github && cp -r /tmp/trusted-scripts .github/scripts

      - name: Re-fetch base branch refs
        run: git fetch https://github.com/${{ github.repository }} +${{ github.event.pull_request.base.ref }}:refs/remotes/origin/${{ github.event.pull_request.base.ref }}

      - name: Load app ID from config
        id: config
        env:
          GH_APP_ID: ${{ vars.GH_APP_ID }}
          GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
        run: |
          if [[ -n "${GH_APP_ID:-}" && -n "${GH_APP_PRIVATE_KEY:-}" ]]; then
            echo "app_id=${GH_APP_ID}" >> "$GITHUB_OUTPUT"
            echo "use_app=true" >> "$GITHUB_OUTPUT"
          else
            echo "use_app=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Generate GitHub App token
        if: steps.config.outputs.use_app == 'true'
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ steps.config.outputs.app_id }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

      - name: Log fallback to actions token
        if: steps.config.outputs.use_app != 'true'
        run: |
          printf '## ⚠️ GitHub App token not available\n\nGH_APP_ID or GH_APP_PRIVATE_KEY not configured. Falling back to `GITHUB_TOKEN` (github-actions[bot] identity).\n' >> "$GITHUB_STEP_SUMMARY"

      - name: Validate ${{ matrix.plugin }}
        id: validate
        env:
          GH_TOKEN: ${{ steps.config.outputs.use_app == 'true' && steps.app-token.outputs.token || github.token }}
          GITHUB_REPOSITORY: ${{ github.repository }}
        run: |
          chmod +x .github/scripts/validate/*.sh
          set +e
          .github/scripts/validate/validate.sh \
            "${{ matrix.plugin }}" \
            "${{ github.event.pull_request.user.login }}" \
            "${{ github.event.pull_request.base.ref }}" \
            "${{ matrix.plugin }}.fragment.md"
          echo "exit_code=$?" >> $GITHUB_OUTPUT
        continue-on-error: true

      - name: Upload report fragment
        uses: actions/upload-artifact@v4
        with:
          name: fragment-${{ matrix.plugin }}
          path: ${{ matrix.plugin }}.fragment.md
          if-no-files-found: warn

      - name: Fail step if validation failed
        if: steps.validate.outputs.exit_code != '0'
        run: exit 1

  # --------------------------------------------------------------------------
  # Job 8: Aggregate all fragments, post PR comment, set final status
  # --------------------------------------------------------------------------
  report:
    needs: [detect-changes, validate-plugin, codeql-analyze, clamav-scan, validate-title]
    if: always() && needs.detect-changes.result == 'success' && needs.detect-changes.outputs.close_pr == 'false' && (needs.detect-changes.outputs.skip_validation != 'true' || needs.detect-changes.outputs.pub_key_changed == 'true' || needs.validate-title.outputs.title_valid == 'false')
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout scripts
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.base.ref }}
          fetch-depth: 1
          sparse-checkout: .github/scripts
          sparse-checkout-cone-mode: false

      - name: Load app ID from config
        id: config
        env:
          GH_APP_ID: ${{ vars.GH_APP_ID }}
          GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
        run: |
          if [[ -n "${GH_APP_ID:-}" && -n "${GH_APP_PRIVATE_KEY:-}" ]]; then
            echo "app_id=${GH_APP_ID}" >> "$GITHUB_OUTPUT"
            echo "use_app=true" >> "$GITHUB_OUTPUT"
          else
            echo "use_app=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Generate GitHub App token
        if: steps.config.outputs.use_app == 'true'
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ steps.config.outputs.app_id }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

      - name: Log fallback to actions token
        if: steps.config.outputs.use_app != 'true'
        run: |
          printf '## ⚠️ GitHub App token not available\n\nGH_APP_ID or GH_APP_PRIVATE_KEY not configured. Falling back to `GITHUB_TOKEN` (github-actions[bot] identity).\n' >> "$GITHUB_STEP_SUMMARY"

      - name: Download all report fragments
        uses: actions/download-artifact@v4
        with:
          pattern: fragment-*
          path: fragments
          merge-multiple: true
        continue-on-error: true

      - name: Download CodeQL findings detail
        uses: actions/download-artifact@v4
        with:
          name: codeql-findings
          path: codeql-findings
        continue-on-error: true

      - name: Download CodeQL medium findings detail
        uses: actions/download-artifact@v4
        with:
          name: codeql-medium-findings
          path: codeql-medium-findings
        continue-on-error: true

      - name: Download CodeQL low findings detail
        uses: actions/download-artifact@v4
        with:
          name: codeql-low-findings
          path: codeql-low-findings
        continue-on-error: true

      - name: Download ClamAV findings detail
        uses: actions/download-artifact@v4
        with:
          name: clamav-findings
          path: clamav-findings
        continue-on-error: true

      - name: Aggregate and post comment
        id: report
        env:
          GH_TOKEN: ${{ steps.config.outputs.use_app == 'true' && steps.app-token.outputs.token || github.token }}
          GITHUB_REPOSITORY: ${{ github.repository }}
          DISCORD_URL: ${{ vars.DISCORD_URL }}
          CODEQL_RESULT: ${{ needs.codeql-analyze.outputs.codeql_status }}
          CODEQL_ERRORS: ${{ needs.codeql-analyze.outputs.codeql_errors }}
          CODEQL_WARNINGS: ${{ needs.codeql-analyze.outputs.codeql_warnings }}
          CODEQL_MEDIUMS: ${{ needs.codeql-analyze.outputs.codeql_mediums }}
          CODEQL_LOWS: ${{ needs.codeql-analyze.outputs.codeql_lows }}
          CODEQL_UNSCANNED_LANGS: ${{ needs.codeql-analyze.outputs.codeql_unscanned_langs }}
          CLAMAV_RESULT: ${{ needs.clamav-scan.outputs.clamav_status }}
          CLAMAV_INFECTED: ${{ needs.clamav-scan.outputs.clamav_infected }}
          OUTSIDE_FILES: ${{ needs.detect-changes.outputs.outside_files }}
          OUTSIDE_VIOLATION: ${{ needs.detect-changes.outputs.outside_violation }}
          PUB_KEY_CHANGED: ${{ needs.detect-changes.outputs.pub_key_changed }}
          TITLE_VALID: ${{ needs.validate-title.outputs.title_valid }}
          TITLE_FEEDBACK: ${{ needs.validate-title.outputs.title_feedback }}
          TITLE_SUGGESTION: ${{ needs.validate-title.outputs.title_suggestion }}
          BASE_REF: ${{ github.event.pull_request.base.ref }}
        run: |
          chmod +x .github/scripts/validate/*.sh
          set +e
          .github/scripts/validate/report.sh \
            "${{ github.event.pull_request.number }}" \
            "${{ github.event.pull_request.user.login }}" \
            "${{ needs.detect-changes.outputs.plugin_count }}" \
            "false" \
            "fragments"
          echo "exit_code=$?" >> $GITHUB_OUTPUT

      - name: Fail workflow if any plugin failed
        if: steps.report.outputs.exit_code != '0'
        run: |
          echo "::error::Plugin validation failed. See PR comment for details."
          exit 1

  # --------------------------------------------------------------------------
  # Job 9: Auto-close unauthorized PRs
  # --------------------------------------------------------------------------
  close-unauthorized:
    needs: detect-changes
    if: always() && needs.detect-changes.result == 'success' && needs.detect-changes.outputs.close_pr == 'true'
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout scripts
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.base.ref }}
          fetch-depth: 1
          sparse-checkout: .github/scripts
          sparse-checkout-cone-mode: false

      - name: Load app ID from config
        id: config
        env:
          GH_APP_ID: ${{ vars.GH_APP_ID }}
          GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
        run: |
          if [[ -n "${GH_APP_ID:-}" && -n "${GH_APP_PRIVATE_KEY:-}" ]]; then
            echo "app_id=${GH_APP_ID}" >> "$GITHUB_OUTPUT"
            echo "use_app=true" >> "$GITHUB_OUTPUT"
          else
            echo "use_app=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Generate GitHub App token
        if: steps.config.outputs.use_app == 'true'
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ steps.config.outputs.app_id }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

      - name: Log fallback to actions token
        if: steps.config.outputs.use_app != 'true'
        run: |
          printf '## ⚠️ GitHub App token not available\n\nGH_APP_ID or GH_APP_PRIVATE_KEY not configured. Falling back to `GITHUB_TOKEN` (github-actions[bot] identity).\n' >> "$GITHUB_STEP_SUMMARY"

      - name: Post close comment and close PR
        env:
          GH_TOKEN: ${{ steps.config.outputs.use_app == 'true' && steps.app-token.outputs.token || github.token }}
          GITHUB_REPOSITORY: ${{ github.repository }}
          DISCORD_URL: ${{ vars.DISCORD_URL }}
          CLOSE_REASON: ${{ needs.detect-changes.outputs.close_reason }}
        run: |
          chmod +x .github/scripts/validate/*.sh
          .github/scripts/validate/report.sh \
            "${{ github.event.pull_request.number }}" \
            "${{ github.event.pull_request.user.login }}" \
            "${{ needs.detect-changes.outputs.plugin_count }}" \
            "true" \
            "/dev/null"

  # --------------------------------------------------------------------------
  # Job 10: Gate - single fixed status check for branch protection rules
  #   Reference this job by name "Plugin PR Check" in your branch protection.
  #   Passes only when all jobs succeed. Fails for any error, including
  #   unauthorized PRs.
  # --------------------------------------------------------------------------
  plugin-pr-check:
    name: Plugin PR Check
    needs: [detect-changes, codeql-analyze, clamav-scan, validate-plugin, validate-title, report]
    if: always()
    runs-on: ubuntu-latest
    timeout-minutes: 2
    steps:
      - name: Check for quarantine label
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          LABELS=$(gh pr view "${{ github.event.pull_request.number }}" \
            --repo "${{ github.repository }}" \
            --json labels --jq '[.labels[].name] | join(",")' 2>/dev/null || true)
          if echo "$LABELS" | grep -qF "QUARANTINE"; then
            echo "::error::This PR has a QUARANTINE label applied. A maintainer must review and remove the label before merging is allowed."
            exit 1
          fi

      - name: Evaluate validation result
        env:
          DETECT_RESULT: ${{ needs.detect-changes.result }}
          CLOSE_PR: ${{ needs.detect-changes.outputs.close_pr }}
          SKIP_VALIDATION: ${{ needs.detect-changes.outputs.skip_validation }}
          OUTSIDE_VIOLATION: ${{ needs.detect-changes.outputs.outside_violation }}
          TITLE_RESULT: ${{ needs.validate-title.result }}
          CODEQL_RESULT: ${{ needs.codeql-analyze.result }}
          CODEQL_STATUS: ${{ needs.codeql-analyze.outputs.codeql_status }}
          CLAMAV_RESULT: ${{ needs.clamav-scan.result }}
          CLAMAV_STATUS: ${{ needs.clamav-scan.outputs.clamav_status }}
          VALIDATE_RESULT: ${{ needs.validate-plugin.result }}
          REPORT_RESULT: ${{ needs.report.result }}
        run: |
          if [[ "$DETECT_RESULT" != "success" ]]; then
            echo "::error::Plugin detection failed or no plugin changes found."
            exit 1
          fi
          if [[ "$SKIP_VALIDATION" == "true" ]]; then
            echo "No plugin changes detected and author has write access - passing."
            exit 0
          fi
          if [[ "$TITLE_RESULT" == "failure" ]]; then
            echo "::error::PR title does not match the required format. Rename the PR and re-run."
            exit 1
          fi
          if [[ "$OUTSIDE_VIOLATION" == "true" ]]; then
            echo "::error::PR contains unauthorized changes outside the plugins/ directory."
            exit 1
          fi
          if [[ "$CLOSE_PR" == "true" ]]; then
            echo "::error::PR is unauthorized - no permission to modify these plugins."
            exit 1
          fi
          if [[ "$CODEQL_RESULT" == "failure" || "$CODEQL_STATUS" == "failure" ]]; then
            echo "::error::CodeQL security analysis failed. See the Security tab for details."
            exit 1
          fi
          if [[ "$CLAMAV_RESULT" == "failure" || "$CLAMAV_STATUS" == "failure" ]]; then
            echo "::error::ClamAV antivirus scan detected threats. See PR comment for details."
            exit 1
          fi
          if [[ "$VALIDATE_RESULT" == "failure" || "$VALIDATE_RESULT" == "cancelled" ]]; then
            echo "::error::One or more plugin validations failed. See PR comment for details."
            exit 1
          fi
          if [[ "$REPORT_RESULT" != "success" ]]; then
            echo "::error::Plugin validation failed. See PR comment for details."
            exit 1
          fi
          echo "All plugins validated successfully."