[pull] next from storybookjs:next #83
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ################################################################################################### | |
| # # | |
| # ██ # | |
| # ██░░██ # | |
| # ░░ ░░ ██░░░░░░██ ░░░░ # | |
| # ██░░░░░░░░░░██ # | |
| # ██░░░░░░░░░░██ # | |
| # ██░░░░░░░░░░░░░░██ # | |
| # ██░░░░░░██████░░░░░░██ # | |
| # ██░░░░░░██████░░░░░░██ # | |
| # ██░░░░░░░░██████░░░░░░░░██ # | |
| # ██░░░░░░░░██████░░░░░░░░██ # | |
| # ██░░░░░░░░░░██████░░░░░░░░░░██ # | |
| # ██░░░░░░░░░░░░██████░░░░░░░░░░░░██ # | |
| # ██░░░░░░░░░░░░██████░░░░░░░░░░░░██ # | |
| # ██░░░░░░░░░░░░░░██████░░░░░░░░░░░░░░██ # | |
| # ██░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░██ # | |
| # ██░░░░░░░░░░░░░░░░██████░░░░░░░░░░░░░░░░██ # | |
| # ██░░░░░░░░░░░░░░░░██████░░░░░░░░░░░░░░░░██ # | |
| # ██░░░░░░░░░░░░░░░░░░██████░░░░░░░░░░░░░░░░░░██ # | |
| # ░░ ██░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░██ # | |
| # ██████████████████████████████████████████ # | |
| # # | |
| # # | |
| # SECURITY WARNING: Ensure your `pull_request_target` job respects the following rules: # | |
| # # | |
| # - Never write to GitHub Actions cache, as it would allow cache poisoning attacks # | |
| # - Only call third-party systems that are aware the code passed to them could be untrustworthy # | |
| # - Always set explicit permissions on your PR to limit the capabilities of secrets.GITHUB_TOKEN # | |
| # # | |
| ################################################################################################### | |
| name: agent-scan | |
| # Start with empty permissions on `pull_request_target`, then set permissions per job as needed. | |
| permissions: {} | |
| on: | |
| # Use `pull_request_target` so we can run this workflow on PRs from forks, as its goal is to assess | |
| # if PR authors are trustworthy. Only reasons on the PR author and does not check out the fork code. | |
| # zizmor: ignore[dangerous-triggers] # required for fork PRs; no fork code is checked out | |
| pull_request_target: | |
| types: | |
| - opened | |
| - reopened | |
| branches: | |
| - next | |
| - main | |
| concurrency: | |
| group: agent-scan-${{ github.event.pull_request.number }} | |
| cancel-in-progress: true | |
| jobs: | |
| agentscan: | |
| if: | | |
| github.repository_owner == 'storybookjs' && | |
| github.event.pull_request.head.repo.full_name != github.repository && | |
| !contains( | |
| fromJSON('["dependabot[bot]", "github-actions[bot]","storybook-bot"]'), | |
| github.event.pull_request.user.login | |
| ) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| pull-requests: write | |
| contents: read | |
| steps: | |
| - name: Checkout code from `next`/`main` branch (trusted code, not PR author code) | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| ref: ${{ github.event.pull_request.base.sha }} | |
| persist-credentials: false | |
| - name: Install script dependencies | |
| run: npm install --prefix .github/scripts | |
| - name: Check author org membership | |
| id: membership | |
| env: | |
| INPUT_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| INPUT_ORG: ${{ github.repository_owner }} | |
| INPUT_USERNAME: ${{ github.event.pull_request.user.login }} | |
| run: node .github/scripts/agent-scan-check-org-membership.mjs | |
| - name: Cache AgentScan analysis | |
| if: steps.membership.outputs.should-scan == 'true' | |
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 | |
| with: | |
| path: .agentscan-cache | |
| # Safe because the cache is prefixed and only used here, and does not include | |
| # user-controlled content (can't spoof another actor's identity). | |
| key: agentscan-cache-${{ github.actor }} | |
| - name: AgentScan | |
| if: steps.membership.outputs.should-scan == 'true' | |
| id: agentscan | |
| uses: MatteoGabriele/agentscan-action@f41545309db947a68e22ed2643f182e754f4d41a # v1.8.0 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| agent-scan-comment: false | |
| cache-path: .agentscan-cache | |
| label-community-flagged: 'agent-scan:community-flagged' | |
| label-mixed: 'agent-scan:mixed' | |
| label-automation: 'agent-scan:automated' | |
| - name: Label PR with classification | |
| if: steps.membership.outputs.should-scan == 'true' && steps.agentscan.outputs.classification | |
| env: | |
| INPUT_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| INPUT_CLASSIFICATION: ${{ steps.agentscan.outputs.classification }} | |
| run: node .github/scripts/agent-scan-label-pr.mjs |