Skip to content

[pull] next from storybookjs:next #83

[pull] next from storybookjs:next

[pull] next from storybookjs:next #83

Workflow file for this run

###################################################################################################
# #
# ██ #
# ██░░██ #
# ░░ ░░ ██░░░░░░██ ░░░░ #
# ██░░░░░░░░░░██ #
# ██░░░░░░░░░░██ #
# ██░░░░░░░░░░░░░░██ #
# ██░░░░░░██████░░░░░░██ #
# ██░░░░░░██████░░░░░░██ #
# ██░░░░░░░░██████░░░░░░░░██ #
# ██░░░░░░░░██████░░░░░░░░██ #
# ██░░░░░░░░░░██████░░░░░░░░░░██ #
# ██░░░░░░░░░░░░██████░░░░░░░░░░░░██ #
# ██░░░░░░░░░░░░██████░░░░░░░░░░░░██ #
# ██░░░░░░░░░░░░░░██████░░░░░░░░░░░░░░██ #
# ██░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░██ #
# ██░░░░░░░░░░░░░░░░██████░░░░░░░░░░░░░░░░██ #
# ██░░░░░░░░░░░░░░░░██████░░░░░░░░░░░░░░░░██ #
# ██░░░░░░░░░░░░░░░░░░██████░░░░░░░░░░░░░░░░░░██ #
# ░░ ██░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░██ #
# ██████████████████████████████████████████ #
# #
# #
# SECURITY WARNING: Ensure your `pull_request_target` job respects the following rules: #
# #
# - Never write to GitHub Actions cache, as it would allow cache poisoning attacks #
# - Only call third-party systems that are aware the code passed to them could be untrustworthy #
# - Always set explicit permissions on your PR to limit the capabilities of secrets.GITHUB_TOKEN #
# #
###################################################################################################
name: agent-scan
# Start with empty permissions on `pull_request_target`, then set permissions per job as needed.
permissions: {}
on:
# Use `pull_request_target` so we can run this workflow on PRs from forks, as its goal is to assess
# if PR authors are trustworthy. Only reasons on the PR author and does not check out the fork code.
# zizmor: ignore[dangerous-triggers] # required for fork PRs; no fork code is checked out
pull_request_target:
types:
- opened
- reopened
branches:
- next
- main
concurrency:
group: agent-scan-${{ github.event.pull_request.number }}
cancel-in-progress: true
jobs:
agentscan:
if: |
github.repository_owner == 'storybookjs' &&
github.event.pull_request.head.repo.full_name != github.repository &&
!contains(
fromJSON('["dependabot[bot]", "github-actions[bot]","storybook-bot"]'),
github.event.pull_request.user.login
)
runs-on: ubuntu-latest
permissions:
pull-requests: write
contents: read
steps:
- name: Checkout code from `next`/`main` branch (trusted code, not PR author code)
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.event.pull_request.base.sha }}
persist-credentials: false
- name: Install script dependencies
run: npm install --prefix .github/scripts
- name: Check author org membership
id: membership
env:
INPUT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
INPUT_ORG: ${{ github.repository_owner }}
INPUT_USERNAME: ${{ github.event.pull_request.user.login }}
run: node .github/scripts/agent-scan-check-org-membership.mjs
- name: Cache AgentScan analysis
if: steps.membership.outputs.should-scan == 'true'
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: .agentscan-cache
# Safe because the cache is prefixed and only used here, and does not include
# user-controlled content (can't spoof another actor's identity).
key: agentscan-cache-${{ github.actor }}
- name: AgentScan
if: steps.membership.outputs.should-scan == 'true'
id: agentscan
uses: MatteoGabriele/agentscan-action@f41545309db947a68e22ed2643f182e754f4d41a # v1.8.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
agent-scan-comment: false
cache-path: .agentscan-cache
label-community-flagged: 'agent-scan:community-flagged'
label-mixed: 'agent-scan:mixed'
label-automation: 'agent-scan:automated'
- name: Label PR with classification
if: steps.membership.outputs.should-scan == 'true' && steps.agentscan.outputs.classification
env:
INPUT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
INPUT_CLASSIFICATION: ${{ steps.agentscan.outputs.classification }}
run: node .github/scripts/agent-scan-label-pr.mjs