Merge pull request #35392 from storybookjs/kasper/ai-cli-configdir-in… #5530
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ################################################################################################### | |
| # # | |
| # ██ # | |
| # ██░░██ # | |
| # ░░ ░░ ██░░░░░░██ ░░░░ # | |
| # ██░░░░░░░░░░██ # | |
| # ██░░░░░░░░░░██ # | |
| # ██░░░░░░░░░░░░░░██ # | |
| # ██░░░░░░██████░░░░░░██ # | |
| # ██░░░░░░██████░░░░░░██ # | |
| # ██░░░░░░░░██████░░░░░░░░██ # | |
| # ██░░░░░░░░██████░░░░░░░░██ # | |
| # ██░░░░░░░░░░██████░░░░░░░░░░██ # | |
| # ██░░░░░░░░░░░░██████░░░░░░░░░░░░██ # | |
| # ██░░░░░░░░░░░░██████░░░░░░░░░░░░██ # | |
| # ██░░░░░░░░░░░░░░██████░░░░░░░░░░░░░░██ # | |
| # ██░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░██ # | |
| # ██░░░░░░░░░░░░░░░░██████░░░░░░░░░░░░░░░░██ # | |
| # ██░░░░░░░░░░░░░░░░██████░░░░░░░░░░░░░░░░██ # | |
| # ██░░░░░░░░░░░░░░░░░░██████░░░░░░░░░░░░░░░░░░██ # | |
| # ░░ ██░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░██ # | |
| # ██████████████████████████████████████████ # | |
| # # | |
| # # | |
| # SECURITY WARNING: Ensure your `pull_request_target` job respects the following rules: # | |
| # # | |
| # - Never write to GitHub Actions cache, as it would allow cache poisoning attacks # | |
| # - Only call third-party systems that are aware the code passed to them could be untrustworthy # | |
| # - Always set explicit permissions on your PR to limit the capabilities of secrets.GITHUB_TOKEN # | |
| # # | |
| ################################################################################################### | |
| name: Trigger CircleCI workflow | |
| # Start with empty permissions on `pull_request_target`, then set permissions per job as needed. | |
| permissions: {} | |
| on: | |
| # zizmor: ignore[dangerous-triggers] # required for fork PRs; no fork code is checked out — only the Circle CI API is called | |
| pull_request_target: | |
| types: [opened, synchronize, labeled, reopened] | |
| push: | |
| branches: | |
| - next | |
| - main | |
| # For PR events, group per-PR (github.ref is refs/pull/<n>/merge) so redundant | |
| # re-triggers on the same PR cancel each other. For pushes to a shared branch | |
| # (next/main), key on the commit SHA instead: otherwise two merges landing close | |
| # together share the refs/heads/<branch> group and the earlier merge's trigger is | |
| # cancelled before it can POST to CircleCI, silently skipping its `merged` workflow. | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event_name == 'push' && github.sha || github.event.pull_request.number }} | |
| cancel-in-progress: true | |
| jobs: | |
| get-branch: | |
| if: github.repository_owner == 'storybookjs' | |
| runs-on: ubuntu-latest | |
| permissions: {} | |
| steps: | |
| - id: get-branch | |
| env: | |
| REF_NAME: ${{ github.ref_name }} | |
| PR_REF_NAME: ${{ github.event.pull_request.head.ref }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| IS_FORK: ${{ github.event.pull_request.head.repo.fork }} | |
| EVENT_NAME: ${{ github.event_name }} | |
| run: | | |
| if [ "$IS_FORK" = "true" ]; then | |
| BRANCH="pull/${PR_NUMBER}/head" | |
| elif [ "$EVENT_NAME" = "push" ]; then | |
| BRANCH="$REF_NAME" | |
| else | |
| BRANCH="$PR_REF_NAME" | |
| fi | |
| echo "$BRANCH" | |
| echo "branch=$BRANCH" >> "$GITHUB_OUTPUT" | |
| outputs: | |
| branch: ${{ steps.get-branch.outputs.branch }} | |
| get-parameters: | |
| if: github.repository_owner == 'storybookjs' | |
| runs-on: ubuntu-latest | |
| permissions: {} | |
| steps: | |
| - id: normal | |
| if: github.event_name == 'pull_request_target' && (contains(github.event.pull_request.labels.*.name, 'ci:normal')) | |
| run: echo "workflow=normal" >> "$GITHUB_OUTPUT" | |
| - id: docs | |
| if: github.event_name == 'pull_request_target' && (contains(github.event.pull_request.labels.*.name, 'ci:docs')) | |
| run: echo "workflow=docs" >> "$GITHUB_OUTPUT" | |
| - id: merged | |
| if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'ci:merged') | |
| run: echo "workflow=merged" >> "$GITHUB_OUTPUT" | |
| - id: daily | |
| if: github.event_name == 'pull_request_target' && (contains(github.event.pull_request.labels.*.name, 'ci:daily')) | |
| run: echo "workflow=daily" >> "$GITHUB_OUTPUT" | |
| - id: trusted-author | |
| env: | |
| EVENT_NAME: ${{ github.event_name }} | |
| USER_TYPE: ${{ github.event.pull_request.user.type }} | |
| USER_LOGIN: ${{ github.event.pull_request.user.login }} | |
| GITHUB_API_TOKEN: ${{ secrets.STORYBOOKJS_ORG_MEMBERSHIP_TOKEN }} | |
| run: | | |
| # You can only push to `main` and `next` as a core team member, so the content is trustworthy. | |
| if [ "$EVENT_NAME" = "push" ]; then | |
| echo "result=true" >> "$GITHUB_OUTPUT" | |
| # These commits are made by the release actions, which are gated to core team members. | |
| elif [ "$USER_LOGIN" = "github-actions[bot]" ] && [ "$USER_TYPE" = "Bot" ]; then | |
| echo "result=true" >> "$GITHUB_OUTPUT" | |
| else | |
| # Explicitly trust only members of specific Storybook teams. | |
| # Team slugs for: Maintainers, Core, Developer Experience. | |
| TRUSTED_TEAMS="maintainers core developer-experience" | |
| IS_TRUSTED=false | |
| for TEAM in $TRUSTED_TEAMS; do | |
| STATE=$(curl -fsSL \ | |
| -H "Authorization: Bearer $GITHUB_API_TOKEN" \ | |
| -H "Accept: application/vnd.github+json" \ | |
| -H "X-GitHub-Api-Version: 2022-11-28" \ | |
| "https://api.github.com/orgs/storybookjs/teams/$TEAM/memberships/$USER_LOGIN" \ | |
| | jq -r '.state' 2>/dev/null || true) | |
| if [ "$STATE" = "active" ]; then | |
| IS_TRUSTED=true | |
| break | |
| fi | |
| done | |
| echo "result=$IS_TRUSTED" >> "$GITHUB_OUTPUT" | |
| fi | |
| outputs: | |
| workflow: ${{ steps.normal.outputs.workflow || steps.docs.outputs.workflow || steps.merged.outputs.workflow || steps.daily.outputs.workflow }} | |
| ghBaseBranch: ${{ github.event.pull_request.base.ref }} | |
| ghPrNumber: ${{ github.event.pull_request.number }} | |
| ghTrustedAuthor: ${{ steps.trusted-author.outputs.result }} | |
| trigger-circle-ci-workflow: | |
| runs-on: ubuntu-latest | |
| needs: [get-branch, get-parameters] | |
| if: github.repository_owner == 'storybookjs' && needs.get-parameters.outputs.workflow != '' | |
| permissions: {} | |
| steps: | |
| - name: Trigger CircleCI pipeline | |
| env: | |
| CIRCLE_CI_TOKEN: ${{ secrets.CIRCLE_CI_TOKEN }} | |
| BRANCH: ${{ needs.get-branch.outputs.branch }} | |
| WORKFLOW: ${{ needs.get-parameters.outputs.workflow }} | |
| GH_BASE_BRANCH: ${{ needs.get-parameters.outputs.ghBaseBranch }} | |
| GH_PR_NUMBER: ${{ needs.get-parameters.outputs.ghPrNumber }} | |
| GH_TRUSTED_AUTHOR: ${{ needs.get-parameters.outputs.ghTrustedAuthor }} | |
| run: | | |
| PARAMETERS=$(jq -nc \ | |
| --arg workflow "$WORKFLOW" \ | |
| --arg ghBaseBranch "$GH_BASE_BRANCH" \ | |
| --arg ghPrNumber "$GH_PR_NUMBER" \ | |
| --arg ghTrustedAuthor "$GH_TRUSTED_AUTHOR" \ | |
| '{workflow: $workflow, ghBaseBranch: $ghBaseBranch, ghPrNumber: $ghPrNumber, ghTrustedAuthor: $ghTrustedAuthor}') | |
| PAYLOAD=$(jq -nc --arg branch "$BRANCH" --argjson parameters "$PARAMETERS" \ | |
| '{branch: $branch, parameters: $parameters}') | |
| curl -sS --fail-with-body -X POST \ | |
| -H "Content-Type: application/json" \ | |
| -H "Circle-Token: $CIRCLE_CI_TOKEN" \ | |
| -d "$PAYLOAD" \ | |
| "https://circleci.com/api/v2/project/gh/storybookjs/storybook/pipeline" |