CI: Provide basic CI jobs for forked repositories, and disable our own jobs

[Sidnioulz]

TO DO

• Fix up "no changes pending" caused by unstable prettier fixes

What I did

• Ran Prettier on code/ to ensure the prettier job provided to fork repo owners provides actual feedback on their code changes
• Reworked GitHub Actions to ensure that most jobs don't trigger on forked repositories
• Added jobs to ensure unit tests on linux+windows, prettier, and tsc all run on forked repositories without a CircleCI account

This should help ensure that forked repositories have a coherent CI status, that actually reflects code quality issues rather than CI setup shenanigans. If forked repos have code quality reporting, there's a wee chance this increases the quality of received PRs.

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

ø

Manual testing

• See CI status on individual commits on my forked repo
• See actions checks on PRs

Documentation

• Removed mention of disabling CI for forks in CONTRIBUTION.md

Checklist for Maintainers

• When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli-storybook/src/sandbox-templates.ts

• Make sure this PR contains one of the labels below:

  Available labels

  • bug: Internal changes that fixes incorrect behavior.
  • maintenance: User-facing maintenance tasks.
  • dependencies: Upgrading (sometimes downgrading) dependencies.
  • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
  • cleanup: Minor cleanup style change. Will not show up in release changelog.
  • documentation: Documentation only changes. Will not show up in release changelog.
  • feature request: Introducing a new feature.
  • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
  • other: Changes that don't fit in the above categories.

🦋 Canary release

This PR does not have a canary release associated. You can request a canary release of this pull request by mentioning the @storybookjs/core team here.

core team members can create a canary release here or locally with gh workflow run --repo storybookjs/storybook canary-release-pr.yml --field pr=<PR_NUMBER>

Summary by CodeRabbit

• Chores
  • CI workflows now run only for the main organization; added a fork-specific workflow to run type checks, formatting, and unit tests on pushes.
  • Minor linting-related adjustments and updated Prettier ignore to preserve import ordering.
• Documentation
  • CONTRIBUTING updated with clearer fork/upstream setup and improved onboarding guidance.
• Bug Fixes
  • Fixed invalid JSON in SvelteKit configuration.
• Style
  • Minor formatting tweaks in schemas and YAML; no behavioral changes.

[nx-cloud]

View your CI Pipeline Execution ↗ for commit bfb21d2

Command	Status	Duration	Result
nx run-many -t build --parallel=3	✅ Succeeded	48s	View ↗

---

☁️ Nx Cloud last updated this comment at 2025-10-06 18:24:10 UTC

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds repository-owner gating (github.repository_owner == 'storybookjs') to many GitHub Actions jobs, introduces a new fork-only workflow that runs on non-storybook forks, and makes minor documentation, formatting, Prettier-ignore, JSON, and linting-comment changes.

Changes

Cohort / File(s)	Summary
Owner-gated workflows .github/workflows/cron-weekly.yml, .../generate-sandboxes.yml, .../handle-release-branches.yml, .../prepare-non-patch-release.yml, .../prepare-patch-release.yml, .../publish.yml, .../stale.yml, .../tests-unit.yml, .../triage.yml, .../trigger-circle-ci-workflow.yml	Added if: github.repository_owner == 'storybookjs' to selected jobs/steps (some combined with always()); no other step logic changed.
New fork checks workflow .github/workflows/fork-checks.yml	New workflow that runs on pushes when github.repository_owner != 'storybookjs'; performs type-check, formatting check, and unit tests (Ubuntu/Windows) using shared setup action and Playwright install.
Docs CONTRIBUTING.md	Removed instruction to disable Actions on forks; added git fetch upstream and git branch --set-upstream-to upstream/main main guidance and reworded onboarding text.
Prettier ignore code/.prettierignore	Added ignore for core/src/core-server/presets/common-manager.ts with comment explaining preserved import order.
Angular schemas formatting code/frameworks/angular/build-schema.json, code/frameworks/angular/start-schema.json	Reflowed arrays/unions and adjusted formatting (single-line defaults/type arrays); no schema semantics changed.
YAML quoting normalization code/frameworks/server-webpack5/template/cli/page.stories.yaml	Converted double-quoted string literals to single quotes; no semantic change.
JSON fix code/frameworks/sveltekit/tsconfig.json	Removed trailing comma in compilerOptions.paths to produce valid JSON.
Linting comment removal code/core/src/core-server/presets/common-manager.ts	Removed ESLint/Prettier directive comments around the imports block; import order retained.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Event as GitHub Event
  participant WF as Workflow
  participant Jobs as Jobs

  rect rgba(230,240,255,0.35)
    note over WF: Owner-gated workflows
    Event->>WF: schedule / push / pull_request
    WF->>WF: evaluate github.repository_owner == 'storybookjs'
    alt owner == 'storybookjs'
      WF->>Jobs: run gated jobs (publish, stale, triage, tests, generate-sandboxes, etc.)
    else owner != 'storybookjs'
      WF--xJobs: skip gated jobs
    end
  end

  rect rgba(235,255,235,0.35)
    note over WF: Fork-only workflow
    Event->>WF: push (fork)
    WF->>WF: evaluate github.repository_owner != 'storybookjs'
    alt owner != 'storybookjs'
      WF->>Jobs: run fork-checks (type-check, formatting, unit tests on Ubuntu/Windows)
    else owner == 'storybookjs'
      WF--xJobs: skip fork checks
    end
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Release tooling: Use npm Trusted Publishing for canaries #32621: Modifies publish.yml and CI job structure; likely overlaps with owner-gating changes.
• Release tooling: Use npm Trusted Publishing #32607: Changes publish-related job configuration; related to edits in publish.yml.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3e9c725 and bfb21d2.

📒 Files selected for processing (1)

• .github/workflows/trigger-circle-ci-workflow.yml (3 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: normal
• GitHub Check: Core Unit Tests, windows-latest

🔇 Additional comments (1)

.github/workflows/trigger-circle-ci-workflow.yml (1)

19-61: Owner gating aligns with fork strategy

Thanks for aligning all three jobs behind the repository-owner check. This keeps the CircleCI trigger confined to the canonical repo while preserving behavior for upstream pushes and PRs. Nice consistency with the other workflows in the PR.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

CONTRIBUTING.md (1)

173-177: Fix broken shell command (too many arguments to cd)

The example concatenates two commands into one line; it will fail. Split into two lines.

-```shell 
-cd code yarn build --watch react core-server api addon-docs 
-```
+```shell
+cd code
+yarn build --watch react core-server api addon-docs
+```

🧹 Nitpick comments (7)

.github/workflows/prepare-patch-release.yml (1)

21-21: Owner-gate LGTM; consider explicit minimal permissions

The repo-owner check is correct. Optionally harden the workflow by setting explicit, minimal GITHUB_TOKEN permissions.

Example (top-level):

 on:
   push:
     branches:
       - next
   workflow_dispatch:
 
+permissions:
+  contents: read
+  actions: read

.github/workflows/cron-weekly.yml (1)

12-13: Pin third-party actions to a commit SHA

To reduce supply-chain risk, pin external actions (checkout, markdown-link-check) to immutable SHAs instead of tags.

.github/workflows/stale.yml (1)

6-12: Set explicit permissions for the stale action

actions/stale needs write scopes to label/close. Define minimal permissions at workflow/job level to avoid relying on defaults.

Example (top-level):

 on:
   schedule:
     - cron: "30 1 * * *"
 
+permissions:
+  issues: write
+  pull-requests: write
+  contents: read

.github/workflows/trigger-circle-ci-workflow.yml (2)

1-16: Harden pull_request_target workflow permissions

Given this uses pull_request_target and triggers external systems, set minimal GITHUB_TOKEN permissions.

Example (top-level):

 name: Trigger CircleCI workflow
 
 on:
   pull_request_target:
     types: [opened, synchronize, labeled, reopened]
   push:
     branches:
       - next
       - main
 
+permissions:
+  contents: read
+  pull-requests: read
+  actions: read

---

62-68: Pin external action to a SHA

Pin fjogeleit/http-request-action to a commit SHA for supply-chain safety.

code/frameworks/angular/start-schema.json (1)

149-152: loglevel description vs validation mismatch

Description includes “error” but the pattern excludes it. Include error to avoid rejecting valid values.

-      "pattern": "(silly|verbose|info|warn|silent)"
+      "pattern": "^(silly|verbose|info|warn|error|silent)$"

code/frameworks/angular/build-schema.json (1)

33-36: loglevel description vs validation mismatch

Allow “error” to match the documented options.

-      "pattern": "(silly|verbose|info|warn|silent)"
+      "pattern": "^(silly|verbose|info|warn|error|silent)$"

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6d4b085 and f4d9dfd.

📒 Files selected for processing (18)

• .github/workflows/cron-weekly.yml (1 hunks)
• .github/workflows/fork-checks.yml (1 hunks)
• .github/workflows/generate-sandboxes.yml (2 hunks)
• .github/workflows/handle-release-branches.yml (3 hunks)
• .github/workflows/prepare-non-patch-release.yml (1 hunks)
• .github/workflows/prepare-patch-release.yml (1 hunks)
• .github/workflows/publish.yml (2 hunks)
• .github/workflows/stale.yml (1 hunks)
• .github/workflows/tests-unit.yml (1 hunks)
• .github/workflows/triage.yml (1 hunks)
• .github/workflows/trigger-circle-ci-workflow.yml (3 hunks)
• CONTRIBUTING.md (1 hunks)
• code/.prettierignore (1 hunks)
• code/frameworks/angular/build-schema.json (5 hunks)
• code/frameworks/angular/start-schema.json (6 hunks)
• code/frameworks/server-webpack5/template/cli/page.stories.yaml (1 hunks)
• code/frameworks/sveltekit/tsconfig.json (1 hunks)
• code/lib/eslint-plugin/docs/rules/no-stories-of.md (0 hunks)

💤 Files with no reviewable changes (1)

• code/lib/eslint-plugin/docs/rules/no-stories-of.md

🧰 Additional context used

📓 Path-based instructions (1)

code/**/tsconfig*.json

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Keep TypeScript strict mode enabled; do not relax strict compiler options in tsconfig files

Files:

• code/frameworks/sveltekit/tsconfig.json

🪛 actionlint (1.7.7)

.github/workflows/fork-checks.yml

48-48: label "windows-11-arm" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Core Unit Tests, windows-latest

🔇 Additional comments (7)

.github/workflows/cron-weekly.yml (1)

9-9: Owner-gate LGTM

This prevents scheduled runs on forks. Looks good.

.github/workflows/stale.yml (1)

9-9: Owner-gate LGTM

Prevents stale bot from operating on forks. Good.

.github/workflows/trigger-circle-ci-workflow.yml (1)

19-19: Owner-gates LGTM

Gating all CircleCI trigger jobs on the org owner is correct and avoids secret exposure on forks.

Also applies to: 41-41, 60-60

code/frameworks/angular/start-schema.json (1)

96-100: Formatting-only changes LGTM

Single-line arrays and trailing newline are fine; no behavior change.

Also applies to: 135-138, 140-143, 154-157, 196-197, 224-225, 233-233

code/frameworks/angular/build-schema.json (1)

70-74: Formatting-only changes LGTM

Array compaction and newline tweak look good; behavior unchanged.

Also applies to: 76-79, 81-84, 119-122, 161-162, 189-190, 198-198

.github/workflows/handle-release-branches.yml (1)

8-8: Owner-gates LGTM

Keeps release-branch handling limited to the org; safe given secrets and external hooks.

Also applies to: 72-72, 91-91

CONTRIBUTING.md (1)

132-140: Fork/upstream guidance LGTM

Clearer upstream setup; removing “disable Actions on forks” aligns with new fork CI.

[storybook-pr-benchmarking]

Package Benchmarks

^{Commit: bfb21d2, ran on 6 October 2025 at 18:12:02 UTC}

No significant changes detected, all good. 👏

[Sidnioulz]

This is questionable. To make sure prettier doesn't mess with our sensitive files in forked repos, we need to actually add them to prettierignore.

But this is a less good setup for us where we know internally that specific bits of the files should be ignored, but still want automatic formatting on the rest of the files through ESLint.

[JReinhold]

Why is prettierignore better for forks here?

Is it because forks run prettier directly instead of via eslint? If so, can we just add a prettierignore comment as well as the existing eslint comment?

[Sidnioulz]

Exactly. See how our command uses eslint-disable to prevent prettifying? We don't appear to be running prettier directly in the monorepo. If we don't ignore the file in prettier, the file's content changes when running prettier. So actually ignoring the file results in stronger protection (at the expense of no longer having ESLint format the rest).

[Sidnioulz]

(btw I meant that my code change was questionable, not the original code ;-) so thanks for questioning it!)

[JReinhold]

Great idea!

[JReinhold]

Could we use an Actions strategy pattern instead for Windows+Ubuntu tests?

[Sidnioulz]

Good idea!

• Switch to strategy matrix

[JReinhold]

Why is prettierignore better for forks here?

Is it because forks run prettier directly instead of via eslint? If so, can we just add a prettierignore comment as well as the existing eslint comment?