CI: Provide basic CI jobs for forked repositories, and disable our own jobs

[Sidnioulz]

What I did

• Ran Prettier on code/ to ensure the prettier job provided to fork repo owners provides actual feedback on their code changes
• Reworked GitHub Actions to ensure that most jobs don't trigger on forked repositories
• Added jobs to ensure unit tests on linux+windows, prettier, and tsc all run on forked repositories without a CircleCI account

This should help ensure that forked repositories have a coherent CI status, that actually reflects code quality issues rather than CI setup shenanigans. If forked repos have code quality reporting, there's a wee chance this increases the quality of received PRs.

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

ø

Manual testing

• See CI status on individual commits on my forked repo
• See actions checks on PRs

Documentation

• Removed mention of disabling CI for forks in CONTRIBUTION.md

Checklist for Maintainers

• When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli-storybook/src/sandbox-templates.ts

• Make sure this PR contains one of the labels below:

  Available labels

  • bug: Internal changes that fixes incorrect behavior.
  • maintenance: User-facing maintenance tasks.
  • dependencies: Upgrading (sometimes downgrading) dependencies.
  • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
  • cleanup: Minor cleanup style change. Will not show up in release changelog.
  • documentation: Documentation only changes. Will not show up in release changelog.
  • feature request: Introducing a new feature.
  • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
  • other: Changes that don't fit in the above categories.

🦋 Canary release

This PR does not have a canary release associated. You can request a canary release of this pull request by mentioning the @storybookjs/core team here.

core team members can create a canary release here or locally with gh workflow run --repo storybookjs/storybook canary-release-pr.yml --field pr=<PR_NUMBER>

Summary by CodeRabbit

• New Features
  • Added automated checks (type, format, unit tests) for forked repositories to improve contributor feedback.
• Bug Fixes
  • Corrected SvelteKit tsconfig formatting to valid JSON.
• Documentation
  • Streamlined CONTRIBUTING guide: simplified fork setup and clarified upstream tracking and local dev steps.
• Chores
  • Restricted various scheduled, release, publish, stale, triage, and test workflows to run only on the primary organization, reducing noise on forks.
• Style
  • Minor formatting updates across schemas, YAML, and docs; updated Prettier ignore rules to preserve required import order.

[nx-cloud]

View your CI Pipeline Execution ↗ for commit f4d9dfd

Command	Status	Duration	Result
nx run-many -t build --parallel=3	✅ Succeeded	48s	View ↗

---

☁️ Nx Cloud last updated this comment at 2025-10-03 14:14:59 UTC

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds repository-owner guards to many GitHub Actions jobs to run only for owner 'storybookjs', introduces a new fork-only CI workflow for non-'storybookjs' owners, and makes minor formatting/config tweaks across schemas, YAML, JSON, and docs. No functional product code changes.

Changes

Cohort / File(s)	Summary
Owner-gated GitHub Actions .github/workflows/cron-weekly.yml, .github/workflows/generate-sandboxes.yml, .github/workflows/handle-release-branches.yml, .github/workflows/prepare-non-patch-release.yml, .github/workflows/prepare-patch-release.yml, .github/workflows/publish.yml, .github/workflows/stale.yml, .github/workflows/tests-unit.yml, .github/workflows/triage.yml, .github/workflows/trigger-circle-ci-workflow.yml	Add if: github.repository_owner == 'storybookjs' to selected jobs/steps, gating execution by repository owner; no step logic changes.
New fork CI workflow .github/workflows/fork-checks.yml	New workflow running on pushes for forks (repository_owner != 'storybookjs'): type check, formatting, and unit tests on Ubuntu and Windows; shared checkout and setup steps.
Docs and contributor guidance CONTRIBUTING.md	Updates fork instructions: remove “disable Actions” guidance, add explicit upstream setup commands, minor wording changes.
Tooling ignore/config code/.prettierignore	Ignore core/src/core-server/presets/common-manager.ts with comment; retain existing entries.
Schema formatting (Angular) code/frameworks/angular/build-schema.json, code/frameworks/angular/start-schema.json	JSON Schema reformatting (single-line arrays/types, minor whitespace); no semantic changes.
YAML quoting consistency code/frameworks/server-webpack5/template/cli/page.stories.yaml	Switch double quotes to single quotes for string literals; no semantic change.
JSON validity tweak code/frameworks/sveltekit/tsconfig.json	Remove trailing comma after paths in compilerOptions; no behavioral change.
Docs formatting (ESLint rule) code/lib/eslint-plugin/docs/rules/no-stories-of.md	Remove an empty line in example; formatting only.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Scheduler as GitHub Scheduler/Triggers
  participant Workflow as Workflow Job
  note over Workflow: Owner-gated jobs
  Scheduler->>Workflow: Trigger workflow/job
  alt repository_owner == 'storybookjs'
    Workflow->>Workflow: Execute steps
  else repository_owner != 'storybookjs'
    Workflow--xScheduler: Skip job (condition not met)
  end

Loading

sequenceDiagram
  autonumber
  actor Pusher as Push on Fork
  participant ForkChecks as fork-checks.yml
  note over ForkChecks: Runs only if repository_owner != 'storybookjs'
  Pusher->>ForkChecks: push
  alt repository_owner != 'storybookjs'
    ForkChecks->>TypeCheck: yarn task --task check
    ForkChecks->>Formatting: yarn lint:prettier --check .
    par Unit Tests
      ForkChecks->>UT_Ubuntu: Install deps → Compile → Install Playwright → yarn test
      ForkChecks->>UT_Windows: Install deps → Compile → Install Playwright → yarn test
    end
  else repository_owner == 'storybookjs'
    ForkChecks--xPusher: Skip entire workflow
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Release tooling: Use npm Trusted Publishing #32607 — Also modifies .github/workflows/publish.yml (setup/quoting and token changes), overlapping with this PR’s publish job edits.
• Release tooling: Use npm Trusted Publishing for canaries #32621 — Adjusts multiple GitHub Actions workflows including publish.yml and tests-unit.yml, intersecting with this PR’s workflow gating changes.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

CONTRIBUTING.md (1)

173-177: Fix broken shell command (too many arguments to cd)

The example concatenates two commands into one line; it will fail. Split into two lines.

-```shell 
-cd code yarn build --watch react core-server api addon-docs 
-```
+```shell
+cd code
+yarn build --watch react core-server api addon-docs
+```

🧹 Nitpick comments (7)

.github/workflows/prepare-patch-release.yml (1)

21-21: Owner-gate LGTM; consider explicit minimal permissions

The repo-owner check is correct. Optionally harden the workflow by setting explicit, minimal GITHUB_TOKEN permissions.

Example (top-level):

 on:
   push:
     branches:
       - next
   workflow_dispatch:
 
+permissions:
+  contents: read
+  actions: read

.github/workflows/cron-weekly.yml (1)

12-13: Pin third-party actions to a commit SHA

To reduce supply-chain risk, pin external actions (checkout, markdown-link-check) to immutable SHAs instead of tags.

.github/workflows/stale.yml (1)

6-12: Set explicit permissions for the stale action

actions/stale needs write scopes to label/close. Define minimal permissions at workflow/job level to avoid relying on defaults.

Example (top-level):

 on:
   schedule:
     - cron: "30 1 * * *"
 
+permissions:
+  issues: write
+  pull-requests: write
+  contents: read

.github/workflows/trigger-circle-ci-workflow.yml (2)

1-16: Harden pull_request_target workflow permissions

Given this uses pull_request_target and triggers external systems, set minimal GITHUB_TOKEN permissions.

Example (top-level):

 name: Trigger CircleCI workflow
 
 on:
   pull_request_target:
     types: [opened, synchronize, labeled, reopened]
   push:
     branches:
       - next
       - main
 
+permissions:
+  contents: read
+  pull-requests: read
+  actions: read

---

62-68: Pin external action to a SHA

Pin fjogeleit/http-request-action to a commit SHA for supply-chain safety.

code/frameworks/angular/start-schema.json (1)

149-152: loglevel description vs validation mismatch

Description includes “error” but the pattern excludes it. Include error to avoid rejecting valid values.

-      "pattern": "(silly|verbose|info|warn|silent)"
+      "pattern": "^(silly|verbose|info|warn|error|silent)$"

code/frameworks/angular/build-schema.json (1)

33-36: loglevel description vs validation mismatch

Allow “error” to match the documented options.

-      "pattern": "(silly|verbose|info|warn|silent)"
+      "pattern": "^(silly|verbose|info|warn|error|silent)$"

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6d4b085 and f4d9dfd.

📒 Files selected for processing (18)

• .github/workflows/cron-weekly.yml (1 hunks)
• .github/workflows/fork-checks.yml (1 hunks)
• .github/workflows/generate-sandboxes.yml (2 hunks)
• .github/workflows/handle-release-branches.yml (3 hunks)
• .github/workflows/prepare-non-patch-release.yml (1 hunks)
• .github/workflows/prepare-patch-release.yml (1 hunks)
• .github/workflows/publish.yml (2 hunks)
• .github/workflows/stale.yml (1 hunks)
• .github/workflows/tests-unit.yml (1 hunks)
• .github/workflows/triage.yml (1 hunks)
• .github/workflows/trigger-circle-ci-workflow.yml (3 hunks)
• CONTRIBUTING.md (1 hunks)
• code/.prettierignore (1 hunks)
• code/frameworks/angular/build-schema.json (5 hunks)
• code/frameworks/angular/start-schema.json (6 hunks)
• code/frameworks/server-webpack5/template/cli/page.stories.yaml (1 hunks)
• code/frameworks/sveltekit/tsconfig.json (1 hunks)
• code/lib/eslint-plugin/docs/rules/no-stories-of.md (0 hunks)

💤 Files with no reviewable changes (1)

• code/lib/eslint-plugin/docs/rules/no-stories-of.md

🧰 Additional context used

📓 Path-based instructions (1)

code/**/tsconfig*.json

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Keep TypeScript strict mode enabled; do not relax strict compiler options in tsconfig files

Files:

• code/frameworks/sveltekit/tsconfig.json

🪛 actionlint (1.7.7)

.github/workflows/fork-checks.yml

48-48: label "windows-11-arm" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Core Unit Tests, windows-latest

🔇 Additional comments (7)

.github/workflows/cron-weekly.yml (1)

9-9: Owner-gate LGTM

This prevents scheduled runs on forks. Looks good.

.github/workflows/stale.yml (1)

9-9: Owner-gate LGTM

Prevents stale bot from operating on forks. Good.

.github/workflows/trigger-circle-ci-workflow.yml (1)

19-19: Owner-gates LGTM

Gating all CircleCI trigger jobs on the org owner is correct and avoids secret exposure on forks.

Also applies to: 41-41, 60-60

code/frameworks/angular/start-schema.json (1)

96-100: Formatting-only changes LGTM

Single-line arrays and trailing newline are fine; no behavior change.

Also applies to: 135-138, 140-143, 154-157, 196-197, 224-225, 233-233

code/frameworks/angular/build-schema.json (1)

70-74: Formatting-only changes LGTM

Array compaction and newline tweak look good; behavior unchanged.

Also applies to: 76-79, 81-84, 119-122, 161-162, 189-190, 198-198

.github/workflows/handle-release-branches.yml (1)

8-8: Owner-gates LGTM

Keeps release-branch handling limited to the org; safe given secrets and external hooks.

Also applies to: 72-72, 91-91

CONTRIBUTING.md (1)

132-140: Fork/upstream guidance LGTM

Clearer upstream setup; removing “disable Actions on forks” aligns with new fork CI.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Invalid GitHub-hosted runner label.

windows-11-arm is not a supported GitHub-hosted runner label, so this job will never start. Switch to an available Windows label (e.g. windows-latest, windows-2022, or another runner you’ve configured) before landing this workflow.

🧰 Tools

🪛 actionlint (1.7.7)

48-48: label "windows-11-arm" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

🤖 Prompt for AI Agents

.github/workflows/fork-checks.yml around line 48: the job uses an unsupported
GitHub-hosted runner label `windows-11-arm` which prevents the workflow from
starting; replace that label with a valid runner (for example `windows-latest`
or `windows-2022`) or with a self-hosted runner label you manage, then ensure
any OS-specific steps/paths remain compatible with the chosen runner.