Danger: Fail/warn when PR targets wrong base branch

[Copilot]

Checklist for Contributors

Testing

Manual testing

We can create PRs to test after merging. If we want to test before merging, we need to allow the script to run on the PR branch first, and then target PRs to it. Maybe we can get away with renaming the PR branch to "release-something". LMK how you wanna proceed, @yannbf

---

Agent stuff

• Add checkTargetBranch function to scripts/dangerfile.js that fails when a non-team-member PR targets main or a branch containing release, and warns when targeting anything other than next
• Add warn to the danger import in scripts/dangerfile.js
• Update .github/workflows/danger-js.yml to also trigger on release-* and *-release branches
• Remove bot check from checkTargetBranch so bots (e.g. storybook-bot) with OWNER/MEMBER association are exempt from the branch check

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Internal]: Create danger-js script to fail when a PR targets main</issue_title>
<issue_description>### Describe the bug

Our contributors might not know that we use next as a default branch.

If a non-team member opens a PR against main or a branch with the word release, Danger JS should fail. If they open a PR against anything else but next, we should output a warning (if possible in the tool/CI).

Reproduction link

N/A

Reproduction steps

N/A

System

N/A

Additional context

N/A</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [Internal]: Create danger-js script to fail when a PR targets main #34006

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

Summary by CodeRabbit

• Chores
  • Strengthened pull request validation to prevent contributors from targeting main or release branches and to warn when targeting non-next branches.
  • Broadened CI automation so pull-request checks run across all branches (wildcard), expanding automated validation coverage.

[nx-cloud]

View your CI Pipeline Execution ↗ for commit ace6ce5

Command	Status	Duration	Result
nx run-many -t compile,check,knip,test,pretty-d...	❌ Failed	14m 38s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-03-04 17:12:28 UTC

[nx-cloud]

View your CI Pipeline Execution ↗ for commit c08d2fe

Command	Status	Duration	Result
nx run-many -t compile,check,knip,test,pretty-d...	❌ Failed	11m 59s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-03-04 14:56:17 UTC

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6ba46a05-9f50-4b02-99ef-4e55a1e26272

📥 Commits

Reviewing files that changed from the base of the PR and between c08d2fe and ace6ce5.

📒 Files selected for processing (1)

• .github/workflows/danger-js.yml

---

📝 Walkthrough

Walkthrough

Changed the Danger GitHub Actions trigger branches from main/next to a wildcard and added a new checkTargetBranch() in scripts/dangerfile.js that enforces PR base-branch rules for non-privileged authors (fail on main or release branches, warn if not next).

Changes

Cohort / File(s)	Summary
Workflow Configuration .github/workflows/danger-js.yml	Replaced PR trigger branch list (main, next) with a wildcard (**) for on.pull_request.branches; other workflow fields (types, concurrency) unchanged.
Branch Protection Logic scripts/dangerfile.js	Added checkTargetBranch() to enforce base-branch rules for non-OWNER/MEMBER authors (fail if base is main or contains release, warn if base is not next); added warn import and invoked the check early in the Dangerfile.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant Contributor as Contributor
participant GitHub as GitHub
participant Actions as GitHub Actions (danger-js.yml)
participant Danger as Danger Runner
participant Dangerfile as scripts/dangerfile.js

Contributor->>GitHub: Open PR (base branch)
GitHub->>Actions: Trigger danger-js workflow (branches: **)
Actions->>Danger: Run Danger
Danger->>Dangerfile: Evaluate dangerfile
Dangerfile->>Dangerfile: checkTargetBranch(author, base)
alt base is main or contains release and author not OWNER/MEMBER
Dangerfile->>Danger: fail("Disallowed base branch")
else base is not next and author not OWNER/MEMBER
Dangerfile->>Danger: warn("Prefer targeting 'next'")
else
Dangerfile->>Danger: continue checks

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Build: Remove local Danger Docker build and use ghcr.io runtime #33051 — Also modifies Danger CI setup: updates .github/workflows/danger-js.yml and adjusts repository dangerfile logic.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/danger-js.yml:
- Around line 10-14: The workflow currently restricts Danger runs via the
branches: list containing "main", "next", "release-*", and "*-release", which
prevents Danger from running on PRs targeting other base branches; update the
workflow trigger so Danger runs for PRs to any branch—e.g., remove or relax the
restrictive branches: block and add or modify the pull_request trigger to
include all branches (use pull_request with branches: ["**"] or omit branch
filters) so the "warn on any non-`next` target" rule executes for all PR
targets.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f168896d-4c47-424e-ba85-6e6fe65d0601

📥 Commits

Reviewing files that changed from the base of the PR and between 33e2117 and c08d2fe.

📒 Files selected for processing (2)

• .github/workflows/danger-js.yml
• scripts/dangerfile.js