
Ci: Run agent-scan for PR from forks only #34759

Merged
huang-julien merged 2 commits into next from ci/run_agent-scan-for-fork-r-only on May 11, 2026

Conversation

@huang-julien
Contributor

@huang-julien huang-julien commented May 11, 2026

Closes #

What I did

This PR changes the run conditions for Agent-scan. author_association doesn't seem that reliable; GH was marking us as CONTRIBUTOR instead of MEMBERS of the repo...

This changes the run conditions for agent-scan to run only on PRs coming from forks.

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

  • stories
  • unit tests
  • integration tests
  • end-to-end tests

Manual testing

None; I've tested the API manually through curl, which returns either 200 or 404.

Caution

This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!

Documentation

  • Add or update documentation reflecting your changes
  • If you are deprecating/removing a feature, make sure to update
    MIGRATION.MD

Checklist for Maintainers

  • When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli-storybook/src/sandbox-templates.ts

  • Make sure this PR contains one of the labels below:

    Available labels
    • bug: Internal changes that fixes incorrect behavior.
    • maintenance: User-facing maintenance tasks.
    • dependencies: Upgrading (sometimes downgrading) dependencies.
    • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
    • cleanup: Minor cleanup style change. Will not show up in release changelog.
    • documentation: Documentation only changes. Will not show up in release changelog.
    • feature request: Introducing a new feature.
    • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
    • other: Changes that don't fit in the above categories.

🦋 Canary release

This PR does not have a canary release associated. You can request a canary release of this pull request by mentioning the @storybookjs/core team here.

core team members can create a canary release here or locally with gh workflow run --repo storybookjs/storybook publish.yml --field pr=<PR_NUMBER>

Summary by CodeRabbit

  • Chores
    • Refined CI workflow to gate automated security scans behind an organization membership check.
    • Tightened eligibility logic so scans no longer run for PRs from the same repo unless membership criteria are met; removed the collaborator association from allowed values.
    • Added a membership-check step that conditionally enables caching, scanning, and labeling when appropriate.


Co-authored-by: Copilot <copilot@github.com>
@huang-julien huang-julien added build Internal-facing build tooling & test updates ci:merged Run the CI jobs that normally run when merged. labels May 11, 2026
@huang-julien huang-julien marked this pull request as draft May 11, 2026 08:13
@coderabbitai
Contributor

coderabbitai Bot commented May 11, 2026

📝 Walkthrough

The agent-scan workflow tightens job eligibility (adds fork-origin check; removes "COLLABORATOR" from author_association) and inserts a new org-membership script that sets steps.membership.outputs.should-scan. Cache, AgentScan, and PR-labeling steps run only when should-scan == 'true'.

Changes

AgentScan Eligibility Tightening

Layer / File(s) / Summary

Org membership script (.github/scripts/agent-scan-check-org-membership.mjs): Adds a script importing @actions/core and @actions/github that checks org membership via the GitHub REST API, sets the is-org-member and should-scan outputs, and handles 404/302/403 specially.

Job eligibility conditions (.github/workflows/agent-scan.yml): The job if: expression now requires github.event.pull_request.head.repo.full_name != github.repository and removes "COLLABORATOR" from the allowed author_association values.

Membership gating & steps (.github/workflows/agent-scan.yml): Adds a Check author org membership step that runs the new script; updates the cache, AgentScan execution, and Label PR with classification steps to require steps.membership.outputs.should-scan == 'true'.

Sequence Diagram(s)

sequenceDiagram
  participant Runner as GitHub Actions Runner
  participant Script as agent-scan-check-org-membership.mjs
  participant GH as GitHub REST API
  participant Cache as Actions Cache
  participant AgentScan as AgentScan action
  participant Label as PR labeling step

  Runner->>Script: execute with token, org, username
  Script->>GH: GET /orgs/{org}/members/{username}
  GH-->>Script: 200/404/302/403/other
  Script->>Runner: set outputs is-org-member / should-scan
  Runner->>Cache: conditional (should-scan == 'true') restore/cache
  Runner->>AgentScan: conditional (should-scan == 'true') run AgentScan
  AgentScan-->>Label: classification output
  Runner->>Label: conditional (should-scan == 'true') label PR

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

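The membership gate the walkthrough describes, as an added example that is not the PR's own script: the GitHub request function is injected (octokit's request(route, params) shape) so the logic runs offline against constructed responses. Because the PR does not show the script body, the handling of 302/403 (treat as non-member, still scan, flag the lookup as undetermined) and should-scan being the negation of is-org-member are assumptions.

```javascript
const MEMBERSHIP_ROUTE = "GET /orgs/{org}/members/{username}";

// Minimal stand-in for octokit's RequestError; only .status is used here.
class RequestError extends Error {
  constructor(status) { super(`HTTP ${status}`); this.status = status; }
}

// Pure mapping from the endpoint's HTTP status to the two workflow outputs.
//   204     member; authoritative because the requesting token is itself an org member
//   404     not a member; the intentionally empty branch, isOrgMember simply stays false
//   302/403 the token cannot see membership (302: requester is not an org member, 403: no scope).
//           Assumption: treat as non-member so the scan still runs, but flag it as undetermined.
function outcomeForStatus(status) {
  if (status === 204) return { isOrgMember: true, shouldScan: false, undetermined: false };
  if (status === 404) return { isOrgMember: false, shouldScan: true, undetermined: false };
  if (status === 302 || status === 403) return { isOrgMember: false, shouldScan: true, undetermined: true };
  throw new RequestError(status); // 5xx, rate limiting etc. must fail the step, not silently skip the scan
}

// Assumption: should-scan is the negation of is-org-member (scan outside contributors only).
async function checkOrgMembership(request, org, username) {
  try {
    const res = await request(MEMBERSHIP_ROUTE, { org, username });
    return outcomeForStatus(res.status);
  } catch (error) {
    if (typeof error.status !== "number") throw error; // network failure, not an HTTP answer
    return outcomeForStatus(error.status);
  }
}

// Constructed fake of the GitHub API: username -> status the real endpoint would return.
function fakeRequest(statusByUser) {
  return async (route, { username }) => {
    if (route !== MEMBERSHIP_ROUTE) throw new RequestError(404);
    const status = statusByUser[username];
    if (status === 204) return { status, data: undefined };
    throw new RequestError(status); // octokit throws for every non-2xx status
  };
}

// Constructed sample users covering every branch, including an unexpected 502.
const SAMPLE = { "core-dev": 204, "outside-contributor": 404, "unknown-visibility": 302, "no-scope": 403, "flaky": 502 };

// Runs every constructed case and collects the outputs the workflow steps would gate on.
async function demo(org = "storybookjs") {
  const request = fakeRequest(SAMPLE);
  const results = {};
  for (const user of Object.keys(SAMPLE)) {
    try { results[user] = await checkOrgMembership(request, org, user); }
    catch (e) { results[user] = { error: e.status }; }
  }
  return results;
}
```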

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/agent-scan.yml:
- Around line 21-24: The current workflow condition filters by
github.event.pull_request.author_association (the contains(...) checks), which
blocks fork PRs from OWNER/MEMBER; remove that author_association-based check
and instead detect forked PRs using repo-level fields (e.g., replace the
contains(...) author_association condition with an expression that checks
github.event.pull_request.head.repo.fork == true or compares
github.event.pull_request.head.repo.full_name !=
github.event.pull_request.base.repo.full_name). Update the conditional
expression in the job to use github.event.pull_request.head.repo.fork (or the
full_name comparison) so the workflow runs for fork PRs regardless of
author_association.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 536498e2-507e-4c91-91a3-ffeb562e0010

📥 Commits

Reviewing files that changed from the base of the PR and between 4fd4885 and 54b0a9c.

📒 Files selected for processing (1)
  • .github/workflows/agent-scan.yml

Co-authored-by: Copilot <copilot@github.com>
@huang-julien huang-julien marked this pull request as ready for review May 11, 2026 08:20
Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
.github/scripts/agent-scan-check-org-membership.mjs (1)

21-21: ⚡ Quick win

Add a comment to explain the intentionally empty catch block.

The empty block on line 21 handles the expected 404 case (user is not an org member) but lacks a clarifying comment. This could be confusing for maintainers.

📝 Suggested improvement
   } catch (error) {
     if (error.status === 404) {
+      // 404 means user is not an org member; this is expected, keep isOrgMember = false
     } else if (error.status === 302 || error.status === 403) {
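Review bot: the added comment documents the 404 branch, but the 302 || 403 branch on the next line is the one that actually needs explaining, because those statuses do not mean the author is an outsider: GET /orgs/{org}/members/{username} answers 302 when the requesting token's identity is not itself an org member and 403 when the token lacks the scope to read membership, so in both cases membership is unknown rather than false. State in that branch what should-scan is set to (scan anyway, or skip), since that is the value that decides whether a fork PR from a member is scanned whenever the workflow token cannot see org membership, and a silent default there is easy to misread as "confirmed non-member".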
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/scripts/agent-scan-check-org-membership.mjs at line 21, Add a
clarifying inline comment inside the empty if (error.status === 404) { } block
to state that the block is intentionally left empty because a 404 indicates the
user is not an org member and no further action is required; reference the check
on error.status === 404 to locate where to add the comment (the
catch/conditional handling around that status).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/scripts/agent-scan-check-org-membership.mjs:
- Line 21: Add a clarifying inline comment inside the empty if (error.status ===
404) { } block to state that the block is intentionally left empty because a 404
indicates the user is not an org member and no further action is required;
reference the check on error.status === 404 to locate where to add the comment
(the catch/conditional handling around that status).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0ea47d87-8321-445b-8df5-63618f8bf47e

📥 Commits

Reviewing files that changed from the base of the PR and between 54b0a9c and b79b235.

📒 Files selected for processing (2)
  • .github/scripts/agent-scan-check-org-membership.mjs
  • .github/workflows/agent-scan.yml

@huang-julien huang-julien merged commit b1bb867 into next May 11, 2026
182 of 191 checks passed
@huang-julien huang-julien deleted the ci/run_agent-scan-for-fork-r-only branch May 11, 2026 10:35

Labels

agent-scan:human build Internal-facing build tooling & test updates ci:merged Run the CI jobs that normally run when merged.