Security: Implement stricter rules for CircleCI cache writes

[Sidnioulz]

What I did

• Built on top of @valentinpalkovic's experiment to restrict which workflows can write to CircleCI cache
• Changed conditions to only allow the SB team to write to cache during PRs (and our usual pushes to next and main and workflows that are already gated by AC policies)
• Did not restrict the permission to avoid forks because only our own team members would be able to run workflows for their forked code anyway

Checklist for Contributors

Testing

No automatic tests.

Manual testing

Not easily testable without replicating the entire org and CircleCI setup. The best way would be to merge, then run a workflow from a fork made by an alt account not part of the org, and to check if the workflow wrote to cache.

Documentation

ø

Checklist for Maintainers

• When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli-storybook/src/sandbox-templates.ts

• Make sure this PR contains one of the labels below:

  Available labels

  • bug: Internal changes that fixes incorrect behavior.
  • maintenance: User-facing maintenance tasks.
  • dependencies: Upgrading (sometimes downgrading) dependencies.
  • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
  • cleanup: Minor cleanup style change. Will not show up in release changelog.
  • documentation: Documentation only changes. Will not show up in release changelog.
  • feature request: Introducing a new feature.
  • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
  • other: Changes that don't fit in the above categories.

🦋 Canary release

This PR does not have a canary release associated. You can request a canary release of this pull request by mentioning the @storybookjs/core team here.

core team members can create a canary release here or locally with gh workflow run --repo storybookjs/storybook publish.yml --field pr=<PR_NUMBER>

Summary by CodeRabbit

• Chores
  • CI now determines whether a PR author is "trusted" and conditionally enables shared cache persistence for eligible runs.
  • Added a pipeline parameter to propagate the "trusted author" flag through workflow triggers and pipeline generation.
  • Dependency caching split into separate restore and save steps to prevent cache poisoning on sensitive PR events.
  • The trusted-author flag is respected by config generation and runtime CI decisions to ensure consistent cache behavior.

[Copilot]

Pull request overview

This PR aims to harden CI caching against untrusted writes by introducing a “trusted author” signal from GitHub Actions into CircleCI’s dynamic config generation, and by splitting GitHub’s dependency cache into restore/save steps with save gated.

Changes:

• Added a ghTrustedAuthor pipeline parameter and a runtime flag used to decide whether CircleCI jobs should persist shared caches.
• Updated the CircleCI config generator entrypoint (scripts/ci/main.ts) to accept a CLI flag and set the runtime trust state.
• Updated GitHub dependency caching to restore for all runs but only save for non-pull_request_target events.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
scripts/ci/utils/runtime.ts	Introduces runtime state for whether the PR author is “trusted”.
scripts/ci/utils/parameters.ts	Adds ghTrustedAuthor to the dynamic config parameters schema.
scripts/ci/main.ts	Plumbs a CLI option into the config generator to set trusted-author state.
scripts/ci/common-jobs.ts	Gates CircleCI cache persistence based on trusted-author state.
.github/workflows/trigger-circle-ci-workflow.yml	Computes ghTrustedAuthor in GH and passes it as a CircleCI pipeline parameter.
.github/actions/setup-node-and-install/action.yml	Splits GitHub cache into restore/save and prevents saving on pull_request_target.
.circleci/config.yml	Adds the new CircleCI pipeline parameter and forwards it to the generator command.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a trusted-author signal that’s computed in GitHub Actions, exported as ghTrustedAuthor, passed into CircleCI config generation, applied at runtime, and used to gate cache persistence in CI jobs and the GitHub Actions composite.

Changes

Trusted Author Cache Persistence

Layer / File(s)	Summary
Runtime state management for trusted author flag scripts/ci/utils/runtime.ts	Module-level trustedAuthor boolean with exported setTrustedAuthor(isTrusted) setter and isTrustedAuthor() getter to track trust status during execution.
CircleCI and script parameter definitions scripts/ci/utils/parameters.ts, .circleci/config.yml	Exported CircleCI pipeline parameter ghTrustedAuthor with type: 'string', default 'false', and description documenting its purpose; parameter added to CircleCI config.
GitHub Actions workflow trust evaluation .github/workflows/trigger-circle-ci-workflow.yml	Adds trusted-author step that evaluates whether the run is trusted (true for push, GitHub Actions bot, or PR authors with OWNER/MEMBER association and non-bot type) and exports it as job output ghTrustedAuthor.
CLI argument parsing and runtime configuration scripts/ci/main.ts	Adds --gh-trusted-author <string> CLI option, reads it into opts, calls setTrustedAuthor(opts.ghTrustedAuthor === 'true'), and uses opts.workflow for config generation.
CircleCI pipeline parameter and config-gen invocation .circleci/config.yml	Declares ghTrustedAuthor pipeline parameter (default 'false') and passes it to the config generation command via --gh-trusted-author=<< pipeline.parameters.ghTrustedAuthor >>; minor executor: reformatting only.
Conditional cache persistence in CI jobs and GitHub Actions scripts/ci/common-jobs.ts, .github/actions/setup-node-and-install/action.yml	Linux build_linux job persists cache only when isTrustedAuthor() is true. GitHub Actions composite splits cache handling: always restore via actions/cache/restore@v4, and save via actions/cache/save@v4 only when github.event_name != 'pull_request_target'.

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs:

• storybookjs/storybook#32632: Related changes touching the CircleCI trigger workflow and gating logic for workflow parameters.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/trigger-circle-ci-workflow.yml (1)

13-17: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Set explicit least-privilege permissions for this workflow.

This pull_request_target workflow currently uses default token permissions; that is broader than needed for this security-sensitive path. Add explicit minimal permissions at workflow/job level.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/trigger-circle-ci-workflow.yml around lines 13 - 17, Add
an explicit least-privilege permissions block at the top of the workflow (above
or next to the existing concurrency block) instead of relying on defaults: add a
top-level permissions key with only the actions this pull_request_target needs
(for example, set contents: read and pull-requests: write or whichever minimal
scopes your jobs require, and include id-token: write only if OIDC is used).
Update the workflow's top-level YAML (near the concurrency and jobs keys) to
declare that minimal permissions set so the workflow no longer runs with broad
default token scopes.

♻️ Duplicate comments (3)

scripts/ci/utils/runtime.ts (1)

1-1: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Defaulting trust to true is fail-open for cache writes.

Line 1 should default to false so any missed wiring does not accidentally allow cache persistence from untrusted contexts.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/ci/utils/runtime.ts` at line 1, The variable trustedAuthor is
currently defaulted to true which is fail-open; change its initialization so
trustedAuthor defaults to false to prevent accidental cache writes from
untrusted contexts (update the declaration of trustedAuthor in runtime.ts
accordingly) and ensure any code paths that expect a truthy value explicitly set
it after proper verification.

scripts/ci/main.ts (1)

153-157: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

--gh-trusted-author should default to false, not true.

Line 156 creates a permissive fallback and undermines the cache-write hardening when upstream wiring is missing.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/ci/main.ts` around lines 153 - 157, The CLI option
'--gh-trusted-author' is defaulting to 'true' which weakens cache-write
hardening; change its default to 'false' in the option declaration (the
.option(...) call that sets '--gh-trusted-author <string>') so the fallback is
non-permissive, and ensure any downstream parsing of ghTrustedAuthor (e.g.,
where ghTrustedAuthor is read or converted to boolean) still handles the new
default correctly.

.circleci/config.yml (1)

20-23: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pipeline parameter default should be fail-closed.

Line 21 should default ghTrustedAuthor to 'false' to avoid permissive cache-write behavior when callers don’t pass the value.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.circleci/config.yml around lines 20 - 23, The pipeline parameter
ghTrustedAuthor currently defaults to 'true' which makes cache-write permissive;
change its default value to 'false' so the parameter is fail-closed. Locate the
ghTrustedAuthor parameter definition (the block with keys default, description,
type) and update the default from 'true' to 'false' while keeping the
description and type intact.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.circleci/config.yml:
- Around line 51-53: The CircleCI step passes the wrong CLI flag name
(--trusted-author) which doesn't match the option defined in scripts/ci/main.ts
(--gh-trusted-author); update the CircleCI invocation to use --gh-trusted-author
so the argument maps to the option defined in main.ts (or alternatively rename
the option in main.ts to --trusted-author if you prefer that API), ensuring the
flag passed in the CircleCI command (yarn dlx jiti ./scripts/ci/main.ts) exactly
matches the option name parsed in main.ts at the CLI definition.

---

Outside diff comments:
In @.github/workflows/trigger-circle-ci-workflow.yml:
- Around line 13-17: Add an explicit least-privilege permissions block at the
top of the workflow (above or next to the existing concurrency block) instead of
relying on defaults: add a top-level permissions key with only the actions this
pull_request_target needs (for example, set contents: read and pull-requests:
write or whichever minimal scopes your jobs require, and include id-token: write
only if OIDC is used). Update the workflow's top-level YAML (near the
concurrency and jobs keys) to declare that minimal permissions set so the
workflow no longer runs with broad default token scopes.

---

Duplicate comments:
In @.circleci/config.yml:
- Around line 20-23: The pipeline parameter ghTrustedAuthor currently defaults
to 'true' which makes cache-write permissive; change its default value to
'false' so the parameter is fail-closed. Locate the ghTrustedAuthor parameter
definition (the block with keys default, description, type) and update the
default from 'true' to 'false' while keeping the description and type intact.

In `@scripts/ci/main.ts`:
- Around line 153-157: The CLI option '--gh-trusted-author' is defaulting to
'true' which weakens cache-write hardening; change its default to 'false' in the
option declaration (the .option(...) call that sets '--gh-trusted-author
<string>') so the fallback is non-permissive, and ensure any downstream parsing
of ghTrustedAuthor (e.g., where ghTrustedAuthor is read or converted to boolean)
still handles the new default correctly.

In `@scripts/ci/utils/runtime.ts`:
- Line 1: The variable trustedAuthor is currently defaulted to true which is
fail-open; change its initialization so trustedAuthor defaults to false to
prevent accidental cache writes from untrusted contexts (update the declaration
of trustedAuthor in runtime.ts accordingly) and ensure any code paths that
expect a truthy value explicitly set it after proper verification.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4bdbac13-27a5-4af6-88f7-02762603ba66

📥 Commits

Reviewing files that changed from the base of the PR and between 8d9719c and 3262799.

📒 Files selected for processing (7)

• .circleci/config.yml
• .github/actions/setup-node-and-install/action.yml
• .github/workflows/trigger-circle-ci-workflow.yml
• scripts/ci/common-jobs.ts
• scripts/ci/main.ts
• scripts/ci/utils/parameters.ts
• scripts/ci/utils/runtime.ts

[coderabbitai]

♻️ Duplicate comments (1)

.circleci/config.yml (1)

51-53: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Fix CLI flag mismatch for trusted-author propagation (Line 53).

--trusted-author does not match the declared CLI option (--gh-trusted-author), so the trust signal can be ignored and cache-write gating may not behave as intended.

Suggested fix

             yarn dlx jiti ./scripts/ci/main.ts \
               --workflow=<< pipeline.parameters.workflow >> \
-              --trusted-author=<< pipeline.parameters.ghTrustedAuthor >>
+              --gh-trusted-author=<< pipeline.parameters.ghTrustedAuthor >>

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.circleci/config.yml around lines 51 - 53, The CI step is passing the wrong
CLI flag --trusted-author which doesn't match the declared option
--gh-trusted-author, so the trusted-author value won't be propagated; update the
invocation in the CI script (the yarn dlx jiti ./scripts/ci/main.ts call) to use
--gh-trusted-author=<< pipeline.parameters.ghTrustedAuthor >> (or the exact
declared flag name) so the trust signal is forwarded correctly to the script and
cache-write gating can operate as intended.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In @.circleci/config.yml:
- Around line 51-53: The CI step is passing the wrong CLI flag --trusted-author
which doesn't match the declared option --gh-trusted-author, so the
trusted-author value won't be propagated; update the invocation in the CI script
(the yarn dlx jiti ./scripts/ci/main.ts call) to use --gh-trusted-author=<<
pipeline.parameters.ghTrustedAuthor >> (or the exact declared flag name) so the
trust signal is forwarded correctly to the script and cache-write gating can
operate as intended.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3156a584-bc70-45c5-bf03-4eb5969a678a

📥 Commits

Reviewing files that changed from the base of the PR and between 3262799 and 8e26a7a.

📒 Files selected for processing (3)

• .circleci/config.yml
• scripts/ci/main.ts
• scripts/ci/utils/runtime.ts

[Sidnioulz]

@valentinpalkovic I suspect the CI error is because we're still comparing to next's code. Do we agree on this? Should we merge and then assess?

[coderabbitai]

♻️ Duplicate comments (1)

.circleci/config.yml (1)

51-53: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use the correct CLI flag name for trusted-author wiring.

Line 53 still passes --trusted-author, but this flow is wired around --gh-trusted-author; the current argument can be ignored/misparsed and break the trust gate propagation.

Suggested fix

             yarn dlx jiti ./scripts/ci/main.ts \
               --workflow=<< pipeline.parameters.workflow >> \
-              --trusted-author=<< pipeline.parameters.ghTrustedAuthor >>
+              --gh-trusted-author=<< pipeline.parameters.ghTrustedAuthor >>

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.circleci/config.yml around lines 51 - 53, The CI job invokes the TypeScript
CLI via "yarn dlx jiti ./scripts/ci/main.ts" with the wrong flag
"--trusted-author"; change that to "--gh-trusted-author" so the pipeline
parameter wired as << pipeline.parameters.ghTrustedAuthor >> is passed to the
CLI correctly and the trust gate receives the value; update the invocation in
the CircleCI job where "yarn dlx jiti ./scripts/ci/main.ts" is called to replace
"--trusted-author" with "--gh-trusted-author".

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In @.circleci/config.yml:
- Around line 51-53: The CI job invokes the TypeScript CLI via "yarn dlx jiti
./scripts/ci/main.ts" with the wrong flag "--trusted-author"; change that to
"--gh-trusted-author" so the pipeline parameter wired as <<
pipeline.parameters.ghTrustedAuthor >> is passed to the CLI correctly and the
trust gate receives the value; update the invocation in the CircleCI job where
"yarn dlx jiti ./scripts/ci/main.ts" is called to replace "--trusted-author"
with "--gh-trusted-author".

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: af05da87-90ec-41c4-a857-777252d86020

📥 Commits

Reviewing files that changed from the base of the PR and between 8e26a7a and 49c8f04.

📒 Files selected for processing (1)

• .circleci/config.yml

[storybook-app-bot]

Package Benchmarks

^{Commit: d1734a0, ran on 21 May 2026 at 15:28:02 UTC}

The following packages have significant changes to their size or dependencies:

@storybook/builder-webpack5

	Before	After	Difference
Dependency count	184	184	0
Self size	79 KB	79 KB	0 B
Dependency size	33.24 MB	33.34 MB	🚨 +94 KB 🚨
Bundle Size Analyzer	Link	Link

storybook

	Before	After	Difference
Dependency count	72	72	0
Self size	20.25 MB	20.27 MB	🚨 +19 KB 🚨
Dependency size	36.17 MB	36.17 MB	0 B
Bundle Size Analyzer	Link	Link

@storybook/angular

	Before	After	Difference
Dependency count	185	185	0
Self size	142 KB	160 KB	🚨 +17 KB 🚨
Dependency size	30.73 MB	30.73 MB	0 B
Bundle Size Analyzer	Link	Link

@storybook/ember

	Before	After	Difference
Dependency count	188	188	0
Self size	15 KB	15 KB	🚨 +18 B 🚨
Dependency size	29.96 MB	30.06 MB	🚨 +94 KB 🚨
Bundle Size Analyzer	Link	Link

@storybook/nextjs

	Before	After	Difference
Dependency count	534	534	0
Self size	662 KB	662 KB	0 B
Dependency size	61.37 MB	61.50 MB	🚨 +128 KB 🚨
Bundle Size Analyzer	Link	Link

@storybook/nextjs-vite

	Before	After	Difference
Dependency count	93	93	0
Self size	1.38 MB	1.38 MB	🎉 -96 B 🎉
Dependency size	24.79 MB	24.83 MB	🚨 +34 KB 🚨
Bundle Size Analyzer	Link	Link

@storybook/preact-vite

	Before	After	Difference
Dependency count	14	14	0
Self size	13 KB	13 KB	0 B
Dependency size	1.47 MB	1.49 MB	🚨 +23 KB 🚨
Bundle Size Analyzer	Link	Link

@storybook/react-native-web-vite

	Before	After	Difference
Dependency count	122	122	0
Self size	30 KB	30 KB	0 B
Dependency size	25.86 MB	25.90 MB	🚨 +34 KB 🚨
Bundle Size Analyzer	Link	Link

@storybook/react-vite

	Before	After	Difference
Dependency count	83	83	0
Self size	36 KB	36 KB	0 B
Dependency size	22.57 MB	22.60 MB	🚨 +34 KB 🚨
Bundle Size Analyzer	Link	Link

@storybook/react-webpack5

	Before	After	Difference
Dependency count	271	271	0
Self size	23 KB	23 KB	🚨 +12 B 🚨
Dependency size	45.91 MB	46.04 MB	🚨 +128 KB 🚨
Bundle Size Analyzer	Link	Link

@storybook/server-webpack5

	Before	After	Difference
Dependency count	196	196	0
Self size	16 KB	16 KB	0 B
Dependency size	34.51 MB	34.60 MB	🚨 +94 KB 🚨
Bundle Size Analyzer	Link	Link

@storybook/svelte-vite

	Before	After	Difference
Dependency count	19	20	🚨 +1 🚨
Self size	56 KB	56 KB	0 B
Dependency size	26.65 MB	27.00 MB	🚨 +352 KB 🚨
Bundle Size Analyzer	Link	Link

@storybook/sveltekit

	Before	After	Difference
Dependency count	20	21	🚨 +1 🚨
Self size	56 KB	56 KB	0 B
Dependency size	26.71 MB	27.06 MB	🚨 +352 KB 🚨
Bundle Size Analyzer	Link	Link

@storybook/tanstack-react

	Before	After	Difference
Dependency count	84	84	0
Self size	107 KB	106 KB	🎉 -1 KB 🎉
Dependency size	22.60 MB	22.64 MB	🚨 +34 KB 🚨
Bundle Size Analyzer	Link	Link

@storybook/vue3-vite

	Before	After	Difference
Dependency count	108	109	🚨 +1 🚨
Self size	36 KB	36 KB	0 B
Dependency size	43.75 MB	44.10 MB	🚨 +352 KB 🚨
Bundle Size Analyzer	Link	Link

@storybook/web-components-vite

	Before	After	Difference
Dependency count	15	15	0
Self size	19 KB	19 KB	0 B
Dependency size	1.52 MB	1.54 MB	🚨 +17 KB 🚨
Bundle Size Analyzer	Link	Link

@storybook/cli

	Before	After	Difference
Dependency count	203	203	0
Self size	908 KB	908 KB	🎉 -55 B 🎉
Dependency size	87.56 MB	87.58 MB	🚨 +19 KB 🚨
Bundle Size Analyzer	Link	Link

@storybook/codemod

	Before	After	Difference
Dependency count	196	196	0
Self size	32 KB	32 KB	🚨 +36 B 🚨
Dependency size	86.05 MB	86.06 MB	🚨 +19 KB 🚨
Bundle Size Analyzer	Link	Link

create-storybook

	Before	After	Difference
Dependency count	73	73	0
Self size	1.08 MB	1.08 MB	🎉 -66 B 🎉
Dependency size	56.43 MB	56.45 MB	🚨 +19 KB 🚨
Bundle Size Analyzer	node	node

@storybook/preset-react-webpack

	Before	After	Difference
Dependency count	164	164	0
Self size	18 KB	18 KB	🎉 -24 B 🎉
Dependency size	32.25 MB	32.34 MB	🚨 +94 KB 🚨
Bundle Size Analyzer	Link	Link

@storybook/preact

	Before	After	Difference
Dependency count	2	2	0
Self size	23 KB	46 KB	🚨 +23 KB 🚨
Dependency size	32 KB	32 KB	0 B
Bundle Size Analyzer	Link	Link

@storybook/react

	Before	After	Difference
Dependency count	59	59	0
Self size	1.47 MB	1.51 MB	🚨 +34 KB 🚨
Dependency size	13.30 MB	13.30 MB	🎉 -6 B 🎉
Bundle Size Analyzer	Link	Link

@storybook/svelte

	Before	After	Difference
Dependency count	2	3	🚨 +1 🚨
Self size	49 KB	49 KB	🚨 +1 B 🚨
Dependency size	230 KB	582 KB	🚨 +352 KB 🚨
Bundle Size Analyzer	Link	Link

@storybook/vue3

	Before	After	Difference
Dependency count	3	4	🚨 +1 🚨
Self size	66 KB	66 KB	🚨 +7 B 🚨
Dependency size	213 KB	565 KB	🚨 +352 KB 🚨
Bundle Size Analyzer	Link	Link

@storybook/web-components

	Before	After	Difference
Dependency count	3	3	0
Self size	62 KB	79 KB	🚨 +17 KB 🚨
Dependency size	47 KB	47 KB	0 B
Bundle Size Analyzer	Link	Link

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/trigger-circle-ci-workflow.yml (1)

40-75: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Scope GITHUB_TOKEN permissions explicitly for this workflow.

Line 40 onward runs without a permissions block. For pull_request_target, default token scopes can be broader than required. Add least-privilege permissions explicitly.

Suggested hardening

 name: Trigger CircleCI workflow
 
 on:
@@
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
+
+permissions:
+  contents: read
+  pull-requests: read

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/trigger-circle-ci-workflow.yml around lines 40 - 75, The
get-parameters job is running without an explicit permissions block; add a
least-privilege permissions stanza to the job (get-parameters) to scope the
GITHUB_TOKEN. Update the job to include a permissions section (e.g.,
permissions: pull-requests: read, contents: read, actions: read) so only
necessary read scopes are granted for the steps that inspect pull request
metadata and do not need write access; place it at the same indentation as
runs-on and steps.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/trigger-circle-ci-workflow.yml:
- Around line 40-75: The get-parameters job is running without an explicit
permissions block; add a least-privilege permissions stanza to the job
(get-parameters) to scope the GITHUB_TOKEN. Update the job to include a
permissions section (e.g., permissions: pull-requests: read, contents: read,
actions: read) so only necessary read scopes are granted for the steps that
inspect pull request metadata and do not need write access; place it at the same
indentation as runs-on and steps.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f98fbda4-03c0-403c-8cfb-e925a4c11cd4

📥 Commits

Reviewing files that changed from the base of the PR and between 94420af and d1734a0.

📒 Files selected for processing (7)

• .circleci/config.yml
• .github/actions/setup-node-and-install/action.yml
• .github/workflows/trigger-circle-ci-workflow.yml
• scripts/ci/common-jobs.ts
• scripts/ci/main.ts
• scripts/ci/utils/parameters.ts
• scripts/ci/utils/runtime.ts