storybookjs · github-actions · Jan 14, 2026 · Jan 14, 2026 · Jan 16, 2026 · Jan 16, 2026
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -30,12 +30,14 @@ Thank you for contributing to Storybook! Please submit all PRs to the `next` bra
 > [!CAUTION]
 > This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!
 
-<!-- Please include the steps to test your changes here. For example:
+<!-- Please include the steps that a human maintainer should follow, so they can verify that your changes work. For example:
 
 1. Run a sandbox for template, e.g. `yarn task --task sandbox --start-from auto --template react-vite/default-ts`
 2. Open Storybook in your browser
 3. Access X story
 
+Do not describe how YOU tested the PR code, but how a separate maintainer should do so. A good manual test often mirrors reproduction steps provided in an issue.
+
 -->
 
 ### Documentation
@@ -49,6 +51,7 @@ Thank you for contributing to Storybook! Please submit all PRs to the `next` bra
 ## Checklist for Maintainers
 
 - [ ] When this PR is ready for testing, make sure to add `ci:normal`, `ci:merged` or `ci:daily` GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in `code/lib/cli-storybook/src/sandbox-templates.ts`
+- [ ] Declare whether manual QA will be needed for this PR during the next release, through `qa:needed` or `qa:skip`
 - [ ] Make sure this PR contains **one** of the labels below:
    <details>
      <summary>Available labels</summary>

diff --git a/.github/workflows/agent-scan.yml b/.github/workflows/agent-scan.yml
@@ -1,6 +1,44 @@
+###################################################################################################
+#                                                                                                 #
+#                                            ██                                                   #
+#                                          ██░░██                                                 #
+#  ░░          ░░                        ██░░░░░░██                            ░░░░               #
+#                                      ██░░░░░░░░░░██                                             #
+#                                      ██░░░░░░░░░░██                                             #
+#                                    ██░░░░░░░░░░░░░░██                                           #
+#                                  ██░░░░░░██████░░░░░░██                                         #
+#                                  ██░░░░░░██████░░░░░░██                                         #
+#                                ██░░░░░░░░██████░░░░░░░░██                                       #
+#                                ██░░░░░░░░██████░░░░░░░░██                                       #
+#                              ██░░░░░░░░░░██████░░░░░░░░░░██                                     #
+#                            ██░░░░░░░░░░░░██████░░░░░░░░░░░░██                                   #
+#                            ██░░░░░░░░░░░░██████░░░░░░░░░░░░██                                   #
+#                          ██░░░░░░░░░░░░░░██████░░░░░░░░░░░░░░██                                 #
+#                          ██░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░██                                 #
+#                        ██░░░░░░░░░░░░░░░░██████░░░░░░░░░░░░░░░░██                               #
+#                        ██░░░░░░░░░░░░░░░░██████░░░░░░░░░░░░░░░░██                               #
+#                      ██░░░░░░░░░░░░░░░░░░██████░░░░░░░░░░░░░░░░░░██                             #
+#        ░░            ██░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░██                             #
+#                        ██████████████████████████████████████████                               #
+#                                                                                                 #
+#                                                                                                 #
+#   SECURITY WARNING: Ensure your `pull_request_target` job respects the following rules:         #
+#                                                                                                 #
+# - Never write to GitHub Actions cache, as it would allow cache poisoning attacks                #
+# - Only call third-party systems that are aware the code passed to them could be untrustworthy   #
+# - Always set explicit permissions on your PR to limit the capabilities of secrets.GITHUB_TOKEN  #
+#                                                                                                 #
+###################################################################################################
+
 name: agent-scan
 
+# Start with empty permissions on `pull_request_target`, then set permissions per job as needed.
+permissions: {}
+
 on:
+  # Use `pull_request_target` so we can run this workflow on PRs from forks, as its goal is to assess
+  # if PR authors are trustworthy. Only reasons on the PR author and does not check out the fork code.
+  # zizmor: ignore[dangerous-triggers]  # required for fork PRs; no fork code is checked out
   pull_request_target:
     types:
       - opened
@@ -25,24 +63,34 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
+      contents: read
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - name: Checkout code from `next`/`main` branch (trusted code, not PR author code)
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ github.event.pull_request.base.sha }}
+          persist-credentials: false
+
       - name: Install script dependencies
         run: npm install --prefix .github/scripts
+
       - name: Check author org membership
         id: membership
         env:
           INPUT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           INPUT_ORG: ${{ github.repository_owner }}
           INPUT_USERNAME: ${{ github.event.pull_request.user.login }}
         run: node .github/scripts/agent-scan-check-org-membership.mjs
+
       - name: Cache AgentScan analysis
         if: steps.membership.outputs.should-scan == 'true'
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: .agentscan-cache
+          # Safe because the cache is prefixed and only used here, and does not include
+          # user-controlled content (can't spoof another actor's identity).
           key: agentscan-cache-${{ github.actor }}
-          restore-keys: agentscan-cache-
+
       - name: AgentScan
         if: steps.membership.outputs.should-scan == 'true'
         id: agentscan
@@ -51,13 +99,13 @@ jobs:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           agent-scan-comment: false
           cache-path: .agentscan-cache
-          label-community-flagged: "agent-scan:community-flagged"
-          label-mixed: "agent-scan:mixed"
-          label-automation: "agent-scan:automated"
+          label-community-flagged: 'agent-scan:community-flagged'
+          label-mixed: 'agent-scan:mixed'
+          label-automation: 'agent-scan:automated'
 
       - name: Label PR with classification
         if: steps.membership.outputs.should-scan == 'true' && steps.agentscan.outputs.classification
         env:
           INPUT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           INPUT_CLASSIFICATION: ${{ steps.agentscan.outputs.classification }}
-        run: node .github/scripts/agent-scan-label-pr.mjs
+        run: node .github/scripts/agent-scan-label-pr.mjs
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
@@ -25,7 +25,9 @@ jobs:
     # If you do not check out your code, Copilot will do this for you.
     steps:
       - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js and Install Dependencies
         uses: ./.github/actions/setup-node-and-install

diff --git a/.github/workflows/cron-weekly.yml b/.github/workflows/cron-weekly.yml
diff --git a/.github/workflows/danger-js.yml b/.github/workflows/danger-js.yml
@@ -30,8 +30,11 @@
 #                                                                                                 #
 ###################################################################################################
 
+name: Danger JS
+
 on:
   # We need `pull_request_target` to check external contributor PRs.
+  # zizmor: ignore[dangerous-triggers]  # job checks out base.sha (trusted code), not the PR head; see security warning above
   pull_request_target:
     types:
       - opened
@@ -47,16 +50,16 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.number }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
-  issues: read
-  pull-requests: write
+permissions: {}
 
-name: Danger JS
 jobs:
   dangerJS:
     name: Danger JS
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: read
+      pull-requests: write
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

diff --git a/.github/workflows/fork-checks.yml b/.github/workflows/fork-checks.yml
@@ -7,15 +7,20 @@ on:
 env:
   NODE_OPTIONS: '--max_old_space_size=4096'
 
+permissions: {}
+
 jobs:
   check:
     name: Core Type Checking
     if: github.repository_owner != 'storybookjs'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 2
+          persist-credentials: false
 
       - name: Setup Node.js and Install Dependencies
         uses: ./.github/actions/setup-node-and-install
@@ -29,10 +34,13 @@ jobs:
     name: Core Formatting
     if: github.repository_owner != 'storybookjs'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 2
+          persist-credentials: false
 
       - name: Setup Node.js and Install Dependencies
         uses: ./.github/actions/setup-node-and-install
@@ -49,10 +57,13 @@ jobs:
     runs-on: ${{ matrix.os }}
     name: Core Unit Tests, ${{ matrix.os }}
     if: github.repository_owner != 'storybookjs'
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 2
+          persist-credentials: false
 
       - name: Setup Node.js and Install Dependencies
         uses: ./.github/actions/setup-node-and-install

diff --git a/.github/workflows/generate-sandboxes.yml b/.github/workflows/generate-sandboxes.yml
@@ -14,16 +14,18 @@ env:
   CLEANUP_SANDBOX_NODE_MODULES: 'true'
   NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
 
+permissions: {}
+
 defaults:
   run:
     working-directory: ./code
 
-
 jobs:
   set-branches:
     name: Resolve target branches
     if: github.repository_owner == 'storybookjs'
     runs-on: ubuntu-latest
+    permissions: {}
     outputs:
       branches: ${{ steps.set.outputs.branches }}
     steps:
@@ -45,6 +47,8 @@ jobs:
     needs: set-branches
     if: github.repository_owner == 'storybookjs'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -67,11 +71,12 @@ jobs:
             /usr/share/dotnet \
             /usr/share/swift
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ matrix.branch }}
+          persist-credentials: false
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e #6.4.0
         with:
           node-version-file: '.nvmrc'
 
@@ -104,13 +109,16 @@ jobs:
         # publish sandboxes even if the generation fails, as some sandboxes might have been generated successfully
         # when triggered manually, always publish to the `next` branch on the sandboxes repo
         if: ${{ !cancelled() }}
-        run: yarn publish-sandboxes --remote=https://storybook-bot:${{ secrets.PAT_STORYBOOK_BOT }}@github.com/storybookjs/sandboxes.git --push --branch=${{ github.event_name == 'workflow_dispatch' && 'next' || matrix.branch }}
+        env:
+          PAT: ${{ secrets.PAT_STORYBOOK_BOT }}
+          BRANCH: ${{ github.event_name == 'workflow_dispatch' && 'next' || matrix.branch }}
+        run: yarn publish-sandboxes --remote="https://storybook-bot:${PAT}@github.com/storybookjs/sandboxes.git" --push --branch="$BRANCH"
 
       - name: Report failure to Discord
         if: failure()
         env:
           DISCORD_WEBHOOK: ${{ secrets.DISCORD_MONITORING_URL }}
-        uses: Ilshidur/action-discord@d2594079a10f1d6739ee50a2471f0ca57418b554
+        uses: Ilshidur/action-discord@d2594079a10f1d6739ee50a2471f0ca57418b554 # v0.4.0
         with:
           args: |
             The generation of some or all sandboxes on the **${{ matrix.branch }}** branch has failed.