ci: restrict Stably AI suite to release workflow only

Drop `secrets: inherit` from pr.yml so the Stably API key is never mounted into a PR run — fork or otherwise. The AI suite already no-oped on fork PRs (GitHub withholds secrets), but narrowing the exposure to release-only makes the trust model obvious at a glance and removes per-PR API cost for a single structural screenshot check that the default suite largely covers.
2026-04-21 14:17:16 +00:00 · 2026-04-20 13:37:54 -07:00 · 2026-04-20 13:37:54 -07:00 · 80e87c3c57
commit 80e87c3c57
parent 14d4499df4
2 changed files with 13 additions and 11 deletions
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@ -61,13 +61,13 @@ jobs:
      - name: Run E2E tests
        run: xvfb-run --auto-servernum pnpm run test:e2e

-      # Why: the AI suite is gated on STABLY_API_KEY — only present on
-      # in-repo pushes/PRs, never on fork PRs (GitHub does not expose repo
-      # secrets to forks). Running it on push events from the main repo
-      # gives maintainers a signal on trusted refs without leaking the key
-      # to untrusted PR code. `continue-on-error` keeps it non-blocking for
-      # now, matching the project-level guidance that Stably coverage is
-      # additive signal rather than a merge gate.
+      # Why: the AI suite is gated on STABLY_API_KEY and only runs on
+      # release tags — pr.yml intentionally does NOT inherit secrets, so
+      # no PR (in-repo or fork) can reach the Stably API. The key arrives
+      # via `secrets: inherit` from release.yml on trusted release refs.
+      # `continue-on-error` keeps it non-blocking, matching the project-
+      # level guidance that Stably coverage is additive signal rather
+      # than a merge gate.
      - name: Run Stably AI E2E tests
        id: stably
        if: ${{ env.STABLY_API_KEY != '' }}
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@ -46,7 +46,9 @@ jobs:

  e2e:
    uses: ./.github/workflows/e2e.yml
-    # Why: inherit secrets so STABLY_API_KEY is available for in-repo PRs.
-    # Fork PRs won't see the value (GitHub returns empty for forks), which
-    # is exactly what we want — the AI step in e2e.yml skips on empty key.
-    secrets: inherit
+    # Why no `secrets: inherit`: the AI suite is not invoked on PRs. Every
+    # PR runs the default Playwright suite only; the Stably step is
+    # release-only (see .github/workflows/release.yml). Avoiding the
+    # secret mount here keeps the PR pipeline auditable — a reader can
+    # see at a glance that no PR run, fork or otherwise, can reach the
+    # Stably API key.