1- # BrowserStack Accessibility DevTools — composite GitHub Action (v1: scan + report)
1+ # BrowserStack Accessibility DevTools — composite GitHub Action (scan + report)
22#
3- # Design of record: ADR-0035 (CI GitHub App integration), ADR-0036 (Service Account
4- # auth) — DEVA11Y-463.
5- #
6- # This is a THIN WRAPPER (ADR-0035 §2). It:
3+ # A thin wrapper around the published BrowserStack Accessibility CLI. It:
74# 1. triggers automatically on pull_request (opened/synchronize/reopened/
85# ready_for_review), or manually when someone comments @AccessibilityDevTools
96# on a PR (with a commenter write/maintain/admin check);
10- # 2. runs the PINNED , published CLI (@browserstack/accessibility-devtools) in
11- # PR-scan mode against the base…head DIFF — it never builds/ installs the PR
12- # head code (fork-PR "diff, don't build" safety, ADR-0035 §7 );
13- # 3. mints a repo-scoped Actions OIDC token (post authenticity, ADR-0035 §5) ;
14- # 4. submits the normalized findings + signed scanProof + OIDC token to the
15- # BrowserStack ci-review-service, which verifies and posts AS THE APP .
7+ # 2. runs the pinned , published CLI (@browserstack/accessibility-devtools)
8+ # against the base…head DIFF — it never builds or installs the PR head code
9+ # (fork-PR "diff, don't build" safety);
10+ # 3. mints a repo-scoped Actions OIDC token proving the run came from this CI ;
11+ # 4. submits the findings to BrowserStack, which verifies them and posts the
12+ # results back on the PR as the BrowserStack Accessibility App .
1613#
1714# The Action holds NO GitHub write credential — every write (comment, check,
1815# inline comments, SARIF) is done server-side by the App. The workflow's
@@ -28,10 +25,10 @@ branding:
2825
2926inputs :
3027 username :
31- description : ' BrowserStack Service Account username (store as an encrypted Actions secret). Scan auth (ADR-0036). '
28+ description : ' BrowserStack Service Account username (store as an encrypted Actions secret).'
3229 required : true
3330 access-key :
34- description : ' BrowserStack Service Account access key (store as an encrypted Actions secret). Scan auth (ADR-0036). '
31+ description : ' BrowserStack Service Account access key (store as an encrypted Actions secret).'
3532 required : true
3633 fail-on-severity :
3734 description : ' Severity at/above which the check fails the run: error | warning | none. Default error. `none` reports without ever failing the run.'
@@ -134,7 +131,7 @@ runs:
134131
135132 # ---------------------------------------------------------------------------
136133 # 2. Commenter permission pre-check — MANUAL flow only. Best-effort: the
137- # AUTHORITATIVE, fail-closed check is server-side (ADR-0035 §5) . It must
134+ # AUTHORITATIVE, fail-closed check is server-side. It must
138135 # degrade, not hard-fail: the read-only workflow token cannot call the
139136 # collaborators API, so an inconclusive read means "proceed" and let the
140137 # server gate. The automatic flow skips this (the server authorizes the
@@ -170,7 +167,7 @@ runs:
170167 fi
171168
172169 # ---------------------------------------------------------------------------
173- # 3. Preflight (ADR-0035 §7) : Service Account creds + Actions OIDC must be
170+ # 3. Preflight: Service Account creds + Actions OIDC must be
174171 # available, else skip cleanly — never run with reduced trust.
175172 # ---------------------------------------------------------------------------
176173 - id : preflight
@@ -248,10 +245,10 @@ runs:
248245
249246 # ---------------------------------------------------------------------------
250247 # 6. Run the pinned, published CLI in PR-scan mode. The CLI resolves the
251- # base..head diff locally, sends only changed-file contents to
252- # linter-server (which normalizes + HMAC- signs), mints the OIDC token, and
253- # submits to the ci-review-service , which posts AS THE APP. It prints one
254- # machine-readable stdout line the report step parses.
248+ # base..head diff locally, sends only the changed-file contents to
249+ # BrowserStack (which normalizes + signs them ), mints the OIDC token, and
250+ # submits the findings , which are verified and posted back on the PR as the
251+ # App. It prints one machine-readable stdout line the report step parses.
255252 # ---------------------------------------------------------------------------
256253 - id : scan
257254 if : steps.preflight.outputs.ready == 'true'
0 commit comments