Skip to content

Commit d98eafd

Browse files
Crash0v3rrid3claude
andcommitted
docs(action): remove internal references from action.yml comments
Public repo — drop internal-only terms from the action source: ADR-#### design references, the DEVA11Y-### ticket, and internal component/mechanism names (scanProof, ci-review-service, linter-server). Reworded the header and step comments in plain, customer-facing language; kept the product term 'Service Account' and the functional [deva11y-result] CLI stdout token (the published CLI emits it and the action must grep it verbatim). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 0671303 commit d98eafd

1 file changed

Lines changed: 16 additions & 19 deletions

File tree

action.yml

Lines changed: 16 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -1,18 +1,15 @@
1-
# BrowserStack Accessibility DevTools — composite GitHub Action (v1: scan + report)
1+
# BrowserStack Accessibility DevTools — composite GitHub Action (scan + report)
22
#
3-
# Design of record: ADR-0035 (CI GitHub App integration), ADR-0036 (Service Account
4-
# auth) — DEVA11Y-463.
5-
#
6-
# This is a THIN WRAPPER (ADR-0035 §2). It:
3+
# A thin wrapper around the published BrowserStack Accessibility CLI. It:
74
# 1. triggers automatically on pull_request (opened/synchronize/reopened/
85
# ready_for_review), or manually when someone comments @AccessibilityDevTools
96
# on a PR (with a commenter write/maintain/admin check);
10-
# 2. runs the PINNED, published CLI (@browserstack/accessibility-devtools) in
11-
# PR-scan mode against the base…head DIFF — it never builds/installs the PR
12-
# head code (fork-PR "diff, don't build" safety, ADR-0035 §7);
13-
# 3. mints a repo-scoped Actions OIDC token (post authenticity, ADR-0035 §5);
14-
# 4. submits the normalized findings + signed scanProof + OIDC token to the
15-
# BrowserStack ci-review-service, which verifies and posts AS THE APP.
7+
# 2. runs the pinned, published CLI (@browserstack/accessibility-devtools)
8+
# against the base…head DIFF — it never builds or installs the PR head code
9+
# (fork-PR "diff, don't build" safety);
10+
# 3. mints a repo-scoped Actions OIDC token proving the run came from this CI;
11+
# 4. submits the findings to BrowserStack, which verifies them and posts the
12+
# results back on the PR as the BrowserStack Accessibility App.
1613
#
1714
# The Action holds NO GitHub write credential — every write (comment, check,
1815
# inline comments, SARIF) is done server-side by the App. The workflow's
@@ -28,10 +25,10 @@ branding:
2825

2926
inputs:
3027
username:
31-
description: 'BrowserStack Service Account username (store as an encrypted Actions secret). Scan auth (ADR-0036).'
28+
description: 'BrowserStack Service Account username (store as an encrypted Actions secret).'
3229
required: true
3330
access-key:
34-
description: 'BrowserStack Service Account access key (store as an encrypted Actions secret). Scan auth (ADR-0036).'
31+
description: 'BrowserStack Service Account access key (store as an encrypted Actions secret).'
3532
required: true
3633
fail-on-severity:
3734
description: 'Severity at/above which the check fails the run: error | warning | none. Default error. `none` reports without ever failing the run.'
@@ -134,7 +131,7 @@ runs:
134131
135132
# ---------------------------------------------------------------------------
136133
# 2. Commenter permission pre-check — MANUAL flow only. Best-effort: the
137-
# AUTHORITATIVE, fail-closed check is server-side (ADR-0035 §5). It must
134+
# AUTHORITATIVE, fail-closed check is server-side. It must
138135
# degrade, not hard-fail: the read-only workflow token cannot call the
139136
# collaborators API, so an inconclusive read means "proceed" and let the
140137
# server gate. The automatic flow skips this (the server authorizes the
@@ -170,7 +167,7 @@ runs:
170167
fi
171168
172169
# ---------------------------------------------------------------------------
173-
# 3. Preflight (ADR-0035 §7): Service Account creds + Actions OIDC must be
170+
# 3. Preflight: Service Account creds + Actions OIDC must be
174171
# available, else skip cleanly — never run with reduced trust.
175172
# ---------------------------------------------------------------------------
176173
- id: preflight
@@ -248,10 +245,10 @@ runs:
248245

249246
# ---------------------------------------------------------------------------
250247
# 6. Run the pinned, published CLI in PR-scan mode. The CLI resolves the
251-
# base..head diff locally, sends only changed-file contents to
252-
# linter-server (which normalizes + HMAC-signs), mints the OIDC token, and
253-
# submits to the ci-review-service, which posts AS THE APP. It prints one
254-
# machine-readable stdout line the report step parses.
248+
# base..head diff locally, sends only the changed-file contents to
249+
# BrowserStack (which normalizes + signs them), mints the OIDC token, and
250+
# submits the findings, which are verified and posted back on the PR as the
251+
# App. It prints one machine-readable stdout line the report step parses.
255252
# ---------------------------------------------------------------------------
256253
- id: scan
257254
if: steps.preflight.outputs.ready == 'true'

0 commit comments

Comments
 (0)