64 changes: 62 additions & 2 deletions .github/workflows/ci.yml
@@ -1,7 +1,7 @@
on:
push:
branches-ignore:
- "gh-readonly-queue/**"
branches:
- 'main'
pull_request:
merge_group:
workflow_dispatch:
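Review bot: restricting `push` to `main` means direct pushes to any other branch no longer get a CI run; if contributors rely on branch pushes for feedback outside a pull request, call that behaviour change out in the PR description. The removed `gh-readonly-queue/**` exclusion is not needed any more, since `push` can no longer match those refs and `merge_group` already covers merge-queue runs, so a one-line comment above `branches:` saying so would keep the next reader from re-adding it.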
@@ -133,3 +133,63 @@

- name: Build
run: just build

build-docs:
name: Build the documentation
runs-on: ubuntu-latest
needs: [container]
container:
image: ${{ needs.container.outputs.container_name }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
submodules: recursive

- name: Set stm32l4r5zi config
run: just config load stm32l4r5zi_def --no-confirm

- name: Generate docs
run: cargo doc --no-deps --workspace

- name: Upload docs artifact
uses: actions/upload-artifact@v4
with:
name: docs
path: target/doc

deploy-docs:
Comment on lines +138 to +161

Code scanning / CodeQL: Workflow does not contain permissions (warning, Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 3 days ago)
In general, to fix this class of issue, you add an explicit permissions block either at the workflow root (applies to all jobs without their own permissions) or at the individual job level, and scope it down to exactly what that job needs. For read-only workflows that just check out code and run tests/builds, contents: read is typically sufficient.

For this specific workflow snippet, the flagged build-docs job only checks out code, runs cargo doc, and uploads artifacts. None of these actions require write access to repository contents; they only require read access to pull the code. The safest minimal fix, without changing existing functionality, is to add a permissions block with contents: read to the build-docs job. The deploy-docs job already has an explicit permissions block, so it does not need changes. Other jobs (e.g., fmt, kani, build-stm32-l4r5zi-def, and presumably test/container) might also warrant explicit permissions in a broader hardening pass, but CodeQL’s reported issue is for build-docs, so we will scope the change there.

Concretely, in .github/workflows/ci.yml, under the build-docs: job (after runs-on / needs or before container), add:

    permissions:
      contents: read

No imports or other definitions are needed, since this is pure workflow YAML.

Suggested changeset 1: .github/workflows/ci.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -138,6 +138,8 @@
     name: Build the documentation
     runs-on: ubuntu-latest
     needs: [container]
+    permissions:
+      contents: read
     container:
       image: ${{ needs.container.outputs.container_name }}
     steps:
EOF
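Review bot: the job-level block in this patch closes the finding for `build-docs` only; the other jobs the comment itself names (fmt, kani, build-stm32-l4r5zi-def, test, container) keep the default token scope. A single `permissions: contents: read` at the workflow root covers all of them at once, and `deploy-docs` keeps working because its own job-level `pages: write` / `id-token: write` block overrides the root setting for that job alone.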
name: Deploy the documentation online
runs-on: ubuntu-latest
needs: [build-docs]
if: github.ref == 'refs/heads/main'
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
permissions:
contents: read
pages: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
sparse-checkout: website

- name: Download docs
uses: actions/download-artifact@v4
with:
name: docs
path: website/docs

- name: Setup Pages
uses: actions/configure-pages@v5

- name: Upload artifact
uses: actions/upload-pages-artifact@v3
with:
path: 'website'

- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v4
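Review bot: `build-docs` has no `permissions:` block, so its GITHUB_TOKEN keeps the repository default scope even though the job only checks out, runs `cargo doc` and uploads an artifact; add `permissions: contents: read` under the job, or at the workflow root with `deploy-docs` keeping its `pages: write` / `id-token: write` override. Separately, every action here is referenced by a mutable tag (`actions/checkout@v4`, `actions/upload-artifact@v4`, `actions/download-artifact@v4`, `actions/configure-pages@v5`, `actions/upload-pages-artifact@v3`, `actions/deploy-pages@v4`); for a job that holds `id-token: write`, pinning those to full commit SHAs with the tag in a trailing comment keeps a tag move on the action side from changing what publishes the site.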
Binary file added website/images/osiris.png
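The CodeQL finding discussed above (a job that inherits the default GITHUB_TOKEN scope because neither it nor the workflow root declares `permissions:`) is easy to check for locally before CI does. The script below is an added example, not code from the Osiris repository or from CodeQL: it rebuilds the gist of that check with an indentation-based scan so it needs no YAML library, and runs it over a constructed sample workflow modelled on the diff in this PR (one job without a permissions block, one with). The function names `scan_jobs` and `jobs_lacking_permissions` and the sample text are mine.

```python
"""Flag GitHub Actions jobs that run with the default GITHUB_TOKEN scope.

Added example, not code from the Osiris repository or from CodeQL. It
re-implements the gist of the "Workflow does not contain permissions"
finding with an indentation-based scan, so it needs no YAML library and
runs offline; the trade-off is that it understands plainly laid out
workflow files only (no flow-style mappings, anchors or merge keys).
"""
import re

# Constructed sample, modelled on the workflow under review: one job
# without a permissions block and one with it.
SAMPLE_WORKFLOW = """\
on:
  push:
    branches:
      - 'main'
  pull_request:

jobs:
  build-docs:
    name: Build the documentation
    runs-on: ubuntu-latest
    needs: [container]
    container:
      image: ${{ needs.container.outputs.container_name }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

  deploy-docs:
    name: Deploy the documentation online
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pages: write
      id-token: write
    steps:
      - uses: actions/deploy-pages@v4
"""

# A mapping key at the start of a line: leading indent, the key, then ':'.
# Sequence items such as '- name: Checkout' deliberately do not match.
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):")


def scan_jobs(yaml_text):
    """Return (workflow_has_permissions, {job_id: job_has_permissions})."""
    workflow_perms = False
    in_jobs = False
    job_indent = None      # indent of the job ids under 'jobs:'
    child_indent = None    # indent of the keys directly under the current job
    current = None
    perms = {}

    for raw in yaml_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)

        if indent == 0:
            # Top-level keys: a root 'permissions' covers every job by inheritance.
            workflow_perms = workflow_perms or key == "permissions"
            in_jobs = key == "jobs"
            current = None
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent
        if indent == job_indent:
            current = key
            perms[key] = False
            child_indent = None
        elif current is not None and indent > job_indent:
            if child_indent is None:
                child_indent = indent
            # Only a 'permissions' key directly under the job counts; one nested
            # deeper (for example inside 'with:') is something else entirely.
            if indent == child_indent and key == "permissions":
                perms[current] = True
    return workflow_perms, perms


def jobs_lacking_permissions(yaml_text):
    """Job ids whose GITHUB_TOKEN scope is left at the repository default."""
    workflow_perms, perms = scan_jobs(yaml_text)
    if workflow_perms:
        return []
    return [job for job, has_block in perms.items() if not has_block]


if __name__ == "__main__":
    for job in jobs_lacking_permissions(SAMPLE_WORKFLOW):
        print(f"{job}: no permissions block, add at least 'contents: read'")
```

Run it against `.github/workflows/ci.yml` by reading the file into `jobs_lacking_permissions`; an empty list means either every job declares its own block or the workflow root does, which is the state the CodeQL rule wants. The scan is a heuristic by design: a `run: |` block whose lines happen to look like `key:` pairs could confuse it, so treat its output as a pre-commit hint rather than a substitute for the real check.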
152 changes: 152 additions & 0 deletions website/index.html
@@ -0,0 +1,152 @@
<!DOCTYPE html>
<html lang="en">

<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Osiris RTOS</title>
<style>
* {
margin: 0;
padding: 0;
box-sizing: border-box;
}

body {
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background: linear-gradient(135deg, #1e3c72 0%, #2a5298 100%);
min-height: 100vh;
color: white;
}

.container {
display: flex;
flex-direction: column;
align-items: center;
justify-content: center;
min-height: 100vh;
padding: 20px;
}

.header {
text-align: center;
margin-bottom: 2rem;
}

.header h1 {
font-size: 3rem;
margin-bottom: 2rem;
text-shadow: 2px 2px 4px rgba(0, 0, 0, 0.3);
}

.header p {
font-size: 1.2rem;
opacity: 0.9;
}

.logo-container {
margin: 2rem 0;
max-width: 500px;
width: 100%;
}

.logo {
width: 100%;
height: auto;
border-radius: 10px;
box-shadow: 0 10px 30px rgba(0, 0, 0, 0.3);
}

.nav-links {
display: flex;
gap: 2rem;
margin-top: 2rem;
flex-wrap: wrap;
justify-content: center;
}

.nav-link {
display: inline-flex;
align-items: center;
gap: 0.5rem;
padding: 12px 24px;
background: rgba(255, 255, 255, 0.1);
backdrop-filter: blur(10px);
border: 1px solid rgba(255, 255, 255, 0.2);
border-radius: 50px;
text-decoration: none;
color: white;
font-weight: 500;
transition: all 0.3s ease;
}

.nav-link:hover {
background: rgba(255, 255, 255, 0.2);
transform: translateY(-2px);
box-shadow: 0 5px 15px rgba(0, 0, 0, 0.2);
}

.icon {
font-size: 20px;
display: inline-block;
}

footer {
margin-top: 5rem;
text-align: center;
opacity: 0.7;
font-size: 0.9rem;
}

@media (max-width: 768px) {
.header h1 {
font-size: 2rem;
}

.header p {
font-size: 1rem;
}

.nav-links {
flex-direction: column;
align-items: center;
}

.nav-link {
width: 200px;
justify-content: center;
}
}
</style>
</head>

<body>
<div class="container">
<header class="header">
<h1>Osiris RTOS</h1>
<p>A real-time Operating System designed and verified to enable reliable software updates and operation for embedded systems.</p>
</header>

<div class="logo-container">
<img src="images/osiris.png" alt="OsirisRTOS Logo" class="logo">
</div>

<nav class="nav-links">
<a href="https://github.com/OsirisRTOS/osiris/" class="nav-link" target="_blank" rel="noopener">
<span class="icon">💻</span>
Source Code
</a>

<a href="https://osiris.rs/docs/kernel/index.html" class="nav-link" target="_blank" rel="noopener">
<span class="icon">📚</span>
Documentation
</a>
</nav>

<footer>
<p>&copy; 2026 Osiris Authors</p>
</footer>
</div>
</body>

</html>
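Review bot: the Documentation link (`href="https://osiris.rs/docs/kernel/index.html"`) hard-codes the custom domain, while the `deploy-docs` job in this PR places the generated docs next to this page at `website/docs`; a relative `href="docs/kernel/index.html"` resolves correctly both on the `github-pages` URL the job reports as `page_url` and on the custom domain, so the page keeps working if either changes. The two `target="_blank"` links already carry `rel="noopener"`, which is the right default for any further external links on the page.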