ci: standardize docs workflow #18
Pull request overview
Standardizes the docs CI workflow to match the shared “website handoff” deployment pattern, using uv to build MkDocs output and (optionally) pushing the built site/ to the website repository when a deploy key is available.
Changes:
- Pins astral-sh/setup-uv to a specific commit (v8.1.0) for more deterministic action behavior.
- Builds docs via uv run mkdocs build.
- Gates the deploy step so it only runs when DOCS_DEPLOY_KEY is present, and deploys site/ to website/static/docs/data/.
| - name: Deploy to website repo | ||
| if: ${{ env.DOCS_DEPLOY_KEY != '' }} | ||
| uses: cpina/github-action-push-to-another-repository@v1.7.2 |
cpina/github-action-push-to-another-repository@v1.7.2 is a third-party action referenced by a movable tag. Since this workflow uses an SSH deploy key, consider pinning this action to an exact commit SHA (and optionally documenting the corresponding version) to reduce supply-chain risk from tag retargeting.
| env: | ||
| DOCS_DEPLOY_KEY: ${{ secrets.DOCS_DEPLOY_KEY }} |
DOCS_DEPLOY_KEY is being exported at the job level, which makes the deploy key available to every step (including third-party actions like actions/checkout and astral-sh/setup-uv). To follow least-privilege, scope the secret to only the deploy step and use if: ${{ secrets.DOCS_DEPLOY_KEY != '' }} (or similar) instead of routing it through env at the job level.
Superseded by the later GitHub Actions/Dependabot maintenance PR that has already been merged to main.