ci: standardize docs workflow #4
Pull request overview
Standardizes the documentation build/deploy GitHub Actions workflow to match the shared “website handoff” pattern, including pinning setup-uv and conditionally deploying generated MkDocs output to the website repository.
Changes:
- Pins `astral-sh/setup-uv` to a specific commit (v8.1.0) for the docs workflow.
- Builds docs via `uv run mkdocs build` and conditionally deploys `site/` when a deploy key is present.
- Routes deploy key through a job-level env var and uses it to gate the deploy step.
| - name: Build docs | ||
| run: uv run mkdocs build --strict | ||
| run: uv run mkdocs build |
Removing --strict from the MkDocs build step will allow broken links / config warnings to pass silently and can result in publishing a partially broken site. If the intent is to relax strictness, it would help to document why; otherwise consider keeping strict mode enabled for CI docs builds.
| run: uv run mkdocs build | |
| run: uv run mkdocs build --strict |
| env: | ||
| DOCS_DEPLOY_KEY: ${{ secrets.DOCS_DEPLOY_KEY }} | ||
| steps: |
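Review bot: the job-level `env:` block (`DOCS_DEPLOY_KEY: ${{ secrets.DOCS_DEPLOY_KEY }}` declared above `steps:`) places the deploy key in the process environment of every step in the job, including `run: uv run mkdocs build --strict`, which executes whatever MkDocs plugins the docs dependencies pull in; declare the secret in the deploy step's own `env:` instead, and if the deploy gate needs an env-derived value, compute a boolean in a dedicated check step (with the secret scoped to that step alone) and write it to `$GITHUB_OUTPUT`.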
DOCS_DEPLOY_KEY is being placed into the job-level env, which makes the secret available to every step (including third-party actions) and increases the blast radius if any step logs/exports env vars. Prefer keeping the deploy key scoped to the deploy step only.
| if: ${{ env.DOCS_DEPLOY_KEY != '' }} | ||
| uses: cpina/github-action-push-to-another-repository@v1.7.2 | ||
| env: | ||
| SSH_DEPLOY_KEY: ${{ secrets.DOCS_DEPLOY_KEY }} | ||
| SSH_DEPLOY_KEY: ${{ env.DOCS_DEPLOY_KEY }} | ||
| with: |
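Review bot: `uses: cpina/github-action-push-to-another-repository@v1.7.2` pins a mutable tag, whereas the PR description pins setup-uv to a specific commit; since this is the step that receives `SSH_DEPLOY_KEY`, pin it to a full commit SHA as well (keeping the version in a trailing comment) so a moved or re-pointed tag cannot change the code that handles the key. The `if: ${{ env.DOCS_DEPLOY_KEY != '' }}` gate only works while the key lives in job-level env; gating on a check step's output lets the secret be step-scoped.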
The deploy gating and key injection can be done directly off the secrets context (in the if: and SSH_DEPLOY_KEY assignment) rather than routing through env.DOCS_DEPLOY_KEY. This avoids depending on a derived env value and keeps the secret out of the general environment.
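For comparison, an added workflow fragment (not the PR's own file) that keeps the deploy key out of the job-level environment. It assumes the same `DOCS_DEPLOY_KEY` secret name, MkDocs output in `site/`, placeholder destination values, and the `with:` input names documented by the push-to-another-repository action; because the `secrets` context is not available in a step-level `if:`, the gate reads a check step's output instead.

```yaml
# Added example, not the project's workflow. Deploy key scoped per step.
name: docs

on:
  push:
    branches: [main]

jobs:
  docs:
    runs-on: ubuntu-latest
    # No job-level env: checkout/setup actions and the build never see the key.
    steps:
      - uses: actions/checkout@v4            # pin to a commit SHA in production
      - uses: astral-sh/setup-uv@v8.1.0      # the PR pins this tag to its commit

      - name: Build docs
        run: uv run mkdocs build --strict    # strict: warnings fail the build

      # Derive a boolean for the gate; the secret exists only in this step's env
      # and is never written to the log or to any output.
      - name: Check for deploy key
        id: key
        env:
          DOCS_DEPLOY_KEY: ${{ secrets.DOCS_DEPLOY_KEY }}
        run: |
          if [ -n "$DOCS_DEPLOY_KEY" ]; then
            echo "present=true" >> "$GITHUB_OUTPUT"
          else
            echo "present=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Deploy site/ to website repo
        if: ${{ steps.key.outputs.present == 'true' }}
        uses: cpina/github-action-push-to-another-repository@v1.7.2  # pin by SHA
        env:
          SSH_DEPLOY_KEY: ${{ secrets.DOCS_DEPLOY_KEY }}   # scoped to this step only
        with:
          source-directory: site
          destination-github-username: example-org        # placeholder
          destination-repository-name: website            # placeholder
          user-email: ci@example.invalid                  # placeholder
          target-branch: main
```

On fork or pull-request runs where the secret is unavailable, the check step emits `present=false` and the deploy step is skipped without the key ever entering a shared environment.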
Superseded by the later GitHub Actions/Dependabot maintenance PR that has already been merged to main.