ci: publish devnotes independently of releases (#536)

andreatgretel · web-flow · commit aee3d3ff9071 · 2026-04-13T14:39:11.000-03:00
* ci: add workflow to publish devnotes independently of releases Adds a GitHub Actions workflow that rebuilds the `latest` docs alias when devnotes change on main, so blog posts go live without cutting a package release. * ci: pin actions to commit SHAs and restrict default permissions Address Greptile review findings: - Pin checkout, setup-uv, and download-artifact to commit SHAs matching the pattern from #517 - Add top-level permissions: {} to restrict default token scope * ci: build devnotes from last deployed state, not main Instead of building the full site from main (which could include unreleased docs), checkout the commit that latest was last built from (tracked in gh-pages commit messages) and overlay only docs/devnotes/ from main. Download notebooks from the last successful build-docs run instead of rebuilding them. * ci: add actions:read permission for notebook download The gh run list/download calls need actions:read on GITHUB_TOKEN, which is denied by the top-level permissions: {} block.
diff --git a/.github/workflows/publish-devnotes.yml b/.github/workflows/publish-devnotes.yml
@@ -0,0 +1,67 @@
+name: Publish devnotes
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "docs/devnotes/**"
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
+      - name: Get last deployed docs state
+        run: |
+          git fetch origin gh-pages --depth=1
+          DEPLOY_MSG=$(git log FETCH_HEAD -1 --format="%s")
+          SOURCE_SHA=$(echo "$DEPLOY_MSG" | sed -n 's/^Deployed \([0-9a-f]*\) to .*/\1/p')
+          VERSION=$(echo "$DEPLOY_MSG" | sed -n 's/^Deployed [0-9a-f]* to \([^ ]*\) .*/\1/p')
+
+          if [ -z "$SOURCE_SHA" ] || [ -z "$VERSION" ]; then
+            echo "::error::Could not parse deploy info from gh-pages. Expected: 'Deployed <sha> to <version> ...'"
+            exit 1
+          fi
+
+          echo "::notice::Last deploy: commit $SOURCE_SHA for version $VERSION"
+          echo "SOURCE_SHA=$SOURCE_SHA" >> $GITHUB_ENV
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+      - name: Checkout docs source and overlay devnotes
+        run: |
+          git checkout ${{ env.SOURCE_SHA }}
+          git checkout ${{ github.sha }} -- docs/devnotes/
+      - name: Install uv
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+        with:
+          version: "0.9.5"
+      - name: Set up Python
+        run: uv python install 3.11
+      - name: Install dependencies for docs
+        run: uv sync --all-packages --group docs
+      - name: Download notebooks from last docs build
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          mkdir -p docs/notebooks
+          LAST_RUN_ID=$(gh run list --workflow build-docs.yml --status success --limit 1 --json databaseId -q '.[0].databaseId')
+          if [ -z "$LAST_RUN_ID" ]; then
+            echo "::error::No successful build-docs run found. Cannot build without notebooks."
+            exit 1
+          fi
+          gh run download "$LAST_RUN_ID" --name notebooks --dir docs/notebooks
+          echo "::notice::Downloaded notebooks from build-docs run $LAST_RUN_ID"
+      - name: Setup doc deploy
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+      - name: Rebuild latest docs
+        run: uv run mike deploy --push --update-aliases ${{ env.VERSION }} latest
