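# Build and deploy Docusaurus docs to GitHub Pages.
# Public site URL: https://databrickslabs.github.io/geobrix/
#
# First-time setup: In repo Settings → Pages → Build and deployment,
# set Source to "GitHub Actions".
#
# Runs on the org's hardened runner group (see runs-on below); the runner
# is on an allowlisted network, so it works even when IP allow lists
# exclude generic ubuntu-latest.
#
# Job layout:
#   build  - checks out the repo, installs docs deps (npm via JFrog/OIDC),
#            builds the site and uploads it as a Pages artifact.
#   deploy - publishes that artifact; it is the only job holding
#            pages: write.

name: Deploy documentation

on:
  push:
    branches: [main]
    # Only docs content and this workflow file trigger a rebuild.
    paths:
      - 'docs/**'
      - '.github/workflows/deploy-docs.yml'
  workflow_dispatch:

# Workflow-wide default: read-only. Jobs below widen this explicitly.
permissions:
  contents: read

# One Pages deployment at a time; queued runs wait rather than cancel so an
# in-flight deployment is never interrupted half-way.
concurrency:
  group: "pages"
  cancel-in-progress: false

jobs:
  build:
    runs-on:
      group: databrickslabs-protected-runner-group
      labels: linux-ubuntu-latest
    # Checkout uses REPO_ACCESS_TOKEN (non-exempt secret), so gate behind the protected env.
    environment: runtime
    permissions:
      contents: read
      # Required by .github/actions/jfrog-auth: GitHub OIDC token exchange for npm via JFrog.
      id-token: write
    steps:
      # For restricted GITHUB_TOKEN, add secret REPO_ACCESS_TOKEN (PAT with repo scope) if needed.
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          token: ${{ secrets.REPO_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
          # The token is only needed for the fetch itself. By default checkout
          # writes it into .git/config, where the later `npm ci` / `npm run build`
          # steps (and any package lifecycle script they execute) could read it.
          # Nothing below needs git credentials, so don't persist them.
          persist-credentials: false

      - name: Setup Node
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "20"
          cache: "npm"
          cache-dependency-path: docs/package-lock.json

      # Route npm through JFrog with OIDC-issued credentials for supply-chain
      # hardening. Must run after setup-node so npm is on PATH for auto-detect.
      - name: Authenticate for JFrog (npm via OIDC)
        uses: ./.github/actions/jfrog-auth

      # `npm ci` installs exactly what docs/package-lock.json pins.
      - name: Install dependencies
        run: cd docs && npm ci

      - name: Build
        run: cd docs && npm run build
        env:
          NODE_ENV: production
          # Force public GitHub Pages baseUrl (https://databrickslabs.github.io/geobrix/)
          DOCS_PUBLIC_PAGES: '1'

      - name: Upload artifact
        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
        with:
          path: docs/build

  deploy:
    # Scoped perms (per policy least-privilege): only the deploy job needs pages/id-token write.
    permissions:
      pages: write
      id-token: write
    environment:
      name: github-pages
      url: ${{ steps.deploy.outputs.page_url }}
    runs-on:
      group: databrickslabs-protected-runner-group
      labels: linux-ubuntu-latest
    needs: build
    steps:
      - name: Deploy to GitHub Pages
        id: deploy
        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5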