feat(schemas): publish meta-schemas to schemas.opendecree.dev via Pages#263
Merged
Conversation
Adds the GitHub Pages deploy workflow that serves the JSON Schema 2020-12 meta-schemas under schemas/v*/ at https://schemas.opendecree.dev/schema/v*/decree-{schema,config}.json, plus the supporting index generator and an operations runbook. The workflow uses the explicit-allowlist publishing model: it builds _site/ from scratch, copies only the JSON files, runs an audit step that fails on unrecognized paths, and uploads exactly _site/ as the Pages artifact. The rest of the repo is not exposed. Pre-deploy validation reuses scripts/validate-meta-schemas.py (the same script ci.yml runs on PRs) and adds a $id-matches-publish-URL assertion so a stale rename can't slip through. Bootstrap requires Cloudflare CNAME schemas → opendecree.github.io (DNS-only) and Pages source = GitHub Actions with custom domain schemas.opendecree.dev. Steps are documented in docs/development/schemas-hosting-runbook.md. The first push that includes this workflow will trigger an attempt to deploy; until Pages is configured, configure-pages will fail, which is expected and harmless — re-dispatch via workflow_dispatch after setup. Closes #125
This was referenced Apr 30, 2026
zeevdr
added
enhancement
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Phase 1 + Phase 3 of the schemas-publishing work for #125. Adds:
.github/workflows/deploy-pages.yml— builds_site/fromschemas/v*/..., validates, uploads as the Pages artifact, deploys viaactions/deploy-pages@v4. Triggers:pushtomainfiltered onschemas/**+workflow_dispatchfor manual republish.scripts/generate-schema-index.py— stdlib-only generator that walks_site/schema/v*/and writes_site/index.html(table of versions and links) plus a_site/robots.txt.docs/development/schemas-hosting-runbook.md— one-time setup, publishing flow, immutability policy, troubleshooting..agents/context/schema-spec.md— resolves the "Hosting target" open question to "Pages on decree itself, custom domain via Cloudflare CNAME (DNS-only)" + cross-links the runbook.Closes #125 (after the manual one-time DNS + Pages setup below).
Allowlist publishing model
Pages source is set to GitHub Actions (not "Deploy from a branch"). The workflow:
_site/directory in the runner's tmpfs each invocation.schemas/vX.Y.Z/decree-{schema,config}.jsoninto_site/schema/vX.Y.Z/(note the dir rename: source isschemas/, URL is/schema/)._site/index.html+_site/robots.txt._site/contains anything other than:_site/index.html_site/robots.txt_site/schema/vX.Y.Z/decree-{schema,config}.json_site/viaactions/upload-pages-artifact@v3(path: _siteis an allowlist).The rest of the repo (README,
internal/,docs/,.agents/, etc.) is never exposed at any URL onschemas.opendecree.dev.Validation
Pre-deploy validation runs three checks:
scripts/validate-meta-schemas.py— same script ci.yml already runs on PRs (reuses CI: validate schema YAMLs against meta-schema #124 work). Asserts canonical files validate cleanly and known-invalid fixtures fail.$id-matches-publish-URL assertion — for eachschemas/v*/decree-{schema,config}.json, parse$idand compare to the URL it'll be served at. Catches the rare stale-rename case.If any of these fail, the run fails before
actions/deploy-pagesis reached — no broken artifact ever reaches Pages.The first push to
maincontaining this workflow will trigger a deploy attempt. The deploy will fail with "Pages site not found" (or similar) until:schemas→opendecree.github.io, DNS-only (gray cloud).GitHub Actions, custom domain =schemas.opendecree.dev. If GitHub asks for a TXT verification record, add it via the same Cloudflare DNS panel.curl -I https://schemas.opendecree.dev/.After step 3, re-trigger via
gh workflow run deploy-pages.yml. Subsequent pushes toschemas/**auto-deploy.The runbook documents these steps in detail.
Out of scope
Test plan
python3 -c 'import yaml; yaml.safe_load(...)').make validate-meta-schemaspasses locally onmainHEAD._site/build + audit logic locally — produces 4 files, all on the allowlist.$id-vs-URL check — both v0.1.0 files match.scripts/generate-schema-index.py— produces a valid HTML page listing v0.1.0.curl -I https://schemas.opendecree.dev/returns 200 (post-merge, after manual setup).schemas/**edit (post-merge).