Merge branch 'main' into codex/73-release-publishing-docs

Author: coisa

.github/wiki

@@ -0,0 +1,117 @@
+Branch Protection and Bot Commits
+=================================
+
+Fast Forward repositories keep generated documentation out of protected
+branches until the related pull request is merged. This keeps ``main`` stable,
+lets maintainers review generated output before it becomes canonical, and
+avoids requiring automation to bypass branch protection for normal preview
+updates.
+
+The model has two publishing lanes:
+
+- pull requests publish isolated previews;
+- merges into ``main`` publish the final wiki and reports.
+
+Wiki Preview Lifecycle
+----------------------
+
+The wiki workflow writes generated Markdown to the GitHub wiki repository, but
+it does not publish pull request content directly to the wiki ``master`` branch.
+Instead, each pull request receives a dedicated wiki branch.
+
+For pull request ``123`` the workflow:
+
+1. runs ``composer dev-tools wiki -- --target=.github/wiki``;
+2. commits the generated wiki content to the wiki branch ``pr-123``;
+3. updates the parent repository submodule pointer at ``.github/wiki``;
+4. commits that pointer update back to the pull request branch.
+
+The parent repository commit is important because reviewers can see exactly
+which generated wiki revision belongs to the pull request. The bot commit SHOULD
+stay on the pull request branch because protected ``main`` branches usually
+reject direct commits.
+
+After the pull request is merged into ``main``, the publish job copies the
+content from the wiki preview branch, such as ``pr-123``, to the wiki
+``master`` branch. That makes the reviewed wiki content live only after the
+source code merge is complete.
+
+Reports Preview Lifecycle
+-------------------------
+
+Reports use the same review-before-publish idea, but the output is served from
+GitHub Pages instead of the wiki repository.
+
+On pull requests, the reports workflow:
+
+- generates docs, coverage, and report assets from the pull request code;
+- publishes them under ``previews/pr-<number>/`` in the Pages branch;
+- comments on the pull request with preview links when possible;
+- keeps workflow artifacts available as a fallback when Pages publishing or the
+  comment update is unavailable.
+
+On ``main``, the reports workflow publishes the final site at the root of the
+Pages branch. Pull request previews use PR-specific directories, so multiple
+open pull requests can have independent previews without overwriting each other.
+
+When a pull request is closed, the workflow SHOULD remove its preview directory.
+This prevents stale documentation and coverage reports from looking like active
+review artifacts.
+
+Branch Protection Interactions
+------------------------------
+
+Protected branches usually block direct pushes, require status checks, and may
+require signed commits or linear history. The preview workflows are designed to
+respect those rules:
+
+- bot commits update the pull request branch, not ``main``;
+- final wiki publication runs after the merge into ``main``;
+- final reports publication runs from the already-accepted ``main`` revision;
+- preview branches such as ``pr-123`` are temporary review targets.
+
+If a repository restricts bot pushes to pull request branches, maintainers
+should either allow the workflow token to update PR branches or require authors
+to refresh generated pointers manually. The preferred path is to allow bot
+updates on PR branches while keeping ``main`` protected.
+
+At a high level, the workflows need permission to read repository contents,
+write generated preview commits, update pull request comments, and publish Pages
+content. Keep those permissions scoped to the workflow jobs that actually need
+them.
+
+Resolving ``.github/wiki`` Pointer Conflicts
+--------------------------------------------
+
+Submodule pointer conflicts happen when ``main`` and the pull request point to
+different generated wiki commits. Resolve them by rebasing the pull request and
+choosing the preview wiki commit that belongs to the pull request.
+
+For pull request ``123``:
+
+.. code-block:: bash
+
+    git fetch origin main
+    git rebase origin/main
+    git -C .github/wiki fetch origin master pr-123
+    git -C .github/wiki switch --detach origin/pr-123
+    git add .github/wiki
+    git rebase --continue
+    git push --force-with-lease
+
+If the conflict appears after the preview job has already produced a newer bot
+commit, prefer the latest ``pr-123`` wiki commit. If the wiki branch no longer
+exists because the pull request was closed or merged, rerun the wiki workflow or
+regenerate the wiki locally before updating the pointer.
+
+Operational Checklist
+---------------------
+
+- Keep source changes and generated pointer updates in the same pull request.
+- Review PR preview links before merging documentation-heavy changes.
+- Merge only through the protected ``main`` flow.
+- Let the post-merge wiki job publish to ``master``.
+- Let closed pull requests clean up their report preview directories.
+
+See :doc:`consumer-automation` for how reusable workflows and consumer stubs fit
+into this model, and :doc:`../usage/github-actions` for the workflow summary.

docs/advanced/branch-protection-and-bot-commits.rst

@@ -36,16 +36,23 @@ How GitHub Pages Publishing Works
 ---------------------------------
 
 - ``.github/workflows/reports.yml`` runs ``composer dev-tools reports``.
-- The workflow uploads ``public/`` as the Pages artifact.
-- On the ``main`` branch, GitHub Pages serves the generated site.
+- Pull requests publish previews under ``previews/pr-<number>/``.
+- On the ``main`` branch, GitHub Pages serves the generated site from the root
+  of the Pages branch.
 
 How Wiki Publishing Works
 -------------------------
 
 - ``.github/workflows/wiki.yml`` runs
   ``composer dev-tools wiki -- --target=.github/wiki``.
-- The workflow commits the wiki submodule contents.
-- The parent repository then commits the updated submodule pointer.
+- Pull requests publish generated wiki content to branches such as
+  ``pr-123``.
+- The parent repository then commits the updated submodule pointer to the pull
+  request branch.
+- After merge, the preview content is promoted to the wiki ``master`` branch.
+
+See :doc:`branch-protection-and-bot-commits` for the branch protection model,
+bot commit behavior, and ``.github/wiki`` conflict resolution steps.
 
 Producer Impact
 ---------------

docs/advanced/consumer-automation.rst

@@ -9,5 +9,6 @@ custom Rector and PHPDoc behavior.
    :maxdepth: 1
 
    consumer-automation
+   branch-protection-and-bot-commits
    phpunit-extension
    rector-and-phpdoc

docs/advanced/index.rst

@@ -18,6 +18,9 @@ Example of an inherited workflow:
 
 This approach ensures that all libraries in the ecosystem benefit from infrastructure updates without requiring manual changes to every repository.
 
+For the protected-branch-safe preview and publish model, see
+:doc:`../advanced/branch-protection-and-bot-commits`.
+
 Fast Forward Reports
 --------------------
 
@@ -48,6 +51,8 @@ The ``wiki.yml`` workflow synchronizes the documentation generated by the ``dev-
 
 .. note::
    See :doc:`../configuration/repository-setup` for mandatory initial setup required for the Wiki workflow to function.
+   See :doc:`../advanced/branch-protection-and-bot-commits` for branch
+   protection, bot commit, and submodule pointer conflict guidance.
 
 Fast Forward Tests
 ------------------

docs/usage/github-actions.rst

@@ -11,5 +11,6 @@ task-oriented guidance instead of class-by-class reference.
    testing-and-coverage
    documentation-workflows
    github-actions
+   migrating-consumer-repositories
    syncing-packaged-skills
    syncing-consumer-projects

docs/usage/index.rst

@@ -0,0 +1,146 @@
+Migrating Consumer Repositories
+===============================
+
+Use this guide when an existing PHP package repository is adopting
+``fast-forward/dev-tools`` for the first time. The goal is to introduce the
+shared Composer scripts, workflow stubs, wiki setup, skills, and repository
+defaults in a reviewable pull request.
+
+This page complements :doc:`syncing-consumer-projects`; it focuses on the
+migration path instead of the full command reference.
+
+Preflight Checks
+----------------
+
+Before installing DevTools, confirm the repository has:
+
+- a committed ``composer.json`` with the package name, PHP constraint, license,
+  and autoload settings already reviewed;
+- a clean working tree;
+- a configured ``origin`` remote that points to the GitHub repository;
+- agreement on whether the repository should publish GitHub Pages reports and a
+  GitHub Wiki;
+- a maintainer who can review workflow, Dependabot, and branch protection
+  changes.
+
+If the repository already has custom workflows or generated documentation, list
+the files that must be preserved before running sync. The sync command protects
+many existing files by default, but maintainers should still review the outcome
+as infrastructure code.
+
+Install DevTools
+----------------
+
+Install the package as a development dependency:
+
+.. code-block:: bash
+
+    composer require --dev fast-forward/dev-tools
+
+Commit the Composer changes separately only if the repository prefers very small
+review steps. For most migrations, it is reasonable to keep the Composer update
+and generated sync changes in the same pull request so reviewers can understand
+the complete automation model.
+
+Run Sync Safely
+---------------
+
+Run the sync command from the repository root:
+
+.. code-block:: bash
+
+    composer dev-tools:sync
+
+Then inspect the result before staging anything:
+
+.. code-block:: bash
+
+    git status --short
+    git diff
+
+Expected changes can include:
+
+.. list-table::
+   :header-rows: 1
+
+   * - Area
+     - Expected change
+     - Review focus
+   * - ``composer.json``
+     - Adds shared ``dev-tools`` scripts and GrumPHP defaults.
+     - Keep existing package metadata, scripts, and project-specific settings.
+   * - ``.github/workflows/*.yml``
+     - Adds thin workflow stubs that call reusable Fast Forward workflows.
+     - Compare with any existing CI, release, docs, or Pages workflows.
+   * - ``.editorconfig``
+     - Adds the shared editor defaults when missing.
+     - Confirm indentation and line-ending expectations match the project.
+   * - ``.github/dependabot.yml``
+     - Adds the shared Dependabot template when missing.
+     - Confirm update cadence and ecosystem coverage.
+   * - ``.github/wiki``
+     - Adds the wiki submodule when missing.
+     - Confirm the wiki repository exists and branch protection is compatible.
+   * - ``.agents/skills``
+     - Links packaged skills for issue, PR, tests, docs, README, and style work.
+     - Preserve existing custom skills and non-symlink directories.
+   * - ``LICENSE``
+     - Adds the packaged license file when missing.
+     - Confirm it matches the package metadata.
+   * - ``.gitignore`` and ``.gitattributes``
+     - Adds repository defaults when missing.
+     - Keep existing project-specific ignores and export rules.
+
+Handling Existing Custom Files
+------------------------------
+
+When a target file already exists, treat the migration as a comparison exercise:
+
+1. keep the existing file in place;
+2. compare it with the corresponding packaged file or workflow stub;
+3. copy only the entries that make sense for the repository;
+4. leave a pull request note explaining any intentional divergence.
+
+This is especially important for custom CI workflows, release automation,
+repository-specific ``.gitignore`` rules, and existing Dependabot policies.
+Shared defaults are meant to reduce repeated maintenance, not erase local
+constraints.
+
+Branch Protection and Bot Commits
+---------------------------------
+
+Consumer repositories commonly protect ``main``. That is compatible with the
+Fast Forward model:
+
+- pull requests receive generated previews and bot updates on the PR branch;
+- report previews are published under PR-specific Pages paths;
+- wiki previews use branches such as ``pr-123`` before merge;
+- post-merge jobs publish final reports and wiki content from ``main``.
+
+If branch protection blocks bot commits to pull request branches, either adjust
+the repository policy to allow workflow updates on PR branches or document that
+maintainers must refresh generated pointers manually before merge.
+
+Suggested Pull Request Rollout
+------------------------------
+
+Use one migration pull request per consumer repository:
+
+1. install ``fast-forward/dev-tools``;
+2. run ``composer dev-tools:sync``;
+3. review and adapt generated files;
+4. run the smallest relevant local verification command;
+5. open the pull request and let GitHub Actions create previews;
+6. verify report and wiki preview links before merge;
+7. merge through the protected ``main`` branch.
+
+After merge, confirm that the final reports and wiki pages reflect the merged
+revision. If they do not, inspect the workflow logs before making follow-up
+changes.
+
+Related References
+------------------
+
+- :doc:`syncing-consumer-projects`
+- :doc:`syncing-packaged-skills`
+- :doc:`github-actions`

docs/usage/migrating-consumer-repositories.rst

@@ -5,6 +5,8 @@ The ``dev-tools:sync`` command is the bridge between this repository and the
 libraries that consume it.
 
 For the focused skills-only workflow, see :doc:`syncing-packaged-skills`.
+For a first-time adoption path, see
+:doc:`migrating-consumer-repositories`.
 
 What the Command Changes
 ------------------------