Skip to content

ci: migrate website deploy to first-party GitHub Pages actions#268

Merged
frbrkoala merged 1 commit into
mainfrom
ci/website-firstparty-pages-deploy
Jul 6, 2026
Merged

ci: migrate website deploy to first-party GitHub Pages actions#268
frbrkoala merged 1 commit into
mainfrom
ci/website-firstparty-pages-deploy

Conversation

@frbrkoala

@frbrkoala frbrkoala commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Replace the third-party peaceiris/actions-gh-pages publish step with GitHub's first-party Pages actions (configure-pages, upload-pages-artifact, deploy-pages) in a two-job build/deploy workflow. Drop contents: write in favor of the least-privilege OIDC model (contents: read, pages: write, id-token: write) and add a pages concurrency group with cancel-in-progress: false.

Remove the now-unused deploymentBranch from docusaurus.config.js, and update website/README.md plus the git-workflow and ci-workflows steering docs to describe the artifact-based deploy (no gh-pages branch push).

Requires a one-time repo setting change: Settings -> Pages -> Build and deployment -> Source = "GitHub Actions".

Refs: .kiro/specs/github-pages-firstparty-deploy

What does this PR do?

🛑 Please open an issue first to discuss any significant work and flesh out details/direction — we would hate for your time to be wasted.
Consult the CONTRIBUTING guide for submitting pull-requests.

Motivation

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • New blueprint (adding a new protocol — see checklist below)
  • Documentation update
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Testing

  • I have run npm run build successfully
  • I have run npm run test and all tests pass
  • I have run npx cdk synth with a sample .env (e.g. from blueprints/dummy/samples/) and it succeeds
  • I have run pre-commit hooks: npm run run-pre-commit

New Blueprint Checklist (if adding a protocol)

  • Blueprint follows the structure of blueprints/dummy/ (reference implementation)
  • Blueprint README follows the standard template (matches Dummy section titles and ordering)
  • Setup section points to Getting Started (not inline instructions)
  • Deployment section leads with AI-driven deployment (Option 1) and manual as Option 2
  • Sample .env files are provided for at least one network (mainnet or testnet)
  • Configuration scripts follow the install/run dispatch pattern (see blueprints/dummy/)
  • Blueprint page added to website/docs/blueprints/ (.mdx mirror importing README)
  • Client Release Channels table added to README under Additional Resources

Documentation

  • I have updated relevant documentation (if applicable)
  • I have run cd website && npm run build with no broken links (if docs changed)

License

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Replace the third-party peaceiris/actions-gh-pages publish step with GitHub's
first-party Pages actions (configure-pages, upload-pages-artifact,
deploy-pages) in a two-job build/deploy workflow. Drop contents: write in
favor of the least-privilege OIDC model (contents: read, pages: write,
id-token: write) and add a pages concurrency group with
cancel-in-progress: false.

Remove the now-unused deploymentBranch from docusaurus.config.js, and update
website/README.md plus the git-workflow and ci-workflows steering docs to
describe the artifact-based deploy (no gh-pages branch push).

Requires a one-time repo setting change: Settings -> Pages -> Build and
deployment -> Source = "GitHub Actions".

Refs: .kiro/specs/github-pages-firstparty-deploy
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 3 package(s) with unknown licenses.
See the Details below.

License Issues

.github/workflows/website-deploy.yaml

PackageVersionLicenseIssue Type
actions/configure-pages5.*.*NullUnknown License
actions/deploy-pages4.*.*NullUnknown License
actions/upload-pages-artifact3.*.*NullUnknown License

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/configure-pages 5.*.* 🟢 6.1
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
SAST🟢 7SAST tool detected but not run on all commits
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
actions/actions/deploy-pages 4.*.* 🟢 5.4
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Binary-Artifacts🟢 10no binaries found in the repo
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Fuzzing⚠️ 0project is not fuzzed
Security-Policy🟢 9security policy file detected
SAST🟢 7SAST tool detected but not run on all commits
Branch-Protection⚠️ 1branch protection is not maximal on development and all release branches
actions/actions/upload-pages-artifact 3.*.* 🟢 5.8
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 34 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Branch-Protection🟢 8branch protection is not maximal on development and all release branches

Scanned Files

  • .github/workflows/website-deploy.yaml

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Scan for commit: aa3c637 | Updated: 2026-07-06 02:12:21 UTC

🔒 Security Scan Results

Scanned files: 5

⚠️ Security findings detected. Please review and address before merging.

@frbrkoala frbrkoala left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@frbrkoala frbrkoala merged commit 3bf384d into main Jul 6, 2026
7 checks passed
@frbrkoala frbrkoala deleted the ci/website-firstparty-pages-deploy branch July 6, 2026 02:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants