From aa3c637ed26cde243f1dd51b221538beb3567699 Mon Sep 17 00:00:00 2001 From: Nikolay Vlasov Date: Mon, 6 Jul 2026 12:06:07 +1000 Subject: [PATCH] ci: migrate website deploy to first-party GitHub Pages actions Replace the third-party peaceiris/actions-gh-pages publish step with GitHub's first-party Pages actions (configure-pages, upload-pages-artifact, deploy-pages) in a two-job build/deploy workflow. Drop contents: write in favor of the least-privilege OIDC model (contents: read, pages: write, id-token: write) and add a pages concurrency group with cancel-in-progress: false. Remove the now-unused deploymentBranch from docusaurus.config.js, and update website/README.md plus the git-workflow and ci-workflows steering docs to describe the artifact-based deploy (no gh-pages branch push). Requires a one-time repo setting change: Settings -> Pages -> Build and deployment -> Source = "GitHub Actions". Refs: .kiro/specs/github-pages-firstparty-deploy --- .github/workflows/website-deploy.yaml | 50 ++++++++++++++++----------- .kiro/steering/ci-workflows.md | 6 ++-- .kiro/steering/git-workflow.md | 9 ++--- website/README.md | 14 +++++--- website/docusaurus.config.js | 1 - 5 files changed, 48 insertions(+), 32 deletions(-) diff --git a/.github/workflows/website-deploy.yaml b/.github/workflows/website-deploy.yaml index 319f972a..ccb17d74 100644 --- a/.github/workflows/website-deploy.yaml +++ b/.github/workflows/website-deploy.yaml @@ -7,12 +7,22 @@ on: # Review gh actions docs if you want to further define triggers, paths, etc # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#on +# Least-privilege: read the repo, deploy to Pages via OIDC. No contents: write. +permissions: + contents: read + pages: write + id-token: write + +# Allow one concurrent Pages deploy; never cancel an in-progress production +# publish (cancel-in-progress: false). +concurrency: + group: pages + cancel-in-progress: false + jobs: - deploy: - name: Deploy to GitHub Pages + build: + name: Build Docusaurus site runs-on: ubuntu-latest - permissions: - contents: write defaults: run: shell: bash @@ -26,23 +36,23 @@ jobs: cache-dependency-path: website/package-lock.json - name: Install dependencies run: npm ci + - name: Configure Pages + uses: actions/configure-pages@v5 - name: Build website run: npm run build + - name: Upload Pages artifact + uses: actions/upload-pages-artifact@v3 + with: + path: website/build - # Popular action to deploy to GitHub Pages: - # Docs: https://github.com/peaceiris/actions-gh-pages#%EF%B8%8F-docusaurus + deploy: + name: Deploy to GitHub Pages + needs: build + runs-on: ubuntu-latest + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + steps: - name: Deploy to GitHub Pages - uses: peaceiris/actions-gh-pages@v4 - env: - FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - # Build output to publish to the `gh-pages` branch: - publish_dir: ./website/build - # The following lines assign commit authorship to the official - # GH-Actions bot for deploys to `gh-pages` branch: - # https://github.com/actions/checkout/issues/13#issuecomment-724415212 - # The GH actions bot is used by default if you didn't specify the two fields. - # You can swap them out with your own user credentials. - user_name: github-actions[bot] - user_email: github-actions[bot]@users.noreply.github.com + id: deployment + uses: actions/deploy-pages@v4 diff --git a/.kiro/steering/ci-workflows.md b/.kiro/steering/ci-workflows.md index 872a720c..03b22a19 100644 --- a/.kiro/steering/ci-workflows.md +++ b/.kiro/steering/ci-workflows.md @@ -22,8 +22,10 @@ review churn: `tj-actions/changed-files` compromise, CVE-2025-30066) target third-party actions. There are only a handful in this repo, so the cost is small. Especially mandatory for any third-party action that runs with a `write` - permission scope or receives a token (e.g. `peaceiris/actions-gh-pages` in - `website-deploy.yaml`, which has `contents: write`). + permission scope or receives a token. (The website deploy previously used + `peaceiris/actions-gh-pages` with `contents: write`; it now uses GitHub's + first-party Pages actions with OIDC, so no third-party action holds repository + write access.) - **First-party actions (`actions/*`, `github/*`): a major-version tag (e.g. `@v4`) is acceptable.** These are GitHub-owned and carry a much lower tag-repointing risk. Allowing major tags here removes most Dependabot review diff --git a/.kiro/steering/git-workflow.md b/.kiro/steering/git-workflow.md index ad699982..41b0b990 100644 --- a/.kiro/steering/git-workflow.md +++ b/.kiro/steering/git-workflow.md @@ -28,7 +28,7 @@ Trunk-based development around a single integration branch. |--------|------|-------| | `main` | Default + integration branch. Always releasable. | Protected. No force-push, no deletion. Website auto-deploys from it. | | `v1` | Frozen legacy (pre-rewrite). | Protected. No new features. Security-only fixes if ever. Linked from `CHANGELOG.md`. | -| `gh-pages` | Machine-managed Docusaurus build output. | Never hand-edit; written by `website-deploy.yaml`. | +| `gh-pages` | **Legacy** Docusaurus deploy branch (pre-first-party-Pages). | No longer written — the site now deploys via the first-party Pages artifact model in `website-deploy.yaml`. Delete once the first-party deploy is verified. | | `feat/*`, `fix/*`, `docs/*`, `chore/*`, `ci/*` | Short-lived working branches for non-trivial work. | Branch from `main`, open a PR, delete after merge. | | `dependabot/*` | Automated dependency PRs. | Managed by Dependabot; merge or close, don't push to them. | @@ -187,9 +187,10 @@ supply chain stays protected: second maintainer joins, raise to 1 and add a `CODEOWNERS` file. - **Require linear history** — pairs with squash-merge. - **Signed commits:** recommended if commit signing is set up (SSH/GPG/gitsign). - This rule applies per-branch, so enabling it on `main` does not affect the - `gh-pages` deploy (a separate branch). Dependabot's commits are signed by - GitHub. Optional while solo; enable once your own signing is configured. + The first-party Pages deploy publishes an artifact rather than pushing commits, + so a signed-commits rule on `main` won't interfere with the website deploy. + Dependabot's commits are signed by GitHub. Optional while solo; enable once + your own signing is configured. Revisit these when the contributor base grows: require approvals, add `CODEOWNERS`, and consider promoting ASH to a blocking check. diff --git a/website/README.md b/website/README.md index e6f9731a..7e6a41be 100644 --- a/website/README.md +++ b/website/README.md @@ -26,8 +26,12 @@ This command generates static content into the `build` directory and can be serv ### Deployment -``` -$ GIT_USER= yarn deploy -``` - -If you are using GitHub pages for hosting, this command is a convenient way to build the website and push to the `gh-pages` branch. +Deployment is automated. On every push to `main`, the +[`website-deploy.yaml`](../.github/workflows/website-deploy.yaml) GitHub Actions +workflow builds the site and publishes it to GitHub Pages using GitHub's +first-party Pages actions (build → `upload-pages-artifact` → `deploy-pages` to +the `github-pages` environment). There is no manual deploy step and no push to a +`gh-pages` branch. + +The Docusaurus `yarn deploy` / `npm run deploy` command (which would build and +push to a `gh-pages` branch) is **not** used by this repository. diff --git a/website/docusaurus.config.js b/website/docusaurus.config.js index 9995050f..0e04ed96 100644 --- a/website/docusaurus.config.js +++ b/website/docusaurus.config.js @@ -24,7 +24,6 @@ const config = { // If you aren't using GitHub pages, you don't need these. organizationName: 'aws-samples', // Usually your GitHub org/user name. projectName: 'aws-blockchain-node-runners', // Usually your repo name. - deploymentBranch: 'gh-pages', githubHost: 'github.com', markdown: {