diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index ffec2308..ac53c02b 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -138,6 +138,7 @@ jobs:
 trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= feel-co.cachix.org-1:nwEFNnwZvtl4KKSH5LDg+/+K7bV0vcs6faMHAJ6xx0w= nvf.cachix.org-1:GMQWiUhZ6ux9D5CvFFMwnc2nFrUHTeGaXRlVBXo+naI=
 - name: Build linkcheck package
+ continue-on-error: true # FIXME: remove when nixpkgs has atleast ndg 2.9.1
 run: nix build .#docs-linkcheck -Lv
 check-editorconfig:
diff --git a/.github/workflows/docs-preview.yml b/.github/workflows/docs-preview.yml
index 5addf86a..5a046ebf 100644
--- a/.github/workflows/docs-preview.yml
+++ b/.github/workflows/docs-preview.yml
@@ -9,13 +9,6 @@ on:
 - "modules/**"
 - "docs/**"
-# Defining permissions here passes it to all jobs.
-# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
-permissions:
- contents: write
- pull-requests: write
- issues: write
-
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
@@ -23,8 +16,15 @@ concurrency:
 jobs:
 build-preview:
 runs-on: ubuntu-latest
+ # NOTE: This job runs untrusted code.
+ # Don't give it any permissions.
+ permissions: {}
 steps:
 - uses: actions/checkout@v6
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ persist-credentials: false
+
 - uses: cachix/install-nix-action@v31.10.6
 with:
 nix_path: nixpkgs=channel:nixos-unstable
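Review bot: `continue-on-error: true` on the linkcheck build step turns a failing `nix build .#docs-linkcheck` into a warning annotation on an otherwise green job, so a real link-check regression will pass unnoticed for as long as this line stays, and nothing in the workflow ties it to the nixpkgs ndg bump it is waiting for. Make the suppression visible and time-bounded: reference the tracking issue in the comment and fix the typo, e.g. `continue-on-error: true # FIXME: remove once nixpkgs ships ndg >= 2.9.1 (tracking issue link here)`, so the next person who sees a yellow job knows why it is tolerated and when it must go. The job this step belongs to starts before the hunk.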
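Review bot: `permissions: {}` and `persist-credentials: false` only neutralise GITHUB_TOKEN in `build-preview`; if this workflow fires on `pull_request_target` (the trigger sits above the hunk and is not visible here), repository secrets are still injected into any step of this job that references `secrets.*`, so the isolation holds only as long as nobody adds such a reference. The visible steps correctly use no secrets, but the NOTE should say so explicitly so that a later contributor does not drop a Cachix push token into this job: `# NOTE: This job builds untrusted PR code (checked out at head.sha). Give it no permissions and never reference secrets.* from it; anything that pushes (cache, Pages branch, PR comment) lives in the trusted jobs below.` Pinning `ref` to `head.sha` rather than `head.ref` is the right call, since the commit cannot move under the run. The `build-preview` job continues past the end of this hunk.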
@@ -44,6 +44,25 @@ jobs:
 - name: Build documentation packages
 run: nix build .#docs-html --print-build-logs || exit 1
+ - name: Upload built docs
+ uses: actions/upload-artifact@v4
+ with:
+ name: docs-html
+ path: result/share/doc/
+ retention-days: 1
+
+ deploy-preview:
+ needs: build-preview
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - name: Download built docs
+ uses: actions/download-artifact@v4
+ with:
+ name: docs-html
+ path: built-docs
+
 - name: Deploy to GitHub Pages preview
 run: |
 PR_NUMBER=${{ github.event.pull_request.number }}
@@ -57,7 +76,7 @@ jobs:
 mkdir -p $PREVIEW_DIR
 # Copy the build files to the preview subdirectory
- cp -rvf ../result/share/doc/* ./$PREVIEW_DIR
+ cp -rvf ../built-docs/* ./$PREVIEW_DIR
 # Configure git to use the GitHub Actions token for authentication
 git config --global user.name "GitHub Actions"
@@ -71,9 +90,11 @@ jobs:
 git commit -m "Deploy PR #${PR_NUMBER} preview" || echo "No changes to commit"
 git push --force origin $BRANCH_NAME
- comment-url:
- needs: build-preview
+ comment:
+ needs: deploy-preview
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
 steps:
 - name: Prepare Environment
 id: prelude
@@ -130,9 +151,11 @@ jobs:
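Review bot: `deploy-preview` pushes with `contents: write` whatever the untrusted `build-preview` job uploaded, so the artifact is now the trust boundary, yet `actions/upload-artifact@v4` and `actions/download-artifact@v4` are pinned only to a floating major tag while the same file pins `cachix/install-nix-action` to an exact version. Pin both artifact actions to a full commit SHA with the version in a trailing comment, so a mutated tag cannot change what lands in a job that holds a write token. The job also has no checkout step, so the `git push --force` in the deploy script must authenticate explicitly; the git configuration between the `Configure git` comment and the push is not in this diff, so please confirm it does not rely on credentials persisted by `actions/checkout`. Finally, GITHUB_TOKEN cannot be branch-scoped, so a comment above `permissions:` should record the blast radius: `# contents: write is repo-wide; branch protection on the default branch is what keeps this token to the preview branch.`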
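Review bot: Renaming the job from `comment-url` to `comment` (and `cleanup` to `cleanup-preview` further down) changes the check names GitHub reports, so any branch-protection rule or ruleset listing the old names as required checks will wait forever for a check that no longer runs; update those rules in the same change or keep the old job ids. `pull-requests: write` is the right scope for a job that only posts a comment, and depending on `deploy-preview` rather than `build-preview` correctly means no preview link is posted when the push failed. The `Prepare Environment` step continues past the end of this hunk.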
Reruns: ${{ env.RUNS }}
- cleanup:
+ cleanup-preview:
 if: ${{ github.event.pull_request.merged == true || github.event.pull_request.state == 'closed' }}
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - name: Checkout repository
 uses: actions/checkout@v6
@@ -168,8 +191,10 @@ jobs:
 git push origin $BRANCH_NAME
 cleanup-comment:
- needs: cleanup
+ needs: cleanup-preview
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
 steps:
 - name: Checkout repository
 uses: actions/checkout@v6
diff --git a/docs/default.nix b/docs/default.nix
index e3862552..68b44dd6 100644
--- a/docs/default.nix
+++ b/docs/default.nix
@@ -92,7 +92,6 @@
 # Generate the HTML manual pages
 html = pkgs.callPackage ./manual.nix {
- inherit inputs;
 inherit (nvimModuleDocs) optionsJSON;
 };
 in {
diff --git a/docs/manual.nix b/docs/manual.nix
index 10f586c2..e12777e7 100644
--- a/docs/manual.nix
+++ b/docs/manual.nix
@@ -1,9 +1,9 @@
 {
- inputs,
 path,
 stdenvNoCC,
 optionsJSON,
 jaq,
+ ndg,
 gnused,
 } @ args: let
 manual-release = args.release or "unstable";
@@ -14,10 +14,7 @@ in
 src = ./manual;
 nativeBuildInputs = [
- (inputs.ndg.packages.${stdenvNoCC.system}.ndg.overrideAttrs {
- # FIXME: the tests take too long to build
- doCheck = false;
- })
+ ndg
 jaq
 gnused
 ];
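Review bot: The `if:` guard on `cleanup-preview` is redundant: a merged pull request is always in state `closed`, so `github.event.pull_request.merged == true ||` adds nothing and `if: ${{ github.event.pull_request.state == 'closed' }}` expresses the same condition (if the intent is "on the closed event", `github.event.action == 'closed'` is the direct form). `contents: write` is justified because the job pushes to the preview branch, and `actions/checkout@v6` keeps its default `persist-credentials: true` for that push, which is fine only as long as this job never checks out PR-controlled code; record that constraint next to the permission: `# Needs contents: write to push the cleanup commit; this job must only ever check out the base branch, never the PR head.` The `Reruns:` line at the top of this hunk belongs to a step of the preceding job whose start is outside the hunk.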
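Review bot: `cleanup-comment` is granted only `pull-requests: write`, yet its `actions/checkout@v6` step keeps the default `persist-credentials: true`, leaving the token in `.git/config` of a job that, judging by its name and permissions, only posts a comment and never pushes. Add `with:` / `persist-credentials: false` under that `uses:` line, mirroring what this commit already does for `build-preview`, or drop the checkout entirely if the remaining steps (past the end of this hunk) do not need the tree. The `git push origin $BRANCH_NAME` context line at the top of the hunk is the tail of `cleanup-preview`, not this job.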
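Review bot: Replacing the flake-input `ndg` (with its `doCheck = false` override) by nixpkgs' `ndg` means the manual is now built with whatever version nixpkgs carries, and the new `continue-on-error` FIXME in check.yml says that version is currently older than 2.9.1; nothing in this file records which version the HTML build itself needs. Add the requirement next to the dependency so the two do not drift, e.g. `ndg # nixpkgs currently ships < 2.9.1 (see check.yml FIXME); confirm docs-html does not depend on the newer release`. The derivation this `nativeBuildInputs` list belongs to starts and ends outside the hunk.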