fix: revert "ci: remove redundant docs workflow"

[miyoungc]

Reverts #725

Summary by CodeRabbit

• Chores
  • Added automated documentation validation to pull requests that modify documentation files, configuration files, and related workflows.

[coderabbitai]

📝 Walkthrough

Walkthrough

A new GitHub Actions workflow file has been added to automatically validate documentation on pull requests. The workflow triggers on changes to documentation, README, dependencies, or the workflow itself, installing dependencies and building Sphinx documentation in strict mode with a 10-minute execution limit.

Changes

Cohort / File(s)	Summary
Documentation Workflow .github/workflows/docs.yaml	New GitHub Actions workflow that validates documentation builds. Triggers on docs/**, README.md, pyproject.toml, uv.lock, and the workflow file. Installs Python 3.11, sets up uv, syncs docs dependencies, and builds Sphinx HTML output with strict mode enabled (-W flag).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A workflow emerges, so bright and so new,
Docs build with strictness, through and through,
With Python and Sphinx in harmonious dance,
Ten minutes to verify every glance,
Our documentation blooms, thanks to this chance! 📚✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: reverting a previous commit that removed a docs workflow, and the new file additions confirm this intent.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch revert-725-ci/remove-duplicate-workflows

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ericksoa]

LGTM — straightforward revert restoring the docs build validation on PRs.

[coderabbitai]

🧹 Nitpick comments (2)

.github/workflows/docs.yaml (2)

39-40: Use --locked flag to enforce reproducible CI builds.

Line 40 should explicitly enforce that the lockfile is up to date and prevent it from being modified during installation. Use --locked to fail if uv.lock is out of sync with pyproject.toml, ensuring deterministic behavior in CI.

Suggested change

      - name: Install doc dependencies
-       run: uv sync --group docs
+       run: uv sync --group docs --locked

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docs.yaml around lines 39 - 40, Update the "Install doc
dependencies" step so the install command uses the --locked flag to enforce the
lockfile; specifically modify the command referenced ("uv sync --group docs") to
"uv sync --group docs --locked" so CI fails if uv.lock is out of sync with
pyproject.toml and prevents lockfile changes during the run.

---

29-37: Pin external actions to immutable SHAs for stronger supply-chain integrity.

Lines 29, 32, and 37 use floating major version tags. SHA pinning (e.g., actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v6.2.0) is GitHub's recommended best practice for supply-chain security, as version tags are mutable and can be updated to point to malicious code. Pinning to commit SHAs prevents this risk, particularly for third-party actions like astral-sh/setup-uv@v7. Consider adding comments with the corresponding version tag to allow automated tools like Dependabot to track updates.

Note: This pattern appears across multiple workflows in the repository; consider standardizing as part of a repo-wide security hardening effort.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docs.yaml around lines 29 - 37, The workflow uses floating
major-version tags for external actions (actions/checkout@v6,
actions/setup-python@v6, astral-sh/setup-uv@v7); replace each action reference
with the corresponding immutable commit SHA (pin to the action's full commit
hash) and optionally keep the human-readable tag as a comment (e.g., "# v6.2.0")
so Dependabot/maintainers can track updates; apply the same SHA-pinning pattern
for any other workflows that reference third-party actions to harden
supply-chain security.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/docs.yaml:
- Around line 39-40: Update the "Install doc dependencies" step so the install
command uses the --locked flag to enforce the lockfile; specifically modify the
command referenced ("uv sync --group docs") to "uv sync --group docs --locked"
so CI fails if uv.lock is out of sync with pyproject.toml and prevents lockfile
changes during the run.
- Around line 29-37: The workflow uses floating major-version tags for external
actions (actions/checkout@v6, actions/setup-python@v6, astral-sh/setup-uv@v7);
replace each action reference with the corresponding immutable commit SHA (pin
to the action's full commit hash) and optionally keep the human-readable tag as
a comment (e.g., "# v6.2.0") so Dependabot/maintainers can track updates; apply
the same SHA-pinning pattern for any other workflows that reference third-party
actions to harden supply-chain security.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 0a9b1e74-6855-42e5-8448-4e9a6b7185e5

📥 Commits

Reviewing files that changed from the base of the PR and between 280227f and 8903e45.

📒 Files selected for processing (1)

• .github/workflows/docs.yaml