Skip to content

General: Migrate Pages to Actions deploy and refresh Node-20 actions#556

Merged
d4rken merged 8 commits into
mainfrom
fix/ci-node20-deprecation
Apr 28, 2026
Merged

General: Migrate Pages to Actions deploy and refresh Node-20 actions#556
d4rken merged 8 commits into
mainfrom
fix/ci-node20-deprecation

Conversation

@d4rken

@d4rken d4rken commented Apr 28, 2026
edited
Loading

Copy link
Copy Markdown
Member

What changed

No user-facing behavior change.

CI/CD maintenance to clear Node 20 deprecation warnings before GitHub forces Node 24 on 2026-06-02 and removes Node 20 entirely on 2026-09-16 (changelog). Eight focused commits:

  1. action-gh-release v2.5.0 → v3.0.0 in release-tag.yml. v3 is the only line that runs on Node 24; inputs we use (prerelease, tag_name, name, generate_release_notes, files) are unchanged.
  2. Drop the ~/.android/build-cache cache step in common-setup. The path is rarely created by lint / unit-test / assemble-debug jobs, so the cache action emitted Path Validation Error: Path(s) specified in the action for caching do(es) not exist on every run without saving anything useful.
  3. Custom Pages workflow (.github/workflows/pages.yml) replacing GitHub's auto pages-build-deployment (which still pins actions/checkout@v4 + actions/upload-artifact@v4 on Node 20). Uses configure-pages@v6, jekyll-build-pages@v1.0.13, upload-pages-artifact@v5, deploy-pages@v5 — all on Node 24.
  4. Gemfile/Gemfile.lockfastlane/. Fastlane was the only consumer; release-gplay now sets BUNDLE_GEMFILE=fastlane/Gemfile and runs ruby/setup-ruby with working-directory: fastlane; lanes still run from the repo root.
  5. Pages trigger via explicit chain from release-tag.yml + sibling-PR refinements: per-job least-privilege permissions, JEKYLL_GITHUB_TOKEN on the Jekyll build step, Jekyll output sanity check, explicit upload-pages-artifact path, fastlane Bundler wiring sanity step. release-github gains actions: write so the chain dispatch is allowed regardless of repo default workflow-token permissions.
  6. Drop dead Gemfile excludes from _config.yml and ignore Jekyll artifacts in .gitignore (_site/, .jekyll-cache/, vendor/bundle/).
  7. Also rebuild Pages on push: [main] (not just the chain). Lets edits to README.md / _config.yml / _layouts/ / the CHANGELOG.md template publish without manual dispatch. The chain remains so the post-release rebuild captures the just-published release in site.github.releases. concurrency: group: pages, cancel-in-progress: false serialises the two runs around a release. Adds an if: github.ref == 'refs/heads/main' deploy guard so a workflow_dispatch from a non-main branch builds for verification but does not deploy.
  8. Drop stale app-common exclude in _config.yml (the module was merged into app/ in be8f4919).

Technical Context

  • Why explicit gh workflow run and not release: published: events triggered by secrets.GITHUB_TOKEN (which softprops/action-gh-release uses) do not start new workflow runs — only workflow_dispatch and repository_dispatch are exceptions (docs). A release: published trigger would never fire in production. workflow_run was rejected because a release-gplay failure marks the whole run failure and would skip the rebuild even when the GitHub Release succeeded.
  • Why this also fixes a pre-existing race: the legacy auto pages-build-deployment rebuilt as soon as the release commit landed on main, but the GitHub Release itself only appeared minutes later (after the APK build finishes in release-tag.yml). site.github.releases therefore captured a snapshot without the new release. capod's v5.1.1-rc0 release was missed by 1h 41m and only got fixed by an unrelated follow-up push to main. The new chain rebuilds Pages after the release is published, so the changelog page is always current.
  • actions: write on release-github: required for gh workflow run against this repo. Without it, the dispatch returns 403 if repo Settings → Actions → Workflow permissions is on the GitHub default ("Read repository contents and packages permissions").
  • Out of scope here: dorny/test-reporter Node 24 bump (sibling sdmaid-se PR includes it; capod has no test-reports.yml).

Review checklist

  • Pre- or post-merge: flip Pages source from "Deploy from a branch" to "GitHub Actions": gh api -X PUT repos/d4rken-org/capod/pages -f build_type=workflow. Verify cname=capod.darken.eu and https_enforced=true survive the flip.
  • After the flip + merge, confirm a Deploy GitHub Pages run fires on the merge commit (because of the new push: [main] trigger) and https://capod.darken.eu/changelog still shows v5.1.1-rc0 as latest.
  • Run Tagged releases via workflow_dispatch with dry_run=true. The new "Verify fastlane Bundler wiring" step (bundle exec fastlane --version) should pass — it exercises the relocated Gemfile end-to-end without uploading anything.
  • Next real v* tag: confirm the "Trigger GitHub Pages deployment" step ran in release-github, that a chained Deploy GitHub Pages run appears immediately after, and that the changelog page picks up the new release.

d4rken added 4 commits April 28, 2026 10:30
@d4rken
chore(ci): Bump action-gh-release to v3.0.0 (Node 24)
481dd2f
@d4rken
chore(ci): Drop unused Android build-cache step
58d02f6
@d4rken
chore(ci): Migrate Pages to custom workflow with Node 24 actions
ab1f5ad 
Replaces the auto pages-build-deployment (which still uses Node-20 actions/checkout@v4 and actions/upload-artifact@v4) with a custom workflow using configure-pages@v6, jekyll-build-pages@v1.0.13, upload-pages-artifact@v5, deploy-pages@v5.

Triggered by release publication so the changelog Liquid template (which reads site.github.releases) only rebuilds when a release actually exists. workflow_dispatch is kept for manual rebuilds when debugging Pages content.
@d4rken
chore(ci): Move Gemfile to fastlane/ for tidier layout
a755a0b 
The root Gemfile only ever declared the fastlane gem and lived next to fastlane configuration anyway. Moving it under fastlane/ matches that ownership and keeps the repo root cleaner.

release-gplay job now sets BUNDLE_GEMFILE=fastlane/Gemfile and runs ruby/setup-ruby with working-directory=fastlane so bundler-cache resolves the moved Gemfile. fastlane lanes still run from the repo root.
@d4rken d4rken changed the title General: Move release pipeline to Node 24 actions General: Migrate Pages to Actions deploy and refresh Node-20 actions Apr 28, 2026
d4rken added 2 commits April 28, 2026 11:40
@d4rken
chore(ci): Chain Pages deploy from release-tag.yml and adopt org refi…
40c1b5d 
…nements

release: published events triggered by secrets.GITHUB_TOKEN do not start new workflow runs (only workflow_dispatch and repository_dispatch are exceptions). The Pages workflow's release: published trigger would never have fired in production since release-tag.yml's softprops/action-gh-release uses GITHUB_TOKEN to publish.

Fix: drop the release: published trigger and have release-tag.yml's release-github job explicitly run gh workflow run pages.yml --ref main after the release is created. release-github gains actions: write to authorize the dispatch.

Also adopts refinements from sibling org PRs (permission-pilot#356, bluemusic#220):

- Top-level permissions reduced to contents: read; pages: write and id-token: write moved to the deploy job only (least privilege)

- JEKYLL_GITHUB_TOKEN on the build step so jekyll-github-metadata authenticates when fetching site.github.releases

- Sanity-check step (test -f _site/index.html && _site/CNAME) fails fast if Jekyll produced nothing

- Explicit upload-pages-artifact path: ./_site matches the build's destination

- Verify fastlane Bundler wiring step (bundle exec fastlane --version) lets workflow_dispatch dry_run=true exercise the relocated Gemfile before the next real release
@d4rken
chore: Drop dead Gemfile excludes and ignore Jekyll artifacts
67143d3 
After moving Gemfile/Gemfile.lock to fastlane/, the - Gemfile / - Gemfile.lock entries in _config.yml's exclude list are no-ops; the parent fastlane exclude already covers everything inside.

.gitignore picks up _site/, .jekyll-cache/, vendor/bundle/ so local Jekyll runs don't leave tracked artifacts.
@d4rken

d4rken commented Apr 28, 2026

Copy link
Copy Markdown
Member Author

Cross-flagging from a parallel migration in octi#251 — the on: release: { types: [published] } trigger here likely won't fire as intended.

Per GitHub's docs on triggering a workflow from a workflow:

When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, will not create a new workflow run.

release-tag.yml creates the release with softprops/action-gh-release using secrets.GITHUB_TOKEN. release: published is not in the exception list, so the release event from a token-emitted release will not start pages.yml. Net effect: after merge + settings flip, the only path that rebuilds the site is the manual workflow_dispatch, which is the same as the pre-PR state for automatic updates.

The two ways out:

  1. Switch the trigger to workflow_dispatch only and add a chained gh workflow run pages.yml --ref main step at the end of the release-github job (after Create release). workflow_dispatch is in the exception list, so it does fire across the token boundary. This is the path we took in octi#251.
  2. Use a PAT instead of GITHUB_TOKEN for the release-creation step. The non-GITHUB_TOKEN path doesn't have the chain restriction, but it pulls a PAT into your CI surface.

Easy to verify on a draft tag: tag a dry_run-disabled *-beta and watch whether pages.yml actually runs from the release event. If it doesn't, option 1 is the cleanest fix.

d4rken added 2 commits April 28, 2026 11:53
@d4rken
chore(ci): Also rebuild Pages on main pushes for content edits
878de24 
Adds push: [main] alongside workflow_dispatch so edits to README.md, _config.yml, _layouts, or the CHANGELOG.md template publish without a manual dispatch. The chain step in release-tag.yml still runs after release publish to guarantee the new release is in site.github.releases by the time Pages rebuilds — concurrency: cancel-in-progress: false serialises the two runs.

Adds an if: github.ref == 'refs/heads/main' guard on the deploy job so workflow_dispatch from a non-main branch builds for verification but doesn't deploy.
@d4rken
chore: Drop stale app-common exclude from _config.yml
93c6494 
app-common module was merged into app/ in be8f491; the exclude has been a no-op since.
@d4rken d4rken mentioned this pull request Apr 28, 2026
Merged
6 tasks
@d4rken d4rken merged commit 367c8d2 into main Apr 28, 2026
10 checks passed
@d4rken d4rken deleted the fix/ci-node20-deprecation branch April 28, 2026 10:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@d4rken