Migrate Pages to Actions deploy and fix changelog race

[d4rken]

What changed

The website's changelog page on octi.darken.eu will stay in sync with new releases. Until now the rendered changelog could fall behind the actual GitHub Releases, sometimes for weeks, until an unrelated commit happened to land on main.

Technical Context

• Root cause: GitHub Pages used the legacy "Deploy from a branch" mode, so the site rebuilt every time a commit landed on main. Tag pushes do not land on main directly — they trigger release-tag.yml, which then publishes the GitHub Release minutes later. Jekyll's site.github.releases (via jekyll-github-metadata) therefore captured stale data, and the next site rebuild only happened on the next unrelated main push.
• Pages migration: replaces the legacy auto flow with a custom pages.yml. All Pages actions are pinned by SHA and Node-24 native (configure-pages@v6, jekyll-build-pages@v1.0.13, upload-pages-artifact@v5, deploy-pages@v5). JEKYLL_GITHUB_TOKEN is set on the build step so jekyll-github-metadata is authenticated. The build job runs with contents: read only; pages: write and id-token: write are scoped to the deploy job. A sanity-check step asserts _site/index.html and _site/CNAME exist, catching silent Jekyll-output failures (over-aggressive _config.yml excludes, dropped CNAME).
• Trigger architecture: the new workflow is triggered exclusively by workflow_dispatch. After release-github finishes creating the GitHub Release, it calls gh workflow run pages.yml --ref main to chain the rebuild. workflow_dispatch is one of the documented exceptions where secrets.GITHUB_TOKEN-emitted events do create new workflow runs; release: published is not in that exception list, so it would not fire from a release created via the GitHub Token. This is why we did not adopt the release: published trigger pattern used by some sister-project PRs.
• Gemfile relocation: moved root Gemfile/Gemfile.lock into fastlane/. actions/jekyll-build-pages reads SOURCE/Gemfile and the root file only declared gem "fastlane", which conflicted with github-pages. The release-gplay job now points BUNDLE_GEMFILE and ruby/setup-ruby's working-directory at the moved location; bundle exec fastlane … keeps running from the repo root, so lane discovery is unchanged. A bundle exec fastlane --version step right after setup-ruby exercises the wiring on every release — the lane bodies are gated behind !dry_run, so this is the only way to e2e-test the relocation short of a real beta tag.
• Cleanups bundled in: softprops/action-gh-release v2.5.0 → v3.0.0 (Node-24 bump), drop the dead ~/.android/build-cache cache step (AGP 7+ doesn't write to that path), drop redundant Gemfile/Gemfile.lock excludes from _config.yml, add _site/, .jekyll-cache/, vendor/bundle/ to .gitignore.

Review guidance

• One-time settings change required after merge: Settings → Pages → Source: switch from "Deploy from a branch" to "GitHub Actions". Equivalent CLI: gh api -X PUT repos/d4rken-org/octi/pages -f build_type=workflow. Custom domain octi.darken.eu and HTTPS enforcement are preserved across the flip.
• The release-gplay Gemfile relocation can't be exercised via workflow_dispatch dry_run=true (the lane steps are gated behind !dry_run); the new Verify fastlane Bundler wiring step covers it on every release.
• After merge & settings toggle, manually workflow_dispatch pages.yml once to rebuild with the latest releases without waiting for the next tag.

[d4rken]

Heads-up from comparing trigger architectures across the parallel sister-repo PRs (capod#556 is the equivalent on the AirPods repo).

The new gh workflow run pages.yml step here uses secrets.GITHUB_TOKEN. That's fine — workflow_dispatch is one of the events allowed to chain across GITHUB_TOKEN, unlike release: published. But gh workflow run calls POST /repos/{owner}/{repo}/actions/workflows/{id}/dispatches, which requires actions: write on the token, and the release-github job's permissions: block here only declares contents: write.

So whether the chain succeeds depends on this repo's default workflow-token permissions:

• If Settings → Actions → General → Workflow permissions is "Read and write permissions": chain works.
• If it's "Read repository contents and packages permissions" (the default for repos created since Sep 2022): chain returns 403 and Pages silently doesn't rebuild — same broken-chain failure mode the release: published mistake would have produced.

Easy fix: add actions: write to the job's permissions block so it's explicit and independent of the repo's Settings page:

  release-github:
    permissions:
      contents: write
      actions: write