fix(.github/workflows/deploy-docs.yaml): drop self-trigger from paths#25285
Conversation
Editing this workflow no longer auto-fires a production Algolia reindex. Reindexes now require a docs/** change or manual workflow_dispatch. Refs DOCS-121, DOCS-122, DOCS-124.
|
/coder-agents-review |
There was a problem hiding this comment.
Clean incident response. A 4-line patch that removes the self-trigger from deploy-docs.yaml's paths: filter, fixing the root cause of DOCS-121 (production Algolia index wipe). Eight reviewers examined the change; none found a code defect. The fix is proportional, the comment is informative, and the handler-side guard is properly deferred to DOCS-122.
Three Notes below, all advisory.
"I tried to build a case against this and couldn't. The problem is correctly understood, the solution is proportional, and the fix is at the right causal level." (Pariston)
🤖 This review was automatically generated with Coder Agents.
| @@ -31,8 +31,10 @@ on: | |||
| - main | |||
| - "release/*" | |||
| paths: | |||
There was a problem hiding this comment.
Note [DEREM-2] The self-reference that caused DOCS-121 was introduced by PR #25049 (merged May 12), which added the paths: entry while simultaneously writing the changes job that falls back to whole-branch reindex on empty diff. The agent had the information to predict this failure mode but did not trace the "workflow-only change" execution path. (Mafu-san)
🤖
|
/coder-agents-review |
There was a problem hiding this comment.
Re-review, no new findings. Four reviewers (Mafu-san, Mafuuu, Pariston, Meruem) verified prior findings and author responses.
DEREM-1 closed: author filed DOCS-129 and shipped a full sibling audit in PR #25288 (removed docs-ci.yaml self-ref, added comments to kept refs). DEREM-3 closed: DOCS-122 confirmed High/active with a contract test in coder.com#777. DEREM-2 remains an open Note (process observation, no action requested).
Mafuuu noted that the header comment ("whenever this branch's docs/** content changes") was previously dishonest because the workflow also triggered on its own edits; the trigger now matches the stated contract.
"I tried to build a case against this change and could not." (Pariston, for the second time)
🤖 This review was automatically generated with Coder Agents.
|
Security review (on behalf of @jdomeracki-coder, generated by Coder Agents) No blocking security issues. This is a positive security fix. Observations:
|
Edits to
.github/workflows/deploy-docs.yamlpreviously self-triggered the workflow on push tomainandrelease/*because the file was listed in its ownpaths:. On 2026-05-12, this caused merge of #25049 to fire a production reindex with nodocs/**changes, which entered the empty-paths_jsonwhole-branch path in the Algolia handler and wiped thedocsindex (see DOCS-121).This change removes
.github/workflows/deploy-docs.yamlfrompaths:so the workflow only runs against real docs content. Reindexes from a workflow edit alone now requireworkflow_dispatch, which already accepts arefinput and anactionchoice ofindexordelete. The other safety net (a workflow-levelpaths_json=[]guard inalgolia-and-isr) is tracked separately in DOCS-122.Refs DOCS-121, DOCS-122, DOCS-124.
Coder Agents on behalf of @nickvigilante.