feat(.github/workflows/deploy-docs.yaml): trigger reindex on release.published (DOCS-327)#26070
Conversation
…published (DOCS-327)
When a stable vX.Y.Z release is published on coder/coder, the docs
reindex workflow now fires automatically against the corresponding
release/X.Y branch. Eliminates the manual workflow_dispatch step from
the mainline rotation runbook.
Behavior:
* release.types: [published] is added alongside the existing push and
workflow_dispatch triggers.
* The 'Compute action and ref' step gains a release-event branch that:
- Skips prereleases (github.event.release.prerelease == true) with a
workflow notice and a clean exit 0, so backport release candidates
do not trigger an index.
- Matches the tag against ^v([0-9]+)\\.([0-9]+)\\.[0-9]+$ and
translates v2.35.0 to release/2.35 (etc).
- Falls through with a notice and exit 0 for any tag that does not
match the plain semver shape (e.g. v2.35, v2.35.0-rc.1).
* The downstream validation, HMAC body construction, and POST step are
unchanged.
This change is intentionally inert until coder.com's INDEXED_REFS_BY_CORPUS
allowlist becomes self-rotating (filed under DOCS-210). Until then, the
handler still rejects new minors with {action: "skipped", reason:
"...not in INDEXED_REFS_BY_CORPUS"}, and this workflow logs the skip.
Pre-wiring lets both halves land roughly in parallel so the next
release cut after both ship is automatic.
|
/coder-agents-review |
|
Chat: Review in progress | View chat deep-review v0.7.1 | Round 1 | Last posted: Round 1, 1 findings (1 P2), COMMENT. Review Finding inventoryFindings
Round logRound 1About deep-reviewCRF = Coder Review Finding (P0-P4, Nit, Note)
|
There was a problem hiding this comment.
First-pass review (Netero). This is a mechanical scan only; the full review panel has not yet reviewed this PR. The panel will review after this finding is addressed.
The wiring for the new release.published trigger is well-structured: the tag-to-branch translation is clear, the prerelease and non-semver gates are defensive, and the comment updates accurately describe the new three-source trigger model. The 11-scenario hand-trace in the description is thorough.
One P2 found.
"Base code had no early-exit paths; ACTION and REF were always populated before reaching $GITHUB_OUTPUT. The two exit 0 calls are new in this PR." -- Netero
🤖 This review was automatically generated with Coder Agents.
| if [ "${EVENT_NAME:-}" = "release" ]; then | ||
| if [ "${RELEASE_PRERELEASE:-false}" = "true" ]; then | ||
| echo "::notice::Skipping prerelease ${RELEASE_TAG:-<unknown>}; no docs reindex." | ||
| exit 0 |
There was a problem hiding this comment.
P2 [CRF-1] Early exit 0 on prerelease skip (line 286) and regex miss (line 294) succeed the "Compute action and ref" step without writing action or ref to $GITHUB_OUTPUT. The downstream "POST to coder.com docs indexer" step (line 350) has no if: guard on steps.input.outputs.action, so it runs unconditionally with empty ACTION and REF env vars, sending {"action":"","corpus":"v2","ref":"","paths":[]} to the production handler.
The handler's allowlist likely rejects the empty ref, so this is not data-corrupting. But every prerelease publish and every non-semver tag release would send unintended traffic to production and produce a confusing error in the step summary.
Before this PR, no early-exit paths existed; ACTION and REF were always populated before reaching $GITHUB_OUTPUT.
Fix: add if: steps.input.outputs.action != '' to the POST step (line 350). This is a clean sentinel because the step only writes action on the success path. (Netero)
🤖
Closes DOCS-327.
What
Add
release: { types: [published] }to.github/workflows/deploy-docs.yamlso that publishing a stablevX.Y.ZGitHub Release on this repo auto-dispatches the docs-sync handler against the correspondingrelease/X.Ybranch. The existingpushandworkflow_dispatchtriggers are unchanged.The
Compute action and refstep gains a release-event branch that:github.event.release.prerelease == true) with a workflow notice.^v([0-9]+)\.([0-9]+)\.[0-9]+$and translatesv2.35.0torelease/2.35.exit 0for any tag that doesn't match the plain semver shape (v2.35,v2.35.0-rc.1, etc.).Downstream validation, HMAC body construction, and the POST step are unchanged.
Why
Today, every mainline rollover requires a human to dispatch this workflow manually with
action=index, ref=release/X.Y. We just hit this rotation friction on DOCS-324 (v2.34 launch) and the resulting empty-search-results incident on/docs/@v2.34.x/....release.publishedis the right cue: it fires exactly when a version becomes user-visible, not when its release branch is cut weeks earlier with possibly-incomplete docs.Coupling (important)
This change is intentionally inert until coder.com's
INDEXED_REFS_BY_CORPUSallowlist becomes self-rotating (filed under DOCS-210). Until that lands, the handler still rejects new minors with{action: "skipped", reason: "...not in INDEXED_REFS_BY_CORPUS"}and this workflow logs the skip. Pre-wiring lets both halves land roughly in parallel so the next release cut after both ship is automatic.Reviewers: feel free to merge this independently. There is no downside to the wiring being live before the allowlist half ships; worst case, every release-publish event creates a no-op workflow run.
Behavior trace (the cases the bash handles)
11 event scenarios I walked through by hand
index,ref=main(existing)index,ref=release/2.34(existing)index,ref=release/2.34(existing)delete,ref=release/2.31(existing)v2.35.0falseindex,ref=release/2.35(new)v2.35.0-rc.1trueexit 0(new)v2.35.0-rc.1falseexit 0, regex miss (new)v2.35falseexit 0, regex miss (new)release-2.35falseexit 0, regex miss (new)v0.0.0falseindex,ref=release/0.0then handler rejects via allowlist (defense in depth)<unknown>+exit 0Safety
{action: "skipped"}responses until DOCS-210's allowlist-derivation lands. No risk of indexing an unintended ref.case "$REF" in main|release/*)) rejects any translation output that isn'trelease/<int>.<int>. Defense in depth in case the regex ever loosens by accident.release.published, not push-on-paths. Workflow file edits cannot induce a release event.concurrency: { group: deploy-docs-${{ github.ref }} }already exists. Release events havegithub.ref=refs/tags/vX.Y.Z, distinct from push events on the same release branch. A theoretical race resolves through the handler's atomic deleteBy+saveObjects.Verification
actionlint .github/workflows/deploy-docs.yamlclean.make pre-commit-lightclean:fmt/shfmt,fmt/markdown,lint/actions/actionlint,lint/shellcheck,lint/markdown,lint/emdash,lint/typos, etc.Out of scope
main).Coder Agents on behalf of @nickvigilante.