Improve CI workflows for docs and publishing

[adamamer20]

Documentation:

1. PRs that touch docs/** build once with a read-only token, upload the static site as an artifact, and a separate workflow_run deployer publishes to gh-pages under preview/{branch}/{short_sha}/. This split keeps fork PRs safe (no secrets exposed to untrusted builds) while still delivering live previews.
2. We convert docs/general/**/*.py jupytext notebooks to.ipynb during the build, so tutorials stay human-readable in git history while still rendering as notebooks.

Publishing:

1. Switch to using uv to manage hatch
2. Automatically prepend release notes into CHANGELOG.md and push to main so release metadata stays in sync.

Summary by CodeRabbit

Release Notes

• Chores
  • Enhanced documentation build pipeline with automated notebook processing and separated main/preview deployments; PR previews now generated under dedicated subfolders.
  • Streamlined release workflow with automated changelog generation and improved dependency tooling integration.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.23%. Comparing base (907c2b6) to head (be0abd2).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #187   +/-   ##
=======================================
  Coverage   89.23%   89.23%           
=======================================
  Files          14       14           
  Lines        2007     2007           
=======================================
  Hits         1791     1791           
  Misses        216      216           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[adamamer20]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Refactors GitHub Actions workflows to modernize tooling and deployment orchestration. The documentation workflow restructures into separate build and deploy jobs with artifact-based deployment paths. The publish workflow replaces direct tool invocations with UV-based execution and introduces automated changelog generation from release notes.

Changes

Cohort / File(s)	Summary
Documentation deployment restructuring .github/workflows/docs-gh-pages.yml	Splits single job into multi-job architecture: build job (new steps for jupytext conversion, MkDocs, and Sphinx builds with artifact upload and short SHA output) and parallel deploy-main/deploy-preview jobs (with explicit needs dependencies and distinct deployment strategies including per-PR preview paths).
Tooling modernization & changelog management .github/workflows/publish.yml	Replaces direct Python tool invocations with UV-based equivalents (uvx hatch, uv pip); adds new steps for changelog generation from release notes, prepending to CHANGELOG.md, and committing updates with modified version branch and bump logic.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• docs-gh-pages.yml: Job orchestration logic with artifact handling, short SHA output chaining, and conditional deployment paths (main vs. preview with subfolder construction) require verification
• publish.yml: Changelog generation logic, CHANGELOG.md mutation and commit handling, and version retrieval via UV need careful validation to ensure release notes flow is correct
• Both files: Confirm all job dependencies resolve correctly and that artifact upload/download mechanics work as intended

Suggested labels

ci

Suggested reviewers

• EwoutH
• Ben-geo

Poem

🐰 A workflow once tangled, now neatly arranged,
With UV at the helm and deployments exchanged—
From single to multi, with artifacts passed,
Preview paths flourish, changelogs amassed! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Improve CI workflows for docs and publishing' accurately captures the main changes, which involve reworking documentation and publishing GitHub Actions workflows with enhanced features like preview deployments and changelog automation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch split/gh-workflows

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (3)

.github/workflows/publish.yml (1)

65-88: CRITICAL: CHANGELOG updates won't reach main due to detached HEAD state.

The workflow commits CHANGELOG changes while on a detached HEAD (at the release tag), then attempts git push origin main || true. Since no local main branch exists at this point, the push is silently skipped. The subsequent git checkout main (line 106) resets the worktree, leaving CHANGELOG stale on main.

This is the issue flagged in the previous review. To fix, checkout main before committing the CHANGELOG update:

-    - name: Commit and push CHANGELOG update
-      env:
-        TAG: ${{ steps.notes.outputs.tag }}
-      run: |
-        git config user.name github-actions
-        git config user.email [email protected]
+    - name: Commit and push CHANGELOG update
+      env:
+        TAG: ${{ steps.notes.outputs.tag }}
+      run: |
+        git config user.name github-actions
+        git config user.email [email protected]
+        git checkout main
         git add CHANGELOG.md
         # Avoid CI cycles
         git commit -m "Changelog: add notes for ${TAG} [skip ci]" || echo "No changelog changes to commit"
         git push origin main || true

.github/workflows/docs-gh-pages.yml (2)

82-96: CRITICAL: deploy-preview will fail for fork PRs due to read-only token.

The previous review flagged this: the deploy-preview job runs for all PRs, but when triggered from a fork, secrets.GITHUB_TOKEN is read-only, causing peaceiris/actions-gh-pages to fail. This blocks documentation-only PRs from external contributors.

Add a guard condition to skip deployment for fork PRs:

   deploy-preview:
     needs: build
-    if: github.event_name == 'pull_request'
+    if: github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:

Consider adding a separate step to post the preview URL as a comment for fork PRs (optional enhancement).

---

67-80: Add permissions block to deploy-main job.

The job lacks an explicit permissions statement for GITHUB_TOKEN. Since this job publishes to gh-pages, add a minimal permissions block to limit token scope. This aligns with the permissions patterns used elsewhere in the project (e.g., publish.yml).

Add permissions to this job:

   deploy-main:
     needs: build
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:

Note: The deploy-preview job has the same issue and should also receive a permissions block.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3037456 and 3153696.

📒 Files selected for processing (2)

• .github/workflows/docs-gh-pages.yml (1 hunks)
• .github/workflows/publish.yml (2 hunks)

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: CR
Repo: projectmesa/mesa-frames PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-08T18:41:11.772Z
Learning: In pull requests, link issues, summarize changes, note API impacts, and add/adjust tests and documentation

📚 Learning: 2025-12-08T18:41:11.772Z

Learnt from: CR
Repo: projectmesa/mesa-frames PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-08T18:41:11.772Z
Learning: Use `docs/` directory for MkDocs and Sphinx content for user and API documentation

Applied to files:

• .github/workflows/docs-gh-pages.yml

📚 Learning: 2025-12-08T18:41:11.772Z

Learnt from: CR
Repo: projectmesa/mesa-frames PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-08T18:41:11.772Z
Learning: Preview documentation using `uv run mkdocs serve`

Applied to files:

• .github/workflows/docs-gh-pages.yml

🪛 actionlint (1.7.9)

.github/workflows/publish.yml

43-43: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

.github/workflows/docs-gh-pages.yml

99-99: "github.head_ref" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/reference/security/secure-use#good-practices-for-mitigating-script-injection-attacks for more details

(expression)

🪛 GitHub Check: CodeQL

.github/workflows/docs-gh-pages.yml

[warning] 68-82: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{}}

---

[warning] 83-100: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{}}

🔇 Additional comments (8)

.github/workflows/publish.yml (6)

20-28: UV tooling migration looks good.

The setup and version extraction are implemented correctly. The use of uvx hatch is the correct invocation pattern via uv.

---

29-41: Build, test, and verification steps are correct.

The UV-based commands are properly formatted. The PyPI verification flow is sound.

---

48-64: Changelog generation from release notes is well-structured.

The script safely extracts release data from the GitHub API context with fallback to GITHUB_REF, validates the payload, and handles missing release body gracefully with a clear error message.

---

89-106: Version branch creation logic is sound, but depends on CHANGELOG fix.

Once the CHANGELOG commit issue (lines 79-88) is resolved by checking out main first, this section will execute correctly. The version branch recreation and main checkout are appropriate.

---

107-121: Version bumping and commit are correct.

The UV-based version commands are properly sequenced, and including CHANGELOG.md in the commit is appropriate. This assumes the main branch checkout from the CHANGELOG step completes successfully.

---

43-43: Update softprops/action-gh-release to latest version.

Static analysis flagged action-gh-release@v1 as too old. Please verify and update to the latest stable version.

.github/workflows/docs-gh-pages.yml (2)

1-13: Workflow triggers are well-configured.

Path-based filters appropriately constrain runs to doc changes only. The split between push (main) and pull_request (all branches) is correct.

---

16-66: Build job is well-structured and defensive.

The job properly exports short_sha for downstream use, defensively handles notebook conversion with globstar pattern matching, and artifacts the built site. The separation of build from deploy jobs is a good pattern improvement.

[EwoutH]

Haven’t reviewed line by line, but conceptually this seems useful!