ci(docs): publish mdbook to GitHub Pages#331
Conversation
Adds a workflow that builds the mdbook on docs/book.toml changes, runs lychee link-check on PRs, and deploys to the gh-pages branch on push to main. Closes #123. Note: GitHub Pages must be manually configured in repo settings to serve from the gh-pages branch after the first successful run.
🤖 Claude Code ReviewHere is my review of PR #331: PR #331 — CI: Publish mdBook to GitHub PagesWhat it does: Adds a GitHub Actions workflow that builds, link-checks, and deploys the mdBook docs site to GitHub Pages. Triggered on changes to Correctness & Functionality
Security & Permissions
# Remove the top-level permissions block, then add per-job:
jobs:
build:
permissions:
contents: read
link-check:
permissions:
contents: read
deploy:
permissions:
contents: writeThis follows the principle of least privilege, especially relevant since Concurrency
Design Notes
SummaryThe workflow is well-structured and follows the ethrex reference model appropriately. Two items warrant fixes before merge:
The Automated review by Claude (Anthropic) · sonnet · custom prompt |
🤖 Kimi Code ReviewThis PR adds a GitHub Actions workflow for publishing mdBook documentation. This is infrastructure code and does not modify consensus-critical logic (fork choice, XMSS, SSZ, state transition), so the review focuses on CI/CD correctness and security. Critical Issues
Security & Permissions
Logic & Performance
Minor
Summary Automated review by Kimi (Moonshot AI) · kimi-k2.5 · custom prompt |
🤖 Codex Code Review
No consensus-layer code is touched in this PR, so I do not have findings on fork choice, state transition, attestation, XMSS, or SSZ logic here. I did not run the workflow locally; Automated review by OpenAI Codex · gpt-5.4 · custom prompt |
Greptile SummaryThis PR adds a GitHub Actions workflow to build the mdBook documentation site and publish it to GitHub Pages on pushes to Confidence Score: 5/5Safe to merge — only one P2 style finding; all core logic is correct and well-guarded No P0 or P1 issues found. The single finding is a P2 suggestion to pin No files require special attention
|
| Filename | Overview |
|---|---|
| .github/workflows/pr-main_mdbook.yml | New workflow to build mdBook docs and publish to GitHub Pages; well-structured with per-job permissions and concurrency, but uses a floating @master reference for dtolnay/rust-toolchain |
| Makefile | Adds --locked to both cargo install calls in docs-deps for reproducible installs; clean improvement |
| book.toml | Adds optional = true to skip linkcheck2 when not installed, and warning-policy = "error" to fail CI on broken internal links; correct and well-commented |
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
trigger["Trigger: push/PR on docs/**, book.toml\nor workflow_dispatch"]
trigger --> build
subgraph build["Build job"]
checkout1["checkout@v6"]
setupMdbook["Setup mdBook 0.5.2"]
setupRust["Setup Rust stable"]
installLC2["Install mdbook-linkcheck2 0.12.0"]
makeDocs["make docs → book/html/"]
uploadCheck{{"ref == main?"}}
upload["upload-artifact@v7\ndocs artifact"]
checkout1 --> setupMdbook --> setupRust --> installLC2 --> makeDocs --> uploadCheck
uploadCheck -- yes --> upload
uploadCheck -- no --> skipUpload["skip upload"]
end
build --> linkcheck
build --> deployCheck
subgraph linkcheck["Link Check job"]
checkout2["checkout@v6"]
lychee["lychee-action@v2\nexternal URL check on docs/"]
checkout2 --> lychee
end
deployCheck{{"ref == main?"}}
deployCheck -- yes --> deploy
deployCheck -- no --> nodeploy["skip deploy"]
subgraph deploy["Deploy job (contents:write)"]
download["download-artifact@v8\ndocs artifact"]
ghpages["actions-gh-pages@v4\npublish to gh-pages branch"]
download --> ghpages
end
Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.
---
### Issue 1 of 1
.github/workflows/pr-main_mdbook.yml:41
**Unpinned `@master` reference for rust-toolchain action**
`dtolnay/rust-toolchain@master` is a floating, mutable reference — any commit pushed to `master` silently changes the action's behavior in CI. All other actions in this workflow use stable version tags (`@v2`, `@v4`, etc.). Pinning to a SHA or a stable tag improves reproducibility and reduces supply-chain risk.
```suggestion
uses: dtolnay/rust-toolchain@stable
```
Reviews (2): Last reviewed commit: "ci(docs): exclude eprint.iacr.org from l..." | Re-trigger Greptile
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
The linkcheck2 preprocessor is already configured in book.toml and matches what `make docs-deps` installs locally. Drop the lychee job and let `mdbook build` fail on broken internal links by setting `warning-policy = "error"`. CI installs mdbook-linkcheck2 so the optional renderer actually runs. Verified locally: `mdbook build` exits 101 when SUMMARY.md is missing an entry referenced from another page.
`cargo install` without --locked regenerates the lockfile from semver constraints, so a transitive dep can update overnight and break the install. Use the lockfile published with each tool for reproducible installs locally and in CI.
mdbook-linkcheck2 only validates internal links (follow-web-links is off so contributors don't get blocked by transient external failures or rate limits). Lychee covers the external side: bitrot in linked papers, blog posts, and other clients' READMEs. Lychee runs alongside deploy on main; deploy doesn't depend on it, so a flaky external server can't block a release.
Addresses bot-review feedback on PR #331: - Default workflow permissions to `contents: read`, scope `contents: write` to the deploy job only. Limits blast radius of any compromise in the build/link-check toolchain. - Add `cancel-in-progress: true` to the build concurrency group so a new push drops the stale build. Keep deploy as `cancel-in-progress: false` and split the group key so a fresh build does not cancel an in-flight deploy mid-push. - Add `Makefile` to path filters so changes to `make docs` retrigger the workflow. - Add a header comment linking the ethrex workflow used as a model. Skipped feedback (intentional): - `actions/checkout@v6` is current (v6.0.2) and matches `ci.yml`. - `deploy needs: build` (not link-check) is by design: a flaky external URL should not gate a docs deploy. Internal links are enforced inside the build via `warning-policy = "error"`.
The pinned `@v4` tags were three (upload) and four (download) major versions behind. No breaking changes affect our usage: - We download by `name:`, not `artifact-ids:`, so the v5 download-artifact path consistency change is irrelevant. - The v6/v7 Node.js 24 bumps require runner ≥ 2.327.1, which GitHub-hosted runners already satisfy. - The v7 upload-artifact direct-upload feature is opt-in (`archive: false`); default behavior is unchanged. - The v8 download-artifact hash-mismatch default of `error` is a security improvement, transparent on successful runs.
🤖 Kimi Code ReviewCritical: Invalid GitHub Actions versions The workflow references action versions that do not exist. These must be corrected or the workflow will fail:
Security/Reproducibility
Code Quality Observations
Consensus-layer note: This PR contains only documentation infrastructure changes (CI, Makefile, mdbook config). No consensus logic (fork choice, state transition, XMSS, SSZ) was modified and therefore requires no security review for those components. Automated review by Kimi (Moonshot AI) · kimi-k2.5 · custom prompt |
The IACR preprint server returns 403 to lychee's default User-Agent (anti-bot protection); links work fine in a browser. Treating these as broken adds noise without catching real bitrot.
🤖 Claude Code ReviewHere is the review of PR #331: PR #331 —
|
🤖 Codex Code Review
Aside from that, the Automated review by OpenAI Codex · gpt-5.4 · custom prompt |
1 participant
Summary
.github/workflows/pr-main_mdbook.ymlto build and publish the mdBook docs site to GitHub Pages.docs/**andbook.tomlchanges:peaceiris/actions-mdbook@v2(mdBook 0.5.2, matchingMakefile).lycheeverse/lychee-action@v2(excludeslocalhostand127.0.0.1, which appear in operations docs).gh-pagesbranch on push tomainusingpeaceiris/actions-gh-pages@v4.Closes #123.
Notes
mainrun, GitHub Pages must be enabled manually in Settings → Pages with source set to thegh-pagesbranch.book/html/becausebook.tomldeclares both[output.html]and[output.linkcheck2]. mdBook auto-generates a.nojekyllfile there.make docsbuilds cleanly with mdBook 0.5.2 and producesbook/html/.nojekyll.Test plan
BuildandLink Checkjobs successfully.Deployjob runs and creates/updates thegh-pagesbranch.gh-pagesbranch.https://lambdaclass.github.io/ethlambda/serves the rendered book.