ci: deploy GitHub Pages from main-ci workflow

[AndrewAltimit]

Summary

• Adds a deploy-pages job to main-ci.yml that deploys the site/ folder to GitHub Pages after CI passes
• Runs on the self-hosted runner, only on pushes to main
• Uses actions/upload-pages-artifact@v3 + actions/deploy-pages@v4
• Adds Pages deployment status to the CI summary table

Pre-merge requirement

Set Settings > Pages > Source to "GitHub Actions" (not "Deploy from a branch").

Test plan

• Verify Pages source is set to "GitHub Actions" in repo settings
• Merge to main and confirm the deploy-pages job runs successfully
• Verify site is accessible at the GitHub Pages URL

Generated with Claude Code

[github-actions]

Gemini AI Code Review

Issues (if any)

(none)

Previous Issues (for incremental reviews)

(none)

Suggestions (if any)

• .github/workflows/main-ci.yml:377 - Consider handling the skipped result for deploy-pages in the summary logic. Since it only runs on main, it will show as skipped on tag-only pushes (unless they are also on main), which is correct but might be cleaner if explicitly handled like other conditional jobs if the project grows.

Notes

• The addition of deploy-pages correctly uses the specialized site folder checkout and standard GitHub Actions deployment tools.
• Permissions pages: write and id-token: write are correctly scoped for the deployment job.
• The notify job was properly updated to wait for and report the status of the new deployment stage.

---

Generated by Gemini AI (gemini-3-flash-preview). Supplementary to human reviews.

[github-actions]

Codex AI Code Review

Issues (if any)

• [BUG] .github/workflows/main-ci.yml:336 - Missing contents: read permission in the new deploy-pages job.
  • What's wrong: Job-level permissions overrides default token scopes; with only pages and id-token, the checkout step at line 343 may fail due insufficient repository read access.
  • How to fix (if obvious): Add contents: read under deploy-pages.permissions [UNVERIFIED - File does not exist and is not in PR].

Previous Issues (for incremental reviews)

(none)

Suggestions (if any)

• .github/workflows/main-ci.yml:377 - Consider mapping needs.deploy-pages.result == 'skipped' to N/A in the summary table for tag/manual runs to avoid confusion.

Notes

• 1 claim(s) were automatically filtered as potential hallucinations (file:line content didn't match claims)

• The deploy-pages branch gate (refs/heads/main) is aligned with the workflow trigger strategy.

• The site/ directory exists, so upload-pages-artifact path selection is valid.

---

Generated by Codex AI (gpt-5.3-codex). Supplementary to human reviews.

[AndrewAltimit]

Review Response Agent (Iteration 1)

Status: Changes committed, pushing...

Commit: 018cc2f

Fixed Issues

• [BUG] Missing contents: read permission (Codex, .github/workflows/main-ci.yml:336): Added contents: read to the deploy-pages job permissions. Job-level permissions overrides all defaults in GitHub Actions, so actions/checkout@v4 would fail without explicit read access to repository contents.

Ignored Issues

• Handle skipped result for deploy-pages in summary (Gemini suggestion, Codex suggestion): Cosmetic only. The other conditional jobs (build-release-binaries, create-release) already show skipped the same way. The current behavior is accurate and consistent.

Deferred to Human

• (none)

Notes

• The Codex review correctly identified a real bug despite its own hallucination filter marking it as [UNVERIFIED]. The file does exist and is in the PR; the filter was a false positive.
• The Gemini review found no issues, only the same cosmetic suggestion.

---

Automated summary of agent fixes.

[github-actions]

Gemini AI Incremental Review

This is an incremental review focusing on changes since the last review.

Issues (if any)

(none)

Previous Issues (for incremental reviews)

• [RESOLVED] .github/workflows/main-ci.yml:336 - Missing contents: read permission in the new deploy-pages job.

Suggestions (if any)

(none)

Notes

• The deploy-pages job now includes contents: read permission, required for actions/checkout when job-level permissions are specified.
• The notify job correctly includes deploy-pages in its needs list and summary table, ensuring deployment status is captured in the CI report.
• The sparse-checkout: site optimization for the Pages deployment is a good practice to minimize overhead.

---

Generated by Gemini AI (gemini-3-flash-preview). Supplementary to human reviews.

[github-actions]

Codex AI Incremental Review

This is an incremental review focusing on changes since the last review.

Issues (if any)

(none)

Previous Issues (for incremental reviews)

• [RESOLVED] .github/workflows/main-ci.yml:336 - Missing contents: read permission in the new deploy-pages job.

Suggestions (if any)

(none)

Notes

• Verified the incremental change in .github/workflows/main-ci.yml; no new actionable bugs or security regressions were found in the added/modified lines.
• notify now includes deploy-pages and reports its result; skipped on non-main refs is expected behavior.
• Deployment still depends on repository configuration: Settings > Pages > Source must be set to GitHub Actions.

---

Generated by Codex AI (gpt-5.3-codex). Supplementary to human reviews.

[AndrewAltimit]

Review Response Agent (Iteration 2)

Status: No changes needed

Fixed Issues

• (none — all issues were resolved in iteration 1)

Ignored Issues

• Handle skipped result for deploy-pages in summary (Gemini/Codex suggestion): Already ignored in iteration 1. Cosmetic only; consistent with how build-release-binaries and create-release already display skipped.

Deferred to Human

• (none)

Notes

• Both Gemini and Codex incremental reviews (post-iteration-1) report zero issues and confirm the contents: read fix is resolved.
• No code changes needed in this iteration.

---

The agent reviewed feedback but determined no code changes were required.