diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
index 0c89252..8fa58fe 100644
--- a/.github/workflows/pages.yml
+++ b/.github/workflows/pages.yml
@@ -23,10 +23,35 @@ concurrency:
 jobs:
 build:
 runs-on: ubuntu-latest
+ outputs:
+ pages_enabled: ${{ steps.pages-check.outputs.enabled }}
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ - name: Detect GitHub Pages configuration
+ id: pages-check
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ set -euo pipefail
+ status_code=$(curl -sS -o /tmp/pages-response.json -w "%{http_code}" \
+ -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+ -H "Accept: application/vnd.github+json" \
+ "https://api.github.com/repos/${GITHUB_REPOSITORY}/pages")
+
+ if [[ "${status_code}" == "200" ]]; then
+ echo "enabled=true" >> "${GITHUB_OUTPUT}"
+ echo "GitHub Pages is enabled."
+ elif [[ "${status_code}" == "404" ]]; then
+ echo "enabled=false" >> "${GITHUB_OUTPUT}"
+ echo "GitHub Pages is not enabled; deployment steps will be skipped."
+ else
+ echo "Unexpected GitHub Pages API status: ${status_code}" >&2
+ cat /tmp/pages-response.json >&2
+ exit 1
+ fi
+
 - name: Validate catalog
 run: python3 scripts/validate_shop_catalog.py
@@ -34,11 +59,13 @@ jobs:
 run: python3 scripts/build_armory_manifest.py --out docs/data/armory-manifest.v1.json
 - name: Upload Pages artifact
+ if: steps.pages-check.outputs.enabled == 'true'
 uses: actions/upload-pages-artifact@v3
 with:
 path: docs
 deploy:
+ if: needs.build.outputs.pages_enabled == 'true'
 environment:
 name: github-pages
 url: ${{ steps.deployment.outputs.page_url }}
@@ -48,3 +75,11 @@ jobs:
 - name: Deploy to GitHub Pages
 id: deployment
 uses: actions/deploy-pages@v4
+
+ pages-disabled:
+ if: needs.build.outputs.pages_enabled != 'true'
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Skip deploy
+ run: echo "GitHub Pages is disabled for this repository. Skipping deployment job."
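Review bot: The 404 branch of the `pages-check` step (first hunk) turns a failed lookup into a green run with the deployment skipped, and only a plain log line records it, so a site that has stopped publishing is easy to miss. GitHub's REST API can also answer 404 when the token is not allowed to see a resource, so a later tightening of the workflow's `permissions:` block (not visible in this hunk) might be indistinguishable from "Pages not enabled"; that is an inference worth confirming against the token's granted scopes. I would surface the skip as an annotation, `echo "::warning::GitHub Pages API returned 404; deployment skipped"`, and bound the request with `--max-time 30` so a stalled connection cannot hold the job until the runner timeout. The response body is also written to the fixed path `/tmp/pages-response.json`; `"${RUNNER_TEMP}/pages-response.json"` keeps it out of a shared location if this ever runs on a self-hosted runner.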
diff --git a/docs/audits/public-logic-audit-2026-02-22.md b/docs/audits/public-logic-audit-2026-02-22.md
index 7fce095..d1aa85a 100644
--- a/docs/audits/public-logic-audit-2026-02-22.md
+++ b/docs/audits/public-logic-audit-2026-02-22.md
@@ -30,14 +30,17 @@
 | `python3 scripts/ci/check_manifest_determinism.py` | PASS | Manifest output deterministic per current source state |
 | `python3 scripts/ci/secret_hygiene.py` | PASS | Secret hygiene checks passed |
 | `python3 scripts/ci/validate_trust_store.py` | PASS | Trust store checks passed (bundle mode absent) |
+| Pages workflow fail-safe | PASS | Added GitHub Pages configuration detection and graceful skip path when Pages is disabled |
 ## Findings Register
 | Severity | Area | Repro | Status | Fix |
 |---|---|---|---|---|
 | P3 | Manifest workflow ergonomics | Running `build_armory_manifest.py` updates commit-pinned URLs and generated metadata | Mitigated | Verified deterministic behavior; kept source unchanged for this wave to avoid commit-ref churn |
+| P1 | Workflow reliability | `Armory Pages` deploy failed with `404 Not Found` when Pages was not enabled | Fixed | Added Pages API precheck and conditional deploy skip in `.github/workflows/pages.yml` |
 ## Residual Risks / Follow-ups
 - If manifest regeneration is needed in future waves, run it as an intentional release-adjacent change and review generated commit reference updates.
+- If Pages is intentionally enabled later, the workflow will auto-deploy without additional code changes.
 ## Attestation
 - This wave is maintenance and hardening only.