ci: harden pages deploy follow-up

.github/workflows/pages.yml

@@ -23,22 +23,49 @@ concurrency:
 jobs:
   build:
     runs-on: ubuntu-latest
+    outputs:
+      pages_enabled: ${{ steps.pages-check.outputs.enabled }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Detect GitHub Pages configuration
+        id: pages-check
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          status_code=$(curl -sS -o /tmp/pages-response.json -w "%{http_code}" \
+            -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+            -H "Accept: application/vnd.github+json" \
+            "https://api.github.com/repos/${GITHUB_REPOSITORY}/pages")
+
+          if [[ "${status_code}" == "200" ]]; then
+            echo "enabled=true" >> "${GITHUB_OUTPUT}"
+            echo "GitHub Pages is enabled."
+          elif [[ "${status_code}" == "404" ]]; then
+            echo "enabled=false" >> "${GITHUB_OUTPUT}"
+            echo "GitHub Pages is not enabled; deployment steps will be skipped."
+          else
+            echo "Unexpected GitHub Pages API status: ${status_code}" >&2
+            cat /tmp/pages-response.json >&2
+            exit 1
+          fi
+
       - name: Validate catalog
         run: python3 scripts/validate_shop_catalog.py
 
       - name: Build manifest
         run: python3 scripts/build_armory_manifest.py --out docs/data/armory-manifest.v1.json
 
       - name: Upload Pages artifact
+        if: steps.pages-check.outputs.enabled == 'true'
         uses: actions/upload-pages-artifact@v3
         with:
           path: docs
 
   deploy:
+    if: needs.build.outputs.pages_enabled == 'true'
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
@@ -48,3 +75,11 @@ jobs:
       - name: Deploy to GitHub Pages
         id: deployment
         uses: actions/deploy-pages@v4
+
+  pages-disabled:
+    if: needs.build.outputs.pages_enabled != 'true'
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Skip deploy
+        run: echo "GitHub Pages is disabled for this repository. Skipping deployment job."

docs/audits/public-logic-audit-2026-02-22.md

@@ -30,14 +30,17 @@
 | `python3 scripts/ci/check_manifest_determinism.py` | PASS | Manifest output deterministic per current source state |
 | `python3 scripts/ci/secret_hygiene.py` | PASS | Secret hygiene checks passed |
 | `python3 scripts/ci/validate_trust_store.py` | PASS | Trust store checks passed (bundle mode absent) |
+| Pages workflow fail-safe | PASS | Added GitHub Pages configuration detection and graceful skip path when Pages is disabled |
 
 ## Findings Register
 | Severity | Area | Repro | Status | Fix |
 |---|---|---|---|---|
 | P3 | Manifest workflow ergonomics | Running `build_armory_manifest.py` updates commit-pinned URLs and generated metadata | Mitigated | Verified deterministic behavior; kept source unchanged for this wave to avoid commit-ref churn |
+| P1 | Workflow reliability | `Armory Pages` deploy failed with `404 Not Found` when Pages was not enabled | Fixed | Added Pages API precheck and conditional deploy skip in `.github/workflows/pages.yml` |
 
 ## Residual Risks / Follow-ups
 - If manifest regeneration is needed in future waves, run it as an intentional release-adjacent change and review generated commit reference updates.
+- If Pages is intentionally enabled later, the workflow will auto-deploy without additional code changes.
 
 ## Attestation
 - This wave is maintenance and hardening only.