Skip to content

Fix gh-pages deploy: restore java lock URL and build docs on PRs#402

Merged
horgh merged 2 commits into
mainfrom
greg/fix-pages-mise-lock
Jun 30, 2026
Merged

Fix gh-pages deploy: restore java lock URL and build docs on PRs#402
horgh merged 2 commits into
mainfrom
greg/fix-pages-mise-lock

Conversation

@oschwald

@oschwald oschwald commented Jun 30, 2026

Copy link
Copy Markdown
Member

The "Deploy to GitHub Pages" workflow failed on main after #401 merged (run 28465860134).

Root cause

The deploy's Setup mise step runs mise install --locked, which installs the full toolchain — including java. The mise.lock update in #401 (commit 3b9ddb1) replaced java's per-platform url/checksum entry with a bare [tools.java.options] shorthand_vendor = "openjdk". With no locked URL, the install fails:

mise ERROR Failed to install core:java@latest: No lockfile URL found for java@26.0.1 on platform linux-x64 (--locked mode)

It wasn't caught on the PR because pages.yml only triggered on push: [main], and the PR job that uses mise (links.yml) installs lychee-only (install: false) — so no PR ran the full locked install.

Changes (two commits)

  1. Restore java platform URL in mise.lock — recovers mise install --locked so the Pages deploy works again. (Restored byte-identical to the pre-Clarify Windows memory-map file locking and fix Javadoc issues #401 lockfile entry; the hugo/lychee/maven bumps from Clarify Windows memory-map file locking and fix Javadoc issues #401 are untouched.)
  2. Build docs on pull requestspages.yml now also runs on pull_request, executing Setup mise (full mise install --locked) + Build docs, with the gh-pages publish step gated to pushes on main. A broken lockfile or docs build now fails the PR before merge. Concurrency group is scoped per-ref so PR runs don't cancel the main deploy.

Companion to maxmind/GeoIP2-java#734, which had the same failure.

Note: commits are unsigned because the local 1Password signing agent was unavailable at authoring time.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features
    • GitHub Pages builds now run for pull requests and manual triggers.
  • Bug Fixes
    • Prevented preview builds from publishing to the live Pages site.
    • Improved workflow concurrency so only the latest run for a ref continues.

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The GitHub Pages workflow now triggers on pull_request events in addition to workflow_dispatch, sets workflow-level permissions to empty, and scopes concurrency by git ref with cancel-in-progress enabled. The gh-pages publish step is now conditional, only running on pushes to main.

Changes

Pages Workflow Update

Layer / File(s) Summary
Trigger, permissions, and concurrency settings
.github/workflows/pages.yml
Adds pull_request trigger, sets permissions: {}, and changes concurrency group to be ref-scoped with cancel-in-progress: true.
Conditional gh-pages publish step
.github/workflows/pages.yml
Restricts the "Push rendered site to gh-pages" step to run only on push events to refs/heads/main, with comments noting PRs only build/test.

Sequence Diagram(s)

Not applicable; this PR is a CI workflow configuration change without multi-component application logic.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A rabbit hopped through YAML fields so neat,
Now PRs get builds, but main keeps the seat. 🐇
No more clashing runs, concurrency's tight,
Permissions empty, locked down right.
Hop, build, test — then publish in flight! 🌿

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main changes: fixing the Pages deploy and enabling docs builds on pull requests.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch greg/fix-pages-mise-lock

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates mise.lock to specify a Java platform entry for linux-x64. The review feedback notes that omitting other common platforms (like macOS and Windows) will cause local development installation failures under locked mode, and suggests running mise lock to populate all target platforms.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread mise.lock
Comment on lines +39 to +41
[tools.java."platforms.linux-x64"]
checksum = "sha256:2f2802d57b5fc414f1ddf6648ba12cc9a6454cf67b32ac95407c018f2e6ab0b0"
url = "https://download.java.net/java/GA/jdk26.0.1/458fda22e4c54d5ba572ab8d2b22eb83/8/GPL/openjdk-26.0.1_linux-x64_bin.tar.gz"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

While restoring the linux-x64 platform entry fixes the GitHub Actions CI/CD pipeline, mise.lock is still missing entries for other common developer platforms (such as macos-arm64, macos-x64, windows-x64, and linux-arm64) for java.\n\nBecause the enter hook in mise.toml runs mise install --quiet --locked automatically when entering the directory, any developer on macOS or Windows will experience a failure like:\n\nmise ERROR Failed to install core:java@latest: No lockfile URL found for java@26.0.1 on platform macos-arm64 (--locked mode)\n\n\nTo resolve this and support cross-platform local development, please run mise lock locally to automatically populate mise.lock with the URLs and checksums for all target platforms, and commit the updated lockfile.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(Claude, replying on Greg's behalf.)

Already addressed in a force-push after this review. The lockfile was regenerated with mise lock java, so the current head includes all five platforms (linux-arm64, linux-x64, macos-arm64, macos-x64, windows-x64) plus the [tools.java.options] block. mise install --locked now works for macOS/Windows developers and the enter hook too.

oschwald and others added 2 commits June 30, 2026 19:10
A prior mise.lock regeneration left the core:java entry with only
[tools.java.options] and no per-platform url/checksum entries. Under
the mise version used in CI, 'mise install --locked' then fails with
'No lockfile URL found for java@26.0.1', which broke the gh-pages
deploy (it runs the full locked install). Regenerated with 'mise lock
java' to populate the per-platform entries.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The Pages workflow only ran on pushes to main, so a broken mise.lock or
docs build was not detected until after merge (when the deploy runs the
full 'mise install --locked'). Run the build on pull requests too, and
gate the gh-pages publish step to pushes on main so PRs validate without
deploying. Scope the concurrency group per ref so PR runs do not cancel
the main deploy.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@oschwald oschwald force-pushed the greg/fix-pages-mise-lock branch from a749d46 to 3b65b5c Compare June 30, 2026 19:10

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/pages.yml (1)

16-19: 🔒 Security & Privacy | 🔵 Trivial | ⚖️ Poor tradeoff

Scope contents: write to the publish step only.

permissions: contents: write is declared at the job level, so for same-repo (non-fork) PR runs the GITHUB_TOKEN keeps write access during checkout/mise-install/build-docs even though those steps only need read access — only the gated gh-pages push (Line 39) needs write. Fork PRs are forced read-only by GitHub regardless, but same-repo PRs are not. Consider splitting into a build job (contents: read) and a deploy job (contents: write, gated on push to main) to keep PR validation runs least-privileged.

♻️ Suggested split
 jobs:
-  build-and-deploy:
+  build:
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: read
     steps:
       - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           persist-credentials: false
       ...
       - name: Build docs
         ...
+
+  deploy:
+    needs: build
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+      ... (rebuild or reuse artifact)
+      - name: Push rendered site to gh-pages
+        uses: peaceiris/actions-gh-pages@84c30a85c19949d7eee79c4ff27748b70285e453 # v4.1.0
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_dir: ./docs/public
+          publish_branch: gh-pages
+          keep_files: true
+          user_name: "github-actions[bot]"
+          user_email: "41898282+github-actions[bot]`@users.noreply.github.com`"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pages.yml around lines 16 - 19, Scope the GitHub Actions
token permissions more narrowly in build-and-deploy: the current job-level
contents: write gives unnecessary write access during checkout, mise-install,
and build-docs. Refactor the workflow so the build portion runs with contents:
read and only the publish path that pushes to gh-pages uses contents: write,
ideally by splitting the existing build-and-deploy job into separate build and
deploy jobs with the deploy job gated to the main-branch publish step.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/pages.yml:
- Around line 16-19: Scope the GitHub Actions token permissions more narrowly in
build-and-deploy: the current job-level contents: write gives unnecessary write
access during checkout, mise-install, and build-docs. Refactor the workflow so
the build portion runs with contents: read and only the publish path that pushes
to gh-pages uses contents: write, ideally by splitting the existing
build-and-deploy job into separate build and deploy jobs with the deploy job
gated to the main-branch publish step.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 57f50b22-4738-44d7-a52b-9124de3cb1af

📥 Commits

Reviewing files that changed from the base of the PR and between 78bd2d3 and 3b65b5c.

⛔ Files ignored due to path filters (1)
  • mise.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • .github/workflows/pages.yml

@oschwald

Copy link
Copy Markdown
Member Author

(Claude, commenting on Greg's behalf.)

Re: CodeRabbit's out-of-diff suggestion to scope contents: write by splitting pages.yml into separate build (read-only) and deploy (write) jobs —

Leaving it as a single job for now: the publish step is gated to push-on-main, PRs are same-repo (no fork / untrusted code runs), and the workflow passes zizmor. The split would add artifact upload/download plumbing (or a duplicate build) for a marginal gain on same-repo runs — consistent with CodeRabbit's own "poor tradeoff" tag. Worth revisiting if this repo ever accepts fork PRs for docs.

(Same rationale applies to the identical change in maxmind/GeoIP2-java#734.)

@horgh horgh merged commit 3db8147 into main Jun 30, 2026
31 checks passed
@horgh horgh deleted the greg/fix-pages-mise-lock branch June 30, 2026 20:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants