Add docs workflow

[alexkorovko]

Summary by CodeRabbit

• Chores
  • Automated documentation build and deployment infrastructure established. Documentation is automatically built and validated when documentation files change or when pull requests are submitted. Successful builds on the main branch trigger automatic deployment to the documentation site. Manual deployment can be triggered on demand.

[coderabbitai]

📝 Walkthrough

Walkthrough

A new GitHub Actions workflow .github/workflows/docs.yml is added. It builds Sphinx HTML documentation on pushes to main and on pull requests when docs/** or the workflow file changes, then conditionally uploads and deploys the output to GitHub Pages only on non-PR events.

Changes

Sphinx Docs Build and Deploy Workflow

Layer / File(s)	Summary
Docs build and deploy workflow .github/workflows/docs.yml	Adds the complete docs.yml workflow with path-filtered push/PR triggers and manual dispatch, concurrency cancellation, a build job that installs Sphinx requirements, runs sphinx-build -W --keep-going, and uploads docs/build as a Pages artifact only on non-PR events, and a deploy job that conditionally publishes to the github-pages environment via actions/deploy-pages@v4.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 Hippity-hop, the docs now deploy,
A workflow so tidy, a rabbit's great joy!
Sphinx builds the pages with warnings-as-errors,
On pushes to main it becomes the new bearers.
Pull requests just build — no pages released,
The docs bunny hops on, forever at peace! 📄✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add docs workflow' directly and accurately summarizes the main change: adding a new GitHub Actions workflow for documentation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dev/ak/docs

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/docs.yml:
- Line 33: Replace all tag-based action references with immutable commit SHAs to
reduce supply-chain tampering risk. The actions/checkout action at line 33 and
other third-party actions at lines 35, 47, and 69 are currently using version
tags (like `@v5`) instead of commit SHAs. For each of these action references,
replace the tag with the specific commit SHA (e.g., @{full-40-character-SHA}) to
ensure the exact version is pinned and prevent unexpected changes from tag
updates.
- Line 33: The actions/checkout step at line 33 is leaving credentials available
to later workflow steps, which is a security risk. Add the `persist-credentials:
false` option to the actions/checkout@v5 action configuration to disable
credential persistence, ensuring credentials are not available to subsequent
steps unless explicitly needed for push operations.
- Around line 39-43: The pip install and sphinx build commands are currently
executed inline in the YAML workflow. Extract these commands from the run steps
"Install dependencies" and "Build HTML docs" into separate shell scripts in the
repository (for example, under a scripts directory), then update the
corresponding run steps to call those scripts instead of executing the commands
directly in YAML. This ensures build and test logic is versioned with the
repository and follows the workflow path rule.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Enterprise

Run ID: 1d0765f3-8092-4696-ae45-54495f51c8f2

📥 Commits

Reviewing files that changed from the base of the PR and between d0aa5a2 and 0bf7e8d.

📒 Files selected for processing (1)

• .github/workflows/docs.yml

[coderabbitai]

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pin all third-party actions to commit SHAs.

Lines 33, 35, 47, and 69 use tag-based action refs. Pinning to immutable SHAs is required by the stated policy and reduces supply-chain tampering risk.

Proposed change

-      - uses: actions/checkout@v5
+      - uses: actions/checkout@<full_commit_sha>
...
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@<full_commit_sha>
...
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@<full_commit_sha>
...
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@<full_commit_sha>

Also applies to: 35-35, 47-47, 69-69

🧰 Tools

🪛 zizmor (1.26.1)

[warning] 33-33: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

---

[error] 33-33: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docs.yml at line 33, Replace all tag-based action
references with immutable commit SHAs to reduce supply-chain tampering risk. The
actions/checkout action at line 33 and other third-party actions at lines 35,
47, and 69 are currently using version tags (like `@v5`) instead of commit SHAs.
For each of these action references, replace the tag with the specific commit
SHA (e.g., @{full-40-character-SHA}) to ensure the exact version is pinned and
prevent unexpected changes from tag updates.

Source: Linters/SAST tools

---

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Harden checkout by disabling credential persistence.

actions/checkout currently leaves credentials available to later steps; set persist-credentials: false unless push operations are required.

Proposed change

       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- uses: actions/checkout@v5
	- uses: actions/checkout@v5
	with:
	persist-credentials: false

🧰 Tools

🪛 zizmor (1.26.1)

[warning] 33-33: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

---

[error] 33-33: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docs.yml at line 33, The actions/checkout step at line 33
is leaving credentials available to later workflow steps, which is a security
risk. Add the `persist-credentials: false` option to the actions/checkout@v5
action configuration to disable credential persistence, ensuring credentials are
not available to subsequent steps unless explicitly needed for push operations.

Source: Linters/SAST tools

[coderabbitai]

📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Move inline build/install commands into repo scripts.

Line 40 and Line 43 execute build logic inline in YAML, which violates the workflow path rule and makes CI behavior harder to reuse/version.

Proposed change

-      - name: Install dependencies
-        run: pip install -r docs/sphinx/requirements.txt
-
-      - name: Build HTML docs
-        run: python -m sphinx -b html -W --keep-going docs/sphinx docs/build
+      - name: Build HTML docs
+        run: ./docs/build_docs_ci.sh

As per path instructions, "Build and test commands must not appear inline in YAML; they should call scripts."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docs.yml around lines 39 - 43, The pip install and sphinx
build commands are currently executed inline in the YAML workflow. Extract these
commands from the run steps "Install dependencies" and "Build HTML docs" into
separate shell scripts in the repository (for example, under a scripts
directory), then update the corresponding run steps to call those scripts
instead of executing the commands directly in YAML. This ensures build and test
logic is versioned with the repository and follows the workflow path rule.

Source: Path instructions