Update GHA for 4.4 (#350)

* Update workflows (#347)

* Update workflows

* Update reference to Traversal Framework

* Apply suggestion from @NataliaIvakina

* Fix the xref

Author: NataliaIvakina

.github/workflows/docs-deploy-surge.yml

@@ -10,25 +10,47 @@
 
 name: "Deploy docs preview"
 
+permissions:
+  actions: read
+  contents: read
+  pull-requests: write
+
 on:
   workflow_run:
     workflows: ["Verify docs PR"]
     types:
       - completed
 
 jobs:
-  publish-docs:
-    # Uncomment this if statement to deploy only when the PR builds cleanly
-    # if: github.event.workflow_run.conclusion == 'success'
+  # [Optional] Restrict automatic dpeloyment to PRs from the upstream repo
+  # For fork PRs, requires manual approval via the "preview" environment.
+  # For PRs from the main repository this job is skipped and deploy-docs runs immediately.
+  # Setup: create a "preview" environment in Settings → Environments with required reviewers.
+  # approve-fork:
+  #   if: github.event.workflow_run.head_repository.full_name != github.repository
+  #   environment: preview
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - name: Fork PR approved for deployment
+  #       run: echo "Approved"
+
+  deploy-docs:
+    # needs: [approve-fork]
+    # Run when approve-fork succeeded (fork, approved) or was skipped (non-fork).
+    # Uncomment the conclusion check to deploy only when the PR builds cleanly:
+    # && github.event.workflow_run.conclusion == 'success'
+    # if: |
+    #   always() &&
+    #   (needs.approve-fork.result == 'success' || needs.approve-fork.result == 'skipped')
 
     runs-on: ubuntu-latest
 
     steps:
       - name: "Download built documentation"
-        uses: actions/github-script@v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
           RUN_ID: ${{ github.event.workflow_run.id }}
-          WORKSPACE: ${{ github.workspace }}
+          ARTIFACT_DIR: ${{ runner.temp }}/artifacts
         with:
           script: |
             var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
@@ -47,7 +69,8 @@ jobs:
                archive_format: 'zip',
             });
             var fs = require('fs');
-            fs.writeFileSync('${{ env.WORKSPACE }}/docs.zip', Buffer.from(downloadDocs.data));
+            fs.mkdirSync(process.env.ARTIFACT_DIR + '/docs', { recursive: true });
+            fs.writeFileSync(process.env.ARTIFACT_DIR + '/docs/docs.zip', Buffer.from(downloadDocs.data));
 
             var matchArtifactChangelog = artifacts.data.artifacts.filter((artifact) => {
               return artifact.name == "changelog"
@@ -58,27 +81,68 @@ jobs:
               artifact_id: matchArtifactChangelog.id,
               archive_format: 'zip',
             });
-            fs.writeFileSync('${{ env.WORKSPACE }}/changelog.zip', Buffer.from(downloadChangelog.data));
+            fs.mkdirSync(process.env.ARTIFACT_DIR + '/changelog', { recursive: true });
+            fs.writeFileSync(process.env.ARTIFACT_DIR + '/changelog/changelog.zip', Buffer.from(downloadChangelog.data));
+
+      - id: suspicious-path-check
+        name: Suspicious paths check
+        env:
+          ARTIFACT_DIR: ${{ runner.temp }}/artifacts/docs
+        run: |
+          cd "$ARTIFACT_DIR"
+          if unzip -l docs.zip | grep -q "\.\./"; then
+            exit 1
+          fi
+
+      - id: hidden-files-check
+        name: Hidden files check
+        env:
+          ARTIFACT_DIR: ${{ runner.temp }}/artifacts/docs
+        run: |
+          cd "$ARTIFACT_DIR"
+          HIDDEN_FILES=$(find . -type f -name ".*" | wc -l)
+          if [ "$HIDDEN_FILES" -ne 0 ]; then
+            echo "Security Alert: Unexpected hidden files detected!"
+            exit 1
+          fi
 
       - id: unzip-docs
-        run: unzip docs.zip
+        name: Unzip docs artifact
+        env:
+          ARTIFACT_DIR: ${{ runner.temp }}/artifacts/docs
+        run: |
+          cd "$ARTIFACT_DIR"
+          unzip docs.zip
 
-      - id: get-top-dir
+      - id: find-changelog
+        name: Get changelog
         run: |
-          root=$(ls -d */index.html | sed -r 's/(.*)\/index\.html/\1/')
-          echo "top-dir=$root" >> $GITHUB_OUTPUT
+          if [ -f "${{ runner.temp }}/artifacts/changelog/changelog.zip" ]; then
+            echo "has-changelog=true" >> $GITHUB_OUTPUT
+          else
+            echo "has-changelog=false" >> $GITHUB_OUTPUT
+          fi
 
       - id: unzip-changelog
-        if: ${{ hashFiles('changelog.zip') != '' }}
-        run: unzip changelog.zip
+        name: Unzip changelog artifact
+        if: ${{ steps.find-changelog.outputs.has-changelog == 'true' }}
+        env:
+          ARTIFACT_DIR: ${{ runner.temp }}/artifacts/changelog
+        run: |
+          cd "$ARTIFACT_DIR"
+          unzip changelog.zip
       
       - id: get-deploy-id
+        name: Get deploy ID
+        env:
+          ARTIFACT_DIR: ${{ runner.temp }}/artifacts/docs
         run: |
-          deployid=$(<deployid)
+          deployid=$(<"$ARTIFACT_DIR/deployid")
           case "$deployid" in ''|*[!0-9]*) echo "Provided PR number is not an integer"; exit 1 ;; esac
           echo "deploy-id=$deployid" >> "$GITHUB_OUTPUT"
 
       - id: get-deploy-url
+        name: Get deploy URL
         env:
           ORG: ${{ github.event.repository.owner.login }}
           REPO: ${{ github.event.repository.name }}
@@ -87,38 +151,53 @@ jobs:
           deployurl=$ORG-$REPO-$DEPLOYID.surge.sh
           echo "deploy-url=$deployurl" >> $GITHUB_OUTPUT
       
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: lts/*
+
+      - id: prepare-deploy-dir
+        name: Prepare deploy directory
+        shell: bash
+        env:
+          DOCS_SRC_DIR: ${{ runner.temp }}/artifacts/docs
+          DOCS_DEPLOY_DIR: ${{ runner.temp }}/deploy-docs
+        run: |
+          mkdir -p "$DOCS_DEPLOY_DIR"
+          # Copy only the built docs into a clean directory for deployment
+          cp -R "$DOCS_SRC_DIR"/. "$DOCS_DEPLOY_DIR"/
       
-      - name: Deploy docs to surge
+      - id: surge-deploy
+        name: Deploy docs to surge
         shell: bash
         env:
           DEPLOY_URL: ${{ steps.get-deploy-url.outputs.deploy-url }}
           SURGE_TOKEN: "${{ secrets.DOCS_SURGE_TOKEN }}"
-          SITE_DIR: ${{ steps.get-top-dir.outputs.top-dir }}
+          DEPLOY_DIR: ${{ runner.temp }}/deploy-docs
         run: |
           npm install -g surge
-          surge ./$SITE_DIR $DEPLOY_URL --token "$SURGE_TOKEN"
+          cd "$DEPLOY_DIR"
+          surge . "$DEPLOY_URL" --token "$SURGE_TOKEN"
 
       # If the PR artifacts include a changelog file, add it to the PR as a comment
       # The changelog contains links to new and changed files in the deployed docs
-      - name: Comment on PR (changelog)
-        if: ${{ hashFiles('changelog') != '' }}
-        uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 #v2.9.0
+      - id: comment-changelog
+        name: Prepare changelog comment
+        if: ${{ steps.find-changelog.outputs.has-changelog == 'true' }}
+        uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 #v3
         with:
           number: ${{ steps.get-deploy-id.outputs.deploy-id }}
           recreate: true
           header: docs-pr-changes
-          path: changelog
+          path: ${{ runner.temp }}/artifacts/changelog/changelog
           GITHUB_TOKEN: ${{ secrets.DOCS_PR_COMMENT_TOKEN }}
 
       # If there's no changelog, add a generic comment to the PR
-      - name: Comment on PR (no changelog)
-        if: ${{ hashFiles('changelog') == '' }}
+      - id: comment-no-changelog
+        name: Comment on PR (no changelog)
+        if: ${{ steps.find-changelog.outputs.has-changelog == 'false' }}
         env:
           DEPLOY_URL: ${{ steps.get-deploy-url.outputs.deploy-url }}
-        uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 #v2.9.0
+        uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 #v3
         with:
           number: ${{ steps.get-deploy-id.outputs.deploy-id }}
           header: docs-pr-changes

.github/workflows/docs-generate-html.yml

@@ -0,0 +1,92 @@
+
+name: "Generate HTML"
+
+# edit the list of branches according to your repository
+# the list of branches should contain all the branches in your Antora publish playbooks
+on:
+  push:
+    branches:
+    - "main"
+    - "dev"
+    - "5.x"
+    - "4.4"
+  workflow_dispatch:
+
+# change `dev` and `main` according to your repository's branch names
+# `dev` is the branch you use to build and publish to staging
+# `main` is the branch you use to build and publish to neo4j.com/docs
+# in some cases, PROD_BRANCH and DEV_BRANCH may be the same branch
+env:
+  DEV_BRANCH: 'dev'
+  PROD_BRANCH: 'main'
+
+jobs:
+
+  prepare-ref-env:
+    name: Set build branch and environments
+    runs-on: ubuntu-latest
+    outputs:
+      build-ref: ${{ steps.set-ref-env.outputs.build-ref }}
+      environments: ${{ steps.set-ref-env.outputs.environments }}
+    steps:
+      - name: Set Build Ref
+        id: set-ref-env
+        run: |
+          if [[ "${GITHUB_REF}" == "refs/heads/${{ env.DEV_BRANCH }}" ]]; then
+            build_from=${{ env.DEV_BRANCH }}
+            environments='["dev"]'
+          else
+            build_from=${{ env.PROD_BRANCH }}
+            environments='["prod"]'
+          fi
+          # if dev branch = prod branch publish to both
+          if [[ "${{ env.DEV_BRANCH }}" == "${{ env.PROD_BRANCH }}" ]]; then
+            environments='["dev","prod"]'
+          fi
+          echo "build-ref=${build_from}" >> $GITHUB_OUTPUT
+          echo "environments=${environments[@]}" >> $GITHUB_OUTPUT
+
+  docs-build:
+    name: Generate HTML
+    needs: prepare-ref-env
+    uses: neo4j/docs-tools/.github/workflows/reusable-docs-build.yml@v2
+    with:
+      package-script: 'verify:publish'
+      build-ref: ${{needs.prepare-ref-env.outputs.build-ref}}
+      fetch-depth: 0
+
+  docs-verify:
+    name: Verify HTML
+    needs: docs-build
+    uses: neo4j/docs-tools/.github/workflows/reusable-docs-verify.yml@v2
+    with:
+      failOnWarnings: true
+
+  publish-html:
+    name: Publish HTML
+    needs: [docs-verify, prepare-ref-env]
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        environments: ${{ fromJson(needs.prepare-ref-env.outputs.environments) }}
+
+    steps:
+      - name: Publish to ${{ matrix.environments }}
+        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 #v4
+        with:
+          token: ${{ secrets.DOCS_DISPATCH_TOKEN }}
+          repository: neo4j/docs-publish
+          event-type: publish-html
+          client-payload: |-
+            {
+              "org": "${{ github.repository_owner }}",
+              "repo": "${{ github.event.repository.name }}",
+              "run_id": "${{ github.run_id }}",
+              "publish_env": "${{ matrix.environments }}"
+            }
+
+      - name: Echo
+        if: ${{ matrix.environments == 'prod' }}
+        run: |
+          echo "If this step runs then approval has been granted" >> $GITHUB_STEP_SUMMARY

.github/workflows/docs-pr-checks.yml

@@ -1,19 +1,22 @@
-
 name: "Verify docs PR"
 
+permissions:
+  contents: read
+  pull-requests: read
+
 on:
   pull_request:
     branches:
-    - "main"
-    - "dev"
-    - "5.x"
-    - "4.4"
+      - "main"
+      - "dev"
+      - "5.x"
+      - "4.4"
 
 jobs:
 
   #  Generate HTML
   docs-build-pr:
-    uses: neo4j/docs-tools/.github/workflows/reusable-docs-build.yml@v1.2.0
+    uses: neo4j/docs-tools/.github/workflows/reusable-docs-build.yml@v2
     with:
       deploy-id: ${{ github.event.number }}
       retain-artifacts: 14
@@ -23,7 +26,7 @@ jobs:
   # By default, the job fails if there are errors, passes if there are warnings only.
   docs-verify-pr:
     needs: docs-build-pr
-    uses: neo4j/docs-tools/.github/workflows/reusable-docs-verify.yml@v1.2.0
+    uses: neo4j/docs-tools/.github/workflows/reusable-docs-verify.yml@v2
     with:
       failOnWarnings: true
 
@@ -40,22 +43,22 @@ jobs:
     steps:
       - name: Get file changes
         id: get-file-changes
-        uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47
         with:
           separator: ','
           files_yaml: |
             pages:
-            - modules/**/pages/**/*.adoc
+            - '**/modules/**/pages/**/*.adoc'
             asciidoc:
-            - modules/**/*.adoc
+            - '**/modules/**/*.adoc'
 
   # Generate a PR comment if the docs are using the pageList extension
   # The extension maps asciidoc source files to their HTML output paths
   # The comment will contain links to new and changed pages in the deployed HTML docs
   docs-updates-comment-pr:
     if: needs.docs-build-pr.outputs.pages-listed == 'success'
     needs: [docs-build-pr, docs-changes-pr]
-    uses: neo4j/docs-tools/.github/workflows/reusable-docs-pr-changes.yml@v1.2.0
+    uses: neo4j/docs-tools/.github/workflows/reusable-docs-pr-changes.yml@v2
     with:
       pages-modified: ${{ needs.docs-changes-pr.outputs.pages-modified }}
       pages-added: ${{ needs.docs-changes-pr.outputs.pages-added }}

.github/workflows/docs-teardown.yml

@@ -1,13 +1,18 @@
 #  copy this workflow into your repo
 name: "Documentation Teardown"
 
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   pull_request_target:
     branches:
     - "main"
     - "dev"
     - "5.x"
     - "4.4"
+
     types:
       - closed
 
@@ -16,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f #v6
         with:
           node-version: lts/*
 
@@ -39,7 +44,7 @@ jobs:
           surge teardown $DEPLOY_URL --token "$SURGE_TOKEN"
 
       - name: Comment on PR
-        uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 #v2.9.0
+        uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 #v3
         with:
           number: ${{ github.event.pull_request.number }}
           header: docs-pr-changes