ci: add reo and update build docs workflow #2703

Merged
moabu merged 4 commits into main from ci-update-build-docs on Mar 17, 2026


moabu (Member) commented Mar 16, 2026

Summary by CodeRabbit

  • New Features

    • Added a documentation notice when viewing an outdated version, linking to the latest release.
  • Chores

    • Modernized CI/CD workflows: updated actions, expanded nightly triggers, and added environment-driven branch handling.
    • Improved docs and release pipeline: integrated signing for packaged artifacts, adjusted permissions for keyless signing, and refined artifact/version handling.

moabu requested a review from iromli as a code owner March 16, 2026 13:04

coderabbitai bot (Contributor) commented Mar 16, 2026

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

Updated GitHub workflows: nightly workflow adds env vars, target-branch guard, and newer actions; docs build workflow upgrades actions, switches permissions for OIDC, adds JDK17 and Cosign signing for Helm charts; documentation template now shows an "outdated" notice linking to the latest version.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Nightly workflow: .github/workflows/activate-nightly-build.yml | Replaced older actions with newer versions, added GH_TOKEN and TARGET_BRANCH env vars, allowed workflow_dispatch, removed in-workflow gh install, added quoting and a default guard for TARGET_BRANCH, and adjusted delete/push messaging. |
| Docs build & signing workflow: .github/workflows/build-docs.yml | Updated action/tool versions and runner setup, changed permissions (contents: read, id-token: write), added JDK 17 setup, installed Cosign, added chart packaging and Cosign OIDC signing producing .sigstore.json artifacts, and updated packaging/commit steps to include signatures and use updated mike commands. |
| Documentation override: docs/overrides/main.html | Inserted an "outdated" notice block linking to the latest version and moved original content into a {{ super() }} content block; minor block/format adjustments. |

Sequence Diagram(s)

sequenceDiagram
    participant Runner as GitHub Actions Runner
    participant Checkout as Repo Checkout
    participant Build as Docs Build (JDK/Python/Poetry)
    participant Helm as Helm Packaging
    participant Cosign as Cosign (OIDC)
    participant Sigstore as Sigstore Registry
    participant Git as GitHub Repo

    rect rgba(100,150,240,0.5)
    Runner->>Checkout: checkout repo
    Checkout->>Build: set up JDK17, Python, build docs
    end

    rect rgba(120,200,100,0.5)
    Build->>Helm: package charts (gluu-*.tgz)
    Helm->>Cosign: sign-blob (uses id-token/OIDC)
    Cosign->>Sigstore: upload signature metadata (.sigstore.json)
    end

    rect rgba(200,120,180,0.5)
    Cosign->>Runner: emit .sigstore.json artifacts
    Runner->>Git: add/commit/push charts + .sigstore.json (create PR/release)
    Git-->>Runner: push result / PR created
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

Suggested labels

area-documentation

Suggested reviewers

  • iromli

Poem

🐰
I hopped through workflows, neat and spry,
Set JDK, signed charts up in the sky,
OIDC whiskers twitch, signatures sing,
Docs now point where latest versions cling,
A tiny hop — release takes wing!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | The title 'ci: add reo and update build docs workflow' is unclear and misleading. 'reo' is undefined and doesn't match the actual changes (workflow version updates, Cosign integration, and permission changes), and the phrase 'add reo' doesn't correspond to any identifiable change in the provided summary. | Revise the title to accurately reflect the main changes, such as 'ci: integrate Cosign signing and update workflow actions' or 'ci: add Cosign artifact signing to build-docs workflow'. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


mo-auto added the area-CI label (Indicates work required in automatic builds or CI infrastructure) Mar 16, 2026

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/activate-nightly-build.yml:
- Line 32: The if condition contains a reference to an undeclared input
`github.event.inputs.nightly` (in the line starting with "if: github.event_name
== 'schedule' || github.event.inputs.nightly == 'true' || github.event_name ==
'workflow_dispatch'"); remove the `github.event.inputs.nightly == 'true'` clause
from that condition (or alternatively declare `nightly` under
`workflow_dispatch.inputs`) so the condition only uses valid inputs (e.g., "if:
github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'").

In @.github/workflows/build-docs.yml:
- Around line 208-210: The mv command uses the wrong glob name: replace the
incorrect janssen-*.tgz.sigstore.json with gluu-*.tgz.sigstore.json so the
produced artifact matches the move; update the line with mv ../gluu-*.tgz
../gluu-*.tgz.sigstore.json ./charts/ (and keep the subsequent git add
gluu-*.tgz gluu-*.tgz.sigstore.json && git update-index --refresh) to ensure the
files are moved and staged correctly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: cc285e8e-0da9-4a6e-8701-d3a41ad6ca98

📥 Commits

Reviewing files that changed from the base of the PR and between 02137ce and 5c3c225.

📒 Files selected for processing (3)
  • .github/workflows/activate-nightly-build.yml
  • .github/workflows/build-docs.yml
  • docs/overrides/main.html
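
Added example, not part of the PR or of the CodeRabbit review: the second finding above concerns the chart glob and the signature-bundle glob disagreeing in the `mv` step. A guard like the following stages charts only when every chart has its bundle beside it, so charts and signatures cannot be committed apart. The function name, its arguments and the directory layout are assumptions; only the `gluu-*.tgz` and `.tgz.sigstore.json` names come from the review comment.

```shell
#!/bin/sh
# Added example, not the project's workflow code. The function name, its
# arguments and the directory layout are assumptions.

# stage_signed_charts SRC_DIR DEST_DIR [PREFIX]
# Moves PREFIX-*.tgz together with PREFIX-*.tgz.sigstore.json from SRC_DIR
# to DEST_DIR. Returns 1 and moves nothing if any chart lacks a non-empty
# bundle, if a bundle has no chart, or if no chart was produced at all.
stage_signed_charts() {
  local src="$1" dest="$2" prefix="${3:-gluu}"
  local chart bundle found=0 problems=0

  for chart in "$src/$prefix"-*.tgz; do
    [ -e "$chart" ] || continue        # unmatched glob stays literal
    found=$((found + 1))
    if [ ! -s "$chart.sigstore.json" ]; then
      echo "unsigned chart: ${chart##*/}" >&2
      problems=$((problems + 1))
    fi
  done

  # A bundle without its chart usually means the two globs disagree.
  for bundle in "$src"/*.tgz.sigstore.json; do
    [ -e "$bundle" ] || continue
    if [ ! -e "${bundle%.sigstore.json}" ]; then
      echo "orphan bundle: ${bundle##*/}" >&2
      problems=$((problems + 1))
    fi
  done

  if [ "$found" -eq 0 ]; then
    echo "no $prefix-*.tgz charts in $src" >&2
    return 1
  fi
  [ "$problems" -eq 0 ] || return 1

  mkdir -p "$dest" || return 1
  for chart in "$src/$prefix"-*.tgz; do
    mv "$chart" "$chart.sigstore.json" "$dest"/ || return 1
  done
}
```

The guard checks only that each bundle is present and non-empty; checking the signature itself with `cosign verify-blob` is a separate step.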

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/build-docs.yml (1)

218-226: ⚠️ Potential issue | 🟠 Major

The stable build uses replace-janssen-version but leaves replace-flex-version tokens unreplaced in 14+ documentation files.

The nightly build properly replaces flex-related version tokens (replace-flex-version-stable and replace-flex-version), which appear across 14 documentation files. However, the stable build (line 224) only replaces replace-janssen-version, which exists in just 2 files (getting-started-rancher.md and faq.md). This means the stable build leaves unreplaced version placeholders in the majority of the documentation, resulting in broken docs. Either the stable build should also replace flex tokens, or the flex tokens should be removed from stable documentation.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-docs.yml around lines 218 - 226, The stable branch
in the workflow's LATEST handling only runs the replace for
"replace-janssen-version" leaving flex tokens unreplaced; update the stable path
inside the if/else block that checks LATEST to also run replacements for
"replace-flex-version-stable" and "replace-flex-version" (the same sed/egrep
invocations used in the nightly branch) or remove those tokens from stable docs;
modify the code around the LATEST conditional so both branches handle the flex
tokens consistently, referencing the LATEST variable and the tokens
replace-flex-version-stable, replace-flex-version and replace-janssen-version.

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/build-docs.yml:
- Around line 56-61: Remove the unused Java setup step from the workflow: delete
the job step titled "Set up JDK 17" that uses
actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 along with its
inputs (java-version: '17', distribution: 'adopt', cache: maven); ensure any
surrounding indentation and step ordering remain valid so the remaining
Python/Helm/mkdocs steps (and the generated-cn-docs.sh invocation) still run
correctly.

---

Outside diff comments:
In @.github/workflows/build-docs.yml:
- Around line 218-226: The stable branch in the workflow's LATEST handling only
runs the replace for "replace-janssen-version" leaving flex tokens unreplaced;
update the stable path inside the if/else block that checks LATEST to also run
replacements for "replace-flex-version-stable" and "replace-flex-version" (the
same sed/egrep invocations used in the nightly branch) or remove those tokens
from stable docs; modify the code around the LATEST conditional so both branches
handle the flex tokens consistently, referencing the LATEST variable and the
tokens replace-flex-version-stable, replace-flex-version and
replace-janssen-version.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8ff36cf8-871a-413d-804b-9d1b3e8733e9

📥 Commits

Reviewing files that changed from the base of the PR and between 5c3c225 and 91e0709.

📒 Files selected for processing (2)
  • .github/workflows/activate-nightly-build.yml
  • .github/workflows/build-docs.yml

moabu merged commit 485d48f into main Mar 17, 2026
8 checks passed
moabu deleted the ci-update-build-docs branch March 17, 2026 10:04