ci: integrate sync-docs workflow

Signed-off-by: Emilien Escalle <[email protected]>

Author: neilime

.github/workflows/__main-ci.yml

@@ -11,16 +11,7 @@ on: # yamllint disable-line rule:truthy
   schedule:
     - cron: "25 8 * * 1"
 
-permissions:
-  actions: write
-  contents: write
-  issues: read
-  packages: write
-  pages: write
-  pull-requests: write
-  security-events: write
-  statuses: write
-  id-token: write
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -29,11 +20,25 @@ concurrency:
 jobs:
   ci:
     uses: ./.github/workflows/__shared-ci.yml
+    permissions:
+      actions: read
+      contents: read
+      issues: read
+      packages: write
+      pull-requests: read
+      security-events: write
+      statuses: write
+      id-token: write
     secrets: inherit
 
   clean:
     needs: ci
     uses: ./.github/workflows/prune-pull-requests-images-tags.yml
+    permissions:
+      contents: read
+      pull-requests: read
+      packages: write
+      id-token: write
     with:
       images: |
         [
@@ -46,6 +51,11 @@ jobs:
   clean-with-cache:
     needs: ci
     uses: ./.github/workflows/prune-pull-requests-images-tags.yml
+    permissions:
+      contents: read
+      pull-requests: read
+      packages: write
+      id-token: write
     with:
       prune-cache-images: true
       images: |
@@ -58,6 +68,9 @@ jobs:
     needs: ci
     if: github.event_name != 'schedule'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
@@ -71,8 +84,22 @@ jobs:
     needs: ci
     if: github.event_name != 'schedule'
     uses: hoverkraft-tech/ci-github-publish/.github/workflows/release-actions.yml@0717eb404857b7e4a15dc0db5fbece52921e85fb # 0.13.1
+    permissions:
+      contents: read
     with:
       update-all: ${{ (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) || github.event_name == 'workflow_dispatch' }}
       github-app-id: ${{ vars.CI_BOT_APP_ID }}
     secrets:
       github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
+
+  sync-docs:
+    needs: release
+    if: github.event_name != 'schedule' && github.ref_name == github.event.repository.default_branch && needs.release.outputs.artifact-id
+    uses: hoverkraft-tech/public-docs/.github/workflows/sync-docs-dispatcher.yml@c40c17f7d6a8090950b3ef4bfc70502707a6bb9f # 0.3.0
+    permissions:
+      contents: read
+    with:
+      artifact-id: ${{ needs.release.outputs.artifact-id }}
+      github-app-id: ${{ vars.CI_BOT_APP_ID }}
+    secrets:
+      github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}