Harden docs CI and workflow governance

Author: rwilliamspbg-ops

.github/workflows/deploy.yml

@@ -4,9 +4,19 @@ on:
   push:
     branches:
       - main
+    paths-ignore:
+      - "**/*.md"
+      - "docs/**"
+      - "Documentation/**"
+      - ".github/workflows/docs-*.yml"
   pull_request:
     branches:
       - main
+    paths-ignore:
+      - "**/*.md"
+      - "docs/**"
+      - "Documentation/**"
+      - ".github/workflows/docs-*.yml"
   workflow_dispatch:
 
 env:

.github/workflows/docs-markdownlint.yml

@@ -6,12 +6,18 @@ on:
       - "README.md"
       - "docs/**"
       - ".github/workflows/docs-markdownlint.yml"
+      - "CONTRIBUTING.md"
+      - "Documentation/**"
+      - ".markdownlint-docs.json"
   push:
     branches: [main]
     paths:
       - "README.md"
       - "docs/**"
       - ".github/workflows/docs-markdownlint.yml"
+      - "CONTRIBUTING.md"
+      - "Documentation/**"
+      - ".markdownlint-docs.json"
 
 jobs:
   markdownlint:
@@ -27,15 +33,13 @@ jobs:
 
       - name: Run markdownlint (targeted docs)
         run: |
-          cat > /tmp/markdownlint-docs.json <<'EOF'
-          {
-            "default": true,
-            "MD013": false,
-            "MD007": false,
-            "MD033": false
-          }
-          EOF
           npx --yes markdownlint-cli2 \
-            --config /tmp/markdownlint-docs.json \
+            --config .markdownlint-docs.json \
             README.md \
-            docs/ALERT_RUNBOOKS.md
+            CONTRIBUTING.md \
+            docs/ALERT_RUNBOOKS.md \
+            docs/index.md \
+            docs/README.md \
+            Documentation/README.md \
+            docs/DOCUMENTATION_MAINTENANCE.md \
+            Documentation/Project/REPO_SETTINGS_ADMIN_RUNBOOK.md

.github/workflows/docs-pages.yml

@@ -6,6 +6,7 @@ on:
     paths:
       - "README.md"
       - "docs/**"
+      - "scripts/check_markdown_assets.py"
       - ".github/workflows/docs-pages.yml"
   workflow_dispatch:
 
@@ -39,6 +40,11 @@ jobs:
       - name: Install markdown renderer
         run: python -m pip install --upgrade pip markdown
 
+      - name: Validate docs image assets
+        run: |
+          mapfile -t markdown_files < <(find docs -type f -name '*.md' | sort)
+          python scripts/check_markdown_assets.py README.md "${markdown_files[@]}"
+
       - name: Build docs site
         run: |
           python - <<'PY'
@@ -116,6 +122,12 @@ jobs:
           (root / '.nojekyll').write_text('', encoding='utf-8')
           PY
 
+      - name: Pages build smoke test
+        run: |
+          test -f .pages-site/index.html
+          test -s .pages-site/index.html
+          echo "Pages build smoke test passed"
+
       - name: Upload Pages artifact
         uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
         with:

.github/workflows/docs-quality.yml

@@ -4,18 +4,20 @@ on:
   pull_request:
     paths:
       - "README.md"
-      - "docs/README.md"
-      - "Documentation/README.md"
-      - "docs/DOCUMENTATION_MAINTENANCE.md"
+      - "CONTRIBUTING.md"
+      - "docs/**"
+      - "Documentation/**"
+      - ".markdownlint-docs.json"
       - "scripts/check_markdown_links_subset.py"
       - ".github/workflows/docs-quality.yml"
   push:
     branches: [main]
     paths:
       - "README.md"
-      - "docs/README.md"
-      - "Documentation/README.md"
-      - "docs/DOCUMENTATION_MAINTENANCE.md"
+      - "CONTRIBUTING.md"
+      - "docs/**"
+      - "Documentation/**"
+      - ".markdownlint-docs.json"
       - "scripts/check_markdown_links_subset.py"
       - ".github/workflows/docs-quality.yml"
   workflow_dispatch:
@@ -43,25 +45,23 @@ jobs:
 
       - name: Markdown lint (targeted files)
         run: |
-          cat > /tmp/markdownlint-docs-quality.json <<'EOF'
-          {
-            "default": true,
-            "MD013": false,
-            "MD007": false,
-            "MD033": false
-          }
-          EOF
           npx --yes markdownlint-cli2 \
-            --config /tmp/markdownlint-docs-quality.json \
+            --config .markdownlint-docs.json \
             README.md \
+            CONTRIBUTING.md \
             docs/README.md \
             Documentation/README.md \
-            docs/DOCUMENTATION_MAINTENANCE.md
+            docs/DOCUMENTATION_MAINTENANCE.md \
+            docs/index.md \
+            Documentation/Project/REPO_SETTINGS_ADMIN_RUNBOOK.md
 
       - name: Local markdown link check (targeted files)
         run: |
           python scripts/check_markdown_links_subset.py \
             README.md \
+            CONTRIBUTING.md \
             docs/README.md \
             Documentation/README.md \
-            docs/DOCUMENTATION_MAINTENANCE.md
+            docs/DOCUMENTATION_MAINTENANCE.md \
+            docs/index.md \
+            Documentation/Project/REPO_SETTINGS_ADMIN_RUNBOOK.md

.github/workflows/lint.yml

@@ -4,8 +4,18 @@ on:
   workflow_dispatch:
   push:
     branches: [ main ]
+    paths-ignore:
+      - "**/*.md"
+      - "docs/**"
+      - "Documentation/**"
+      - ".github/workflows/docs-*.yml"
   pull_request:
     branches: [ main ]
+    paths-ignore:
+      - "**/*.md"
+      - "docs/**"
+      - "Documentation/**"
+      - ".github/workflows/docs-*.yml"
 
 permissions:
   contents: read

.github/workflows/workflow-action-pin-check.yml

@@ -41,3 +41,68 @@ jobs:
           fi
 
           echo "All workflow action references are SHA-pinned."
+
+      - name: Verify pinned SHAs resolve
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          python - <<'PY'
+          import os
+          import re
+          import sys
+          import urllib.error
+          import urllib.request
+          from pathlib import Path
+
+          token = os.environ.get('GITHUB_TOKEN', '')
+          uses_re = re.compile(r"^\s*uses:\s*([^\s#]+)")
+          sha_re = re.compile(r"^[0-9a-fA-F]{40}$")
+          refs = set()
+
+          for workflow in sorted(Path('.github/workflows').glob('*.yml')):
+              for line in workflow.read_text(encoding='utf-8', errors='ignore').splitlines():
+                  m = uses_re.match(line)
+                  if not m:
+                      continue
+                  ref = m.group(1)
+                  if ref.startswith('./') or ref.startswith('docker://'):
+                      continue
+                  if '@' not in ref:
+                      continue
+                  action, rev = ref.rsplit('@', 1)
+                  if not sha_re.fullmatch(rev):
+                      continue
+                  refs.add((action, rev, workflow.as_posix()))
+
+          if not refs:
+              print('No pinned action SHAs found to resolve.')
+              sys.exit(0)
+
+          headers = {
+              'Accept': 'application/vnd.github+json',
+              'User-Agent': 'workflow-action-pin-check',
+          }
+          if token:
+              headers['Authorization'] = f'Bearer {token}'
+
+          failures = []
+          for action, rev, workflow in sorted(refs):
+              url = f'https://api.github.com/repos/{action}/commits/{rev}'
+              req = urllib.request.Request(url, headers=headers)
+              try:
+                  with urllib.request.urlopen(req, timeout=20) as resp:
+                      if resp.status != 200:
+                          failures.append((workflow, action, rev, f'HTTP {resp.status}'))
+              except urllib.error.HTTPError as exc:
+                  failures.append((workflow, action, rev, f'HTTP {exc.code}'))
+              except Exception as exc:
+                  failures.append((workflow, action, rev, str(exc)))
+
+          if failures:
+              print('Found unresolved pinned action SHAs:')
+              for workflow, action, rev, reason in failures:
+                  print(f'- {workflow}: {action}@{rev} -> {reason}')
+              sys.exit(1)
+
+          print(f'All pinned action SHAs resolved successfully ({len(refs)} refs).')
+          PY

.markdownlint-docs.json

@@ -0,0 +1,4 @@
+{
+  "default": true,
+  "MD013": false
+}

CONTRIBUTING.md

@@ -118,3 +118,17 @@ At minimum, require these checks:
 - `Windows Client EXE Build / Build Windows Client EXE`
 - `macOS Client Smoke / macOS Client Smoke`
 - `Observability CI / Validate Dashboard Queries`
+- `docs-markdownlint / markdownlint`
+- `Docs Quality / markdown-lint-and-links`
+- `Docs Pages / deploy`
+
+Branch protection alignment rule:
+
+- If a workflow or job name is renamed, update required checks in repository settings in the same change window. Stale required check names can block merges even when CI is healthy.
+
+## Repository Settings (Admin Only)
+
+Metadata updates for description, homepage, and topics require repository admin permissions. Use:
+
+- Runbook: `Documentation/Project/REPO_SETTINGS_ADMIN_RUNBOOK.md`
+- Fallback helper: `scripts/repo_settings_fallback.sh`

Documentation/Project/REPO_SETTINGS_ADMIN_RUNBOOK.md

@@ -0,0 +1,56 @@
+# Repository Settings Admin Runbook
+
+Use this runbook when repository metadata updates are needed and automation cannot apply them due to permission limits.
+
+## Required Permissions
+
+- Repository admin rights on this repository
+- A GitHub CLI token with `repo` scope for private repos (or `public_repo` for public-only repos)
+
+Recommended token refresh command:
+
+```bash
+gh auth refresh -h github.com -s repo,read:org
+```
+
+## Metadata Values to Keep Current
+
+- Description
+- Homepage URL
+- Topics
+
+## Admin Update Commands
+
+```bash
+gh repo edit rwilliamspbg-ops/Sovereign_Map_Federated_Learning \
+  --description "Formally verified federated learning runtime with hierarchical trust, TPM sovereignty, and auditable zk-style proof paths."
+
+gh repo edit rwilliamspbg-ops/Sovereign_Map_Federated_Learning \
+  --homepage "https://rwilliamspbg-ops.github.io/Sovereign_Map_Federated_Learning/"
+
+gh repo edit rwilliamspbg-ops/Sovereign_Map_Federated_Learning \
+  --add-topic federated-learning \
+  --add-topic byzantine-fault-tolerance \
+  --add-topic tpm \
+  --add-topic zero-knowledge \
+  --add-topic post-quantum-cryptography \
+  --add-topic distributed-systems \
+  --add-topic observability
+```
+
+## Verification
+
+```bash
+gh repo view rwilliamspbg-ops/Sovereign_Map_Federated_Learning \
+  --json description,homepageUrl,repositoryTopics
+```
+
+## Branch Protection Required Checks Alignment
+
+After any workflow rename, verify required check names still match the active workflow/job names in branch protection settings.
+
+At minimum, keep these docs checks aligned:
+
+- `docs-markdownlint / markdownlint`
+- `Docs Quality / markdown-lint-and-links`
+- `Docs Pages / deploy`

README.md

@@ -69,6 +69,8 @@ flowchart TB
         A --> O[Grafana + HUD]
 ```
 
+<!-- markdownlint-disable MD033 -->
+
 <p align="center">
     <img src="docs/screenshots/hud-operations-overview.png" alt="HUD operations overview" width="400" />
     <img src="docs/screenshots/grafana-operations-overview.png" alt="Grafana operations overview" width="400" />
@@ -98,6 +100,8 @@ flowchart TB
 
 </details>
 
+<!-- markdownlint-enable MD033 -->
+
 ## Community and Contribution
 
 The project is open to contributors who want to work on practical scale and verification problems.
@@ -108,6 +112,7 @@ The project is open to contributors who want to work on practical scale and veri
 - License: [LICENSE](LICENSE)
 - Roadmap: [Documentation/Project/ROADMAP.md](Documentation/Project/ROADMAP.md)
 - Research notes: [documentation/RESEARCH_FINDINGS.md](documentation/RESEARCH_FINDINGS.md)
+- Repo settings admin runbook: [Documentation/Project/REPO_SETTINGS_ADMIN_RUNBOOK.md](Documentation/Project/REPO_SETTINGS_ADMIN_RUNBOOK.md)
 
 Looking for help with:
 
@@ -381,10 +386,7 @@ The following environment variables are available for safe runtime tuning:
 - `RUNTIME_PROFILE=ultra_latency|balanced|throughput` (default `balanced`)
 - `MEMORY_PRESSURE_SAMPLE_SECONDS` (default `5.0`)
 - Runtime API endpoint: `GET/POST /runtime/profile`
-- `GET /metrics_summary` now includes:
-    - `runtime_profile`
-    - `provider_execution_policy`
-    - `memory_pressure`
+- `GET /metrics_summary` includes `runtime_profile`, `provider_execution_policy`, and `memory_pressure`
 
 Runtime profile quick commands: