docs

ci: set contents read as default workflow permissions #154

	name: docs

	# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
	permissions:
	contents: read

	on:
	workflow_dispatch:
	push:
	tags:
	- '*'
	paths:
	- '.github/workflows/docs.yml'
	- 'docs/**'
	- 'CHANGELOG.md'
	- 'mkdocs.yml'
	pull_request:
	paths:
	- '.github/workflows/docs.yml'
	- 'docs/**'
	- 'CHANGELOG.md'
	- 'mkdocs.yml'

	jobs:
	publish:
	runs-on: ubuntu-latest
	permissions:
	# required to push to gh-pages
	contents: write
	steps:
	-
	name: Checkout
	uses: actions/checkout@v3
	with:
	fetch-depth: 0
	-
	name: Prepare
	id: prepare
	run: \|
	VERSION=edge
	RELEASE=false
	if [[ $GITHUB_REF == refs/tags/* ]]; then
	VERSION=${GITHUB_REF#refs/tags/}
	fi
	if [[ $VERSION =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
	RELEASE=true
	fi
	echo "RELEASE=${RELEASE}" >> $GITHUB_ENV
	-
	name: Build mkdocs Docker image
	run: \|
	docker build -t mkdocs -f ./docs/Dockerfile ./docs/
	-
	name: Build docs
	run: \|
	docker run --rm -v "$(pwd):/docs" mkdocs build --strict
	sudo chown -R $(id -u):$(id -g) ./site
	-
	name: Check GitHub Pages status
	uses: crazy-max/ghaction-github-status@v3
	with:
	pages_threshold: major_outage
	-
	name: Deploy
	if: github.event_name != 'pull_request' && (endsWith(github.ref, github.event.repository.default_branch) \|\| env.RELEASE == 'true')
	uses: crazy-max/ghaction-github-pages@v3
	with:
	target_branch: gh-pages
	build_dir: site
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Provide feedback