Automation model
End-to-end GitLab automation between workflow repositories and docs-portal.
Pipeline sources
| Source | Portal behavior |
|---|---|
Push to develop / master | Lint → validate mirrors → build → Pages |
| Downstream trigger from workflow repo | Sync → validate → commit mirror → build → Pages |
Manual SYNC_MODE=all (web) | Full sync all active workflows |
Workflow repo pipeline (example: superbuild)
Stages: validate → trigger
1. workflow-docs:contract
Runs on develop when docs/**/* changes.
- Confirms
docs/workflow-manifest.yaml,portal-integration.md,navigation-meta.md - Validates manifest
workflow_idand version
2. trigger:docs-portal
Triggers multi-project pipeline:
trigger:
project: libesys/ai-workflows/docs-portal
branch: develop
strategy: depend
forward:
pipeline_variables: true
variables:
WORKFLOW_SYNC_ID: superbuild
WORKFLOW_SYNC_REF: $CI_COMMIT_SHA
WORKFLOW_SYNC_PROJECT: $CI_PROJECT_PATH
SYNC_MODE: single
PORTAL_SYNC_COMMIT: "true"
strategy: depend blocks the workflow pipeline until the portal pipeline completes — failures are visible upstream.
Portal pipeline (docs-portal)
Defined in .gitlab-ci.yml + .gitlab/workflow-sync.yml.
Sync stage (sync:workflow)
When WORKFLOW_SYNC_ID is set:
- Clone workflow repo at
WORKFLOW_SYNC_REFusingCI_JOB_TOKEN python scripts/sync_workflow.py <id> --commit- Update
sidebars*.tsfrom manifestsidebar_order - Commit and push mirror changes to
developwhenPORTAL_SYNC_COMMIT=true
Validate stage
| Job | When |
|---|---|
validate:import | After sync trigger — full manifest/registry validation |
validate:mirrored | Every push — portal-owned files and target dirs exist |
Build and Pages
Unchanged Docusaurus flow:
develop→ https://docs-portal-1c6c85.gitlab.iomaster→ https://esys-ai.org
Numbered end-to-end flow
- Author edits
superbuild-workflow/docs/ondevelop - Workflow CI validates portal contract files
- Workflow CI triggers
docs-portaldownstream pipeline (strategy: depend) - Portal clones superbuild at
WORKFLOW_SYNC_REF sync_workflow.pyupdatesdocs-superbuild/(preservesintro.md)- Sidebar updated from manifest order
validate_workflow_import.pychecks contract coherence- Automated
chore(sync): …commit lands ondevelop(if diff) npm run buildwith branch-appropriateDOCS_SITE_URLpagespublishes preview site- Workflow pipeline marks trigger job pass/fail based on portal result
Required GitLab configuration
docs-portal project
| Setting | Value |
|---|---|
| Settings → CI/CD → Pipeline triggers | Inbound triggers from workflow projects allowed |
| Settings → CI/CD → Job token permissions → Outbound | Enable outbound access; add each workflow project (portal clones upstream) |
| Settings → CI/CD → Job token permissions → Inbound | Add workflow projects that trigger portal (optional hardening) |
| Settings → CI/CD → Job token permissions → Allow Git push | Enable if automated chore(sync): commits push via CI_JOB_TOKEN |
| Pages custom domain | esys-ai.org on production (master) only |
| Variables (optional) | GITLAB_SYNC_TOKEN — project access token with read_repository (clone) and write_repository (push) if job token is insufficient |
Each workflow project
| Setting | Value |
|---|---|
| CI/CD variables | DOCS_PORTAL_PROJECT, WORKFLOW_SYNC_ID (or hardcode in .gitlab-ci.yml) |
| Multi-project pipelines | Permission to trigger docs-portal |
Token scopes (if using project access token)
read_repositoryon workflow repos (portal clone)write_repositoryon docs-portal (automated sync commit push)
Security and governance
- Workflow repos remain source of truth — portal tokens only clone and mirror
- Automated commits use a dedicated bot identity (
docs-portal sync) - Manual edits to mirrored files are discouraged; sync overwrites on next trigger
- Downstream triggers are scoped to
docs/**changes ondevelop
Local parity
Developers run the same sync without CI:
pip install -r requirements-sync.txt
python scripts/sync_workflow.py superbuild --source ../superbuild-workflow
python scripts/validate_workflow_import.py superbuild --source ../superbuild-workflow
npm run build