docs: add Sphinx documentation site with Bazel#88
docs: add Sphinx documentation site with Bazel#88ltekieli merged 3 commits intoeclipse-score:mainfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Adds a Bazel-built Sphinx documentation site for ITF (how-to, reference, concepts) and wires CI to verify/build and publish docs via GitHub Pages, while making the existing ITF workflow reusable for composition.
Changes:
- Introduces a new
docs/Sphinx site (how-to guides, Bazel macro/rule reference, plugin reference, architecture + PlantUML diagram). - Adds a root
//:docsBazel target and thescore_docs_as_codemodule dependency. - Adds GitHub Actions workflows for docs verification/build + makes
itf.ymlcallable viaworkflow_call.
Reviewed changes
Copilot reviewed 17 out of 18 changed files in this pull request and generated 9 comments.
Show a summary per file
| File | Description |
|---|---|
| docs/reference/plugins.rst | Adds plugin catalog, capability table, and per-plugin CLI argument reference. |
| docs/reference/index.rst | Adds Reference section index and toctree. |
| docs/reference/bazel_macros.rst | Documents py_itf_test and py_itf_plugin usage and attributes. |
| docs/index.rst | Adds landing page with grid navigation + sitemap toctree. |
| docs/how-to/write_tests.md | Adds Docker/QEMU/capability-based testing guide and examples. |
| docs/how-to/plugins.md | Adds plugin usage guide and custom plugin example. |
| docs/how-to/index.rst | Adds How-To section index and toctree. |
| docs/how-to/get_started.md | Adds from-scratch setup guide including Bazel module + first test. |
| docs/conf.py | Adds minimal Sphinx configuration using score_sphinx_bundle. |
| docs/concepts/itf_architecture.puml | Adds PlantUML architecture diagram source. |
| docs/concepts/index.rst | Adds Concepts section index and toctree. |
| docs/concepts/architecture.rst | Adds architecture narrative + embeds PlantUML diagram. |
| MODULE.bazel | Adds score_docs_as_code dependency. |
| BUILD | Adds docs() macro target for building the Sphinx site. |
| .gitignore | Ignores Sphinx build output and auto-generated config file. |
| .github/workflows/itf.yml | Adds workflow_call trigger for reusability. |
| .github/workflows/docs.yml | Adds docs verify + build/deploy workflow using reusable workflows. |
| .bazelrc | Sets Java 17 toolchain flags (to support PlantUML). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 17 out of 18 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
This might be out of scope for now though may will reduce future work time. Might be better to adapt this earlier than later. |
Fixed it and matched the folder structure. Leaving stubs since there is nothing to document in some directories. |
@PandaeDo can you have a look if this looks right as a first option? |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 22 out of 23 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
PandaeDo
left a comment
PandaeDo
left a comment
There was a problem hiding this comment.
@clanghans If you like I can give you an introduction into the processes. We have also templates available that can easily copied and filled out. I'm pretty sure that you can use all of your content. But as the module might not be the only place to document it I'm sure that we can find this also easily out to speed the step of archiving compliance a litte bit up.
PandaeDo
left a comment
PandaeDo
left a comment
There was a problem hiding this comment.
As discussed with @clanghans it's fine from the perspective of the process community to use it as a initial version and update afterwards according to the processes and templates
|
I guess we've discussed the boilerplate at length now. @ltekieli can you have a look at the actual content? |
ltekieli
left a comment
ltekieli
left a comment
There was a problem hiding this comment.
Hey @clanghans, I took a look at the workflow security setup. The current docs.yml uses pull_request_target, which is risky because the reusable workflows from cicd-workflows check out the PR's head ref and then run bazel run on it. Under pull_request_target that code executes with a GITHUB_TOKEN that has contents: write, pages: write, and id-token: write — so a malicious fork PR could get arbitrary code execution with write access to the repo and Pages.
I'd suggest the following changes (same pattern we already use in itf-qnx.yml):
- Replace
pull_request_targetwithpull_request— this ensures fork PRs never get a write-scoped token. - Skip fork PRs on
docs-verifyusing the same guard asitf-qnx.yml:if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
- Run
docs-buildonly in merge queue / push to main / release — not on PRs at all. The verification step already catches docs issues during PR review; the full build + deploy only needs to happen after reviews are done:if: github.event_name != 'pull_request'
- Tighten top-level permissions to
contents: read— the broad write permissions are only needed bydocs-build, which already declares them at job level.
This also removes the always() condition on docs-build since it no longer runs on PRs and the simple needs: [docs-verify] dependency is sufficient.
- Remove the commented-out
unit-testsblock entirely. Leaving it in withsecrets: inheritis a footgun — when someone uncomments it,itf.ymlhas nopermissions:block, so it would inherit the caller's write permissions and all secrets while running untrusted code. Better to remove it now and add it back properly in a dedicated PR where the permissions can be set up correctly (at minimumitf.ymlwould need an explicitpermissions: { contents: read }block, andsecrets: inheritshould be reconsidered).
|
A few additional findings from reviewing the documentation content against the source code: Documentation accuracy
Minor observations
|
|
One more thing — the PR currently has 30 commits with a lot of back-and-forth (fixups, merge commits, co-authored suggestions). Before merging, I'd suggest squashing them down into three logical commits:
This keeps the history clean and makes it easy to revert or cherry-pick each concern independently. |
This we most likely should fix everywhere if this is still an issue in some places. |
|
It wasn't meant as everywhere in this repo but more like an esclipse-score wide everywhere. Not specifically for this repo. Sorry for making it vague |
clanghans
force-pushed
the
feature/docs-as-code-initial
branch
from
74c0a87 to
9f0d3d0
Compare
|
@ltekieli thanks for your review and the constructive feedback. I have addressed them.
|
|
Please remove the merge commit and do a rebase instead. We can then merge the PR. |
clanghans
force-pushed
the
feature/docs-as-code-initial
branch
from
c1f0674 to
d31ae9a
Compare
done |
|
Verification step fails: https://github.com/eclipse-score/itf/actions/runs/25369536664/job/74389135618?pr=99 |
clanghans
force-pushed
the
feature/docs-as-code-initial
branch
from
d31ae9a to
abe9902
Compare
- Add score_docs_as_code v4.0.1 dependency to MODULE.bazel - Configure Java 17 in .bazelrc for PlantUML smetana layout - Add docs() Bazel target to BUILD (load() at top per buildifier) - Ignore Sphinx _build/ output and generated ubproject.toml - Add docs/conf.py with project metadata and score_sphinx_bundle
Add full documentation under docs/ covering: - How-to guides: get started, write tests, plugin usage - Reference: Bazel macros/rules, plugin CLI args, Target API - Concepts: architecture overview with PlantUML diagram, plugin system, capability model, plugin loading order - Stub sections for manual, release, safety_mgt, security_mgt, verification_report per S-CORE module folder structure spec
- Add docs.yml: runs docs-verify on pull requests (fork PRs skipped), docs-build on push/merge_group/release only; top-level permissions locked to contents: read; write permissions scoped to job level
clanghans
force-pushed
the
feature/docs-as-code-initial
branch
from
abe9902 to
194e5f6
Compare
github-merge-queue
Bot
removed this pull request from the merge queue due to failed status checks
github-project-automation
Bot
moved this from Backlog
to Done
in TST - Testing Community
Summary
how-to guides, Bazel macro reference, plugin reference, and architecture
concepts
with stub sections for manual, release notes, safety, security, and
verification report
the docs pipeline
What's included
Infrastructure
Documentation (`docs/`)
`git_override`, first test, `@score_itf` load prefix note, attribute plugin
example for requirement traceability
QEMU, capability-based tests, `--keep-target`
`py_itf_plugin` attribute reference
plugin lifecycle, Bazel integration; includes PlantUML component diagram
`!pragma layout smetana` (no Graphviz dependency)
analysis reviews
CI
PR and push to main
Test plan
Notes
test suite is ready to run in CI, uncomment it and add it to
`docs-build.needs`.
`origin/main` HEAD for users who need unreleased fixes.
`verification_report`) contain only a `.. note::` placeholder listing
planned content. They establish the folder structure now to avoid a
separate restructuring PR later.