docs workflow: try to fix it a third time

I think I likely found the issue. zizmor seems OK with persisting credentials, see https://github.com/jj-vcs/jj/actions/runs/13559693565/job/37900455060?pr=5820 Both of these workflows run only on commits in `main`, so this doesn't seem like a huge security hole, but we could consider other, better solutions in the future. Follow up to 78177ff. See #5819 for a failed attempt. cc @thoughtpolice @neongreen @martinvonz
2025-05-31 03:42:39 +00:00 · 2025-02-26 21:26:47 -08:00 · 2025-02-26 21:26:47 -08:00 · f399c57466
commit f399c57466
parent 78177ff69e
2 changed files with 6 additions and 5 deletions
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@ -9,6 +9,8 @@ permissions: {}

 jobs:
  prerelease-docs-build-deploy:
+    # IMPORTANT: this workflow also functions as a test for `docs-deploy-website-latest-release` in
+    # releases.yml. Any fixes here should probably be duplicated there.
    permissions:
      contents: write
    if: github.repository_owner == 'jj-vcs' # Stops this job from running on forks
@ -20,7 +22,8 @@ jobs:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
-          persist-credentials: false
+          # `.github/scripts/docs-build-deploy` will need to `git push` to the docs branch
+          persist-credentials: true
      - run:  "git fetch origin gh-pages --depth=1"
      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38
        with:
@ -36,7 +39,5 @@ jobs:
          export MKDOCS_SITE_NAME="Jujutsu docs (prerelease)"
          export MKDOCS_PRIMARY_COLOR="blue grey"
          .github/scripts/docs-build-deploy prerelease --push
-        env:
-            GH_TOKEN:  ${{ secrets.GITHUB_TOKEN }}
      - name: "Show `git diff --stat`"
        run: git diff --stat gh-pages^ gh-pages || echo "(No diffs)"
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -128,7 +128,8 @@ jobs:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
-          persist-credentials: false
+          # `.github/scripts/docs-build-deploy` will need to `git push` to the docs branch
+          persist-credentials: true
      - run:  "git fetch origin gh-pages --depth=1"
      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38
        with:
@ -146,6 +147,5 @@ jobs:
          .github/scripts/docs-build-deploy "${RELEASE_TAG_NAME}" latest --update-aliases --push
        env:
          RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
-          GH_TOKEN:  ${{ secrets.GITHUB_TOKEN }}
      - name: "Show `git diff --stat`"
        run: git diff --stat gh-pages^ gh-pages || echo "(No diffs)"