From 79c583eca302dbcbfd53c7b92c869f46ba0f602a Mon Sep 17 00:00:00 2001
From: beatz174-bit <beatz174@gmail.com>
Date: Wed, 13 May 2026 08:25:31 +1000
Subject: [PATCH] Add MkDocs GitHub Pages publish workflow

---
 .github/workflows/publish-docs.yml | 70 ++++++++++++++++++++++++++++++
 .gitignore                         |  1 +
 docs/repo-structure.md             |  2 +-
 docs/security-secrets.md           |  6 +--
 docs/terraform-workflows.md        |  2 +-
 mkdocs.yml                         |  6 +++
 6 files changed, 82 insertions(+), 5 deletions(-)
 create mode 100644 .github/workflows/publish-docs.yml

diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
new file mode 100644
index 0000000..739d4a8
--- /dev/null
+++ b/.github/workflows/publish-docs.yml
@@ -0,0 +1,70 @@
+name: Publish documentation site
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: github-pages
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install tooling
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y graphviz jq python3 python3-pip
+
+          if ! docker compose version >/dev/null 2>&1; then
+            sudo apt-get install -y docker-compose-v2 || sudo apt-get install -y docker-compose || true
+          fi
+
+          if ! docker compose version >/dev/null 2>&1; then
+            echo "docker compose CLI is unavailable on this runner" >&2
+            exit 1
+          fi
+
+          python3 -m pip install --user mkdocs pyyaml jinja2
+
+      - name: Generate documentation
+        run: |
+          chmod +x scripts/docs/*.sh
+          scripts/docs/generate-all.sh
+
+      - name: Build MkDocs site
+        run: |
+          python3 -m mkdocs build --strict
+
+      - name: Configure GitHub Pages
+        uses: actions/configure-pages@v5
+
+      - name: Upload GitHub Pages artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: site
+
+  deploy:
+    runs-on: ubuntu-latest
+    needs: build
+
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4
diff --git a/.gitignore b/.gitignore
index 645e799..f16243b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,3 +29,4 @@ secrets/*
 !.env.example
 core/traefik/certs/*
 !core/traefik/certs/.gitkeep
+site/
diff --git a/docs/repo-structure.md b/docs/repo-structure.md
index d85e376..f3c674e 100644
--- a/docs/repo-structure.md
+++ b/docs/repo-structure.md
@@ -33,7 +33,7 @@ This page explains where to find authoritative files quickly.
 
 ## Fast path for future Codex runs
 
-1. Read [README.md](../README.md).
+1. Read [README.md](https://github.com/beatz174-bit/docker/blob/main/README.md).
 2. Read [docs/source-of-truth.md](source-of-truth.md).
 3. Read [docs/docker-environment.md](docker-environment.md).
 4. Read [docs/terraform-workflows.md](terraform-workflows.md).
diff --git a/docs/security-secrets.md b/docs/security-secrets.md
index 4389901..1e13b43 100644
--- a/docs/security-secrets.md
+++ b/docs/security-secrets.md
@@ -4,11 +4,11 @@
 
 This page explains how secret material is organized in this repository and where to find both human-readable and machine-readable references.
 
-For machine-readable inventory metadata, use [`../secrets/inventory.json`](../secrets/inventory.json).
+For machine-readable inventory metadata, use [`secrets/inventory.json`](https://github.com/beatz174-bit/docker/blob/main/secrets/inventory.json).
 
 ## Scope and authority
 
-- Canonical example template: [`../secrets/.env.secrets.example`](../secrets/.env.secrets.example)
+- Canonical example template: [`secrets/.env.secrets.example`](https://github.com/beatz174-bit/docker/blob/main/secrets/.env.secrets.example)
 - Runtime-loaded secret env file (local, non-committed): `../secrets/stack-secrets.env`
 - Dynu DNS inventory env file (local, non-committed): `../secrets/dynu.env`
 - Docker secret files (local, non-committed): `../secrets/*.txt`
@@ -30,7 +30,7 @@ Treat the example template as the canonical shape for expected environment varia
 
 ## Machine-readable inventory
 
-- Primary automation source: [`../secrets/inventory.json`](../secrets/inventory.json)
+- Primary automation source: [`secrets/inventory.json`](https://github.com/beatz174-bit/docker/blob/main/secrets/inventory.json)
 - Human guidance source: this page
 
 Automation should parse `secrets/inventory.json` directly rather than scraping Markdown tables.
diff --git a/docs/terraform-workflows.md b/docs/terraform-workflows.md
index 91ca6e2..1ab8637 100644
--- a/docs/terraform-workflows.md
+++ b/docs/terraform-workflows.md
@@ -90,4 +90,4 @@ Treat generated files as:
 
 - [docs/source-of-truth.md](source-of-truth.md)
 - [docs/infrastructure-inventory.md](infrastructure-inventory.md)
-- [infrastructure/terraform/README.md](../infrastructure/terraform/README.md)
+- [infrastructure/terraform/README.md](https://github.com/beatz174-bit/docker/blob/main/infrastructure/terraform/README.md)
diff --git a/mkdocs.yml b/mkdocs.yml
index 0a9985e..8b54c34 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -18,3 +18,9 @@ nav:
 
 theme:
   name: mkdocs
+
+validation:
+  nav:
+    omitted_files: ignore
+exclude_docs: |
+  README.md