
Add jekyll-build composite action and reusable deploy/health-check workflows#2

Merged: tiffehr merged 13 commits into main from copilot/add-shared-github-actions, Apr 9, 2026

Copilot AI commented Mar 26, 2026

Bootstraps opennews-actions as a shared GitHub Actions automation repo for OpenNews Jekyll/static sites.

New files

  • jekyll-build/action.yml — Composite action: checkout → setup-ruby (.ruby-version + bundler-cache) → validate_yaml → check → build → test. Both run-checks and run-tests are boolean inputs (default true) so callers can skip either.

  • .github/workflows/jekyll-deploy.yml — Reusable workflow (workflow_call only). Calls jekyll-build@v1, extracts bucket/staging_bucket/cloudfront_distribution_id from _config.yml via inline Ruby, authenticates AWS via OIDC (configure-aws-credentials@v6), syncs _site/ to S3, conditionally invalidates CloudFront (production + CF ID present), and brackets the deploy with GitHub Deployment create/status via github-script@v8.

  • .github/workflows/jekyll-health-check.yml — Reusable workflow (workflow_call only). Runs build (checks/tests off), captures bundle outdated output, asserts _site/index.html exists, opens a labeled GitHub Issue on failure — skipping creation if a matching open issue already exists. Schedule trigger stays in the consumer's workflow.

  • .github/dependabot.yml — github-actions ecosystem only, weekly Monday, ci: prefix. No bundler/npm blocks.

Consumer usage

# deploy.yml in a consuming repo
jobs:
  deploy:
    uses: OpenNews/opennews-actions/.github/workflows/jekyll-deploy.yml@v1
    with:
      environment: ${{ github.ref == 'refs/heads/main' && 'production' || 'staging' }}
      production-url: https://example.opennews.org
    secrets:
      AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}

Consuming repos must define deployment.bucket, deployment.staging_bucket, and optionally deployment.cloudfront_distribution_id in their _config.yml.

Original prompt

Start the shared automation repo with no Ruby Gem work (no Gemfile/Rakefile/rake tasks).

Scope: Shared GitHub Actions automation only

  • No Gem-authoring, no Ruby code, no Ruby task files.
  • Only add composite action and reusable workflow YAML for use across OpenNews Jekyll/static site repos.

1. jekyll-build/action.yml (composite action for build/test)

  • Composite Action, 'using: composite'.
  • Each job step uses 'shell: bash'.
  • Steps: checkout@v6, ruby/setup-ruby@v1 (with .ruby-version, bundler-cache), bundle exec rake validate_yaml, bundle exec rake check (input: run-checks), bundle exec rake build, bundle exec rake test (input: run-tests).
  • Inputs: run-checks (default: true), run-tests (default: true).
  • No secrets, no permissions block.

2. .github/workflows/jekyll-deploy.yml (reusable workflow)

  • 'on: workflow_call' only.
  • Inputs: environment (required, 'staging'|'production'), production-url (optional), aws-region (default: 'us-east-1'), run-checks (default true), run-tests (default true).
  • Secrets: AWS_ROLE_ARN (required)
  • permissions: contents: read, id-token: write, deployments: write
  • Call 'OpenNews/opennews-actions/jekyll-build@v1' composite action (with run-checks/run-tests inputs).
  • Extract deploy config from _config.yml (bucket, staging_bucket, cloudfront_distribution_id) using inline Ruby.
  • Configure AWS creds with aws-actions/configure-aws-credentials@v6.
  • Create Deployment with actions/github-script@v8. S3 sync. CloudFront invalidate if prod/cloudfront present. Deployment status update (success/failure) with github-script@v8.

3. .github/workflows/jekyll-health-check.yml (reusable workflow)

  • 'on: workflow_call' only.
  • Inputs: issue-labels (optional, default 'automated,health-check,bug').
  • permissions: contents: read, issues: write
  • Steps: Call jekyll-build@v1 (with run-checks: false, run-tests: false), bundle outdated || true, check build output (_site, index.html) exists, create issue on failure via github-script@v8 with provided labels (but only if not already present).
  • No schedule trigger (must be in consumer's workflow).

4. .github/dependabot.yml (github-actions only)

  • Only GitHub actions ecosystem, weekly on Monday, label dependencies+github-actions, prefix: ci.
  • Omit bundler/npm blocks entirely (this PR is Actions-only).

5. README.md

  • Short, focused on usage of the composite action and workflows for use in consuming repos.
  • Example configuration for using each.
  • Warn that this repo does not provide shared Ruby code or tasks, only Actions logic.

Constraints

  • Do NOT add or reference a shared Gem, or any Ruby code/rake files.
  • No test.yml implementation in this PR, as that has repo-specific logic/ignores.
  • Pin all 3rd party actions to major versions as appropriate.
  • Composite action path: jekyll-build/action.yml.
  • Place reusable workflows in .github/workflows.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: The following public GitHub repos for OpenNews/ have been upgraded to pretty much the same core GitHub Actions based deploy mechanisms, rake tasks and developer-experience configuration files. It's repetitive and rife for code and functionality drift and should be consolidated into a Shared Composite Action.

Plan that action, if I were to upgrade the repos that still have Travis driving CI/CD work to follow the patterns in the latest Actions-focused upgrades but try to consolidate fixes and upgrades to a Shared Composition Action repo for the Org.

Upgraded to Actions:

  • OpenNews/opennews-website
  • OpenNews/srccon-site-starterkit
  • OpenNews/srccon
  • OpenNews/srccon-2026

In need of upgrade:

  • OpenNews/datainstitute-website
  • OpenNews/knight-eta-2024-website
  • OpenNews/etherpad-lite

Assistant: Good. I have enough context. Let me now produce the plan.


This pull request was created from Copilot chat.



Copilot AI changed the title from "[WIP] Add shared GitHub Actions automation for Jekyll site" to "Add jekyll-build composite action and reusable deploy/health-check workflows" Mar 26, 2026
Copilot AI requested a review from tiffehr March 26, 2026 18:35
tiffehr marked this pull request as ready for review March 26, 2026 21:11
tiffehr requested review from Copilot and ryanpitts March 26, 2026 21:11
tiffehr added the enhancement (New feature or request) label Mar 26, 2026

Copilot AI left a comment

Pull request overview

Bootstraps opennews-actions as a shared GitHub Actions automation repository for OpenNews Jekyll/static sites by adding a composite build action, reusable deploy/health-check workflows, and release/dependency automation.

Changes:

  • Added jekyll-build composite action to standardize checkout → Ruby setup → validate/check/build/test.
  • Added reusable jekyll-deploy and jekyll-health-check workflows for consumers to call via workflow_call.
  • Added release automation (release.yml + .github/release.yml) and Dependabot configuration for GitHub Actions updates.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 7 comments.

| File | Description |
| --- | --- |
| jekyll-build/action.yml | Composite action to run the standard Jekyll/Rake build pipeline in consuming repos. |
| .github/workflows/jekyll-deploy.yml | Reusable deploy workflow: build, read _config.yml deployment config, assume AWS role, sync to S3, optional CloudFront invalidation, GitHub Deployment statuses. |
| .github/workflows/jekyll-health-check.yml | Reusable health-check workflow: build (without checks/tests), report bundle outdated, validate _site/index.html, create an issue on failure. |
| .github/workflows/release.yml | Auto-release workflow on pushes to main (tagging + GitHub Release creation + floating tag update). |
| .github/release.yml | Release notes category configuration based on PR labels. |
| .github/dependabot.yml | Dependabot config to update GitHub Actions dependencies on a weekly cadence. |
| README.md | Usage and versioning documentation for consumers and maintainers. |
| .gitignore | Simplified ignore rules (now only ignores /tmp/). |


Comment thread .github/workflows/jekyll-deploy.yml Outdated
Comment thread .github/workflows/jekyll-deploy.yml Outdated
Comment thread README.md Outdated
Comment thread .github/workflows/release.yml Outdated
Comment thread .github/workflows/release.yml Outdated
Comment thread .github/workflows/jekyll-health-check.yml Outdated
Comment thread .github/workflows/jekyll-health-check.yml Outdated
tiffehr and others added 5 commits March 27, 2026 01:27
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

tiffehr commented Mar 27, 2026

@copilot Some prior review findings were cut to new Issues. Some were fixed. Re-Review.


Copilot AI commented Mar 27, 2026

> @copilot Some prior review findings were cut to new Issues. Some were fixed. Re-Review.

Re-reviewed the current state. Found three remaining single-quoted JS string interpolations that hadn't been addressed:

  • inputs.environment in the "Create GitHub Deployment" step
  • inputs.production-url in "Update Deployment Status (success)"
  • inputs.issue-labels in "Create issue on failure" (health-check)

All three are now using toJSON() (commit 86bc0af). The automated code review came back clean after the fix.
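
Why the single-quoted form matters, as an added example that is not code from this PR: `${{ }}` expressions are substituted into the github-script `script:` text before JavaScript parses it, so a bare value becomes part of the source while `toJSON()` keeps it a string literal. `expandExpressions`, `runScript` and `findBareInterpolations` are hypothetical helpers, and the script bodies and URLs are constructed.

```javascript
// Added example, not code from this PR. expandExpressions() is a simplified,
// hypothetical stand-in for the runner's ${{ }} substitution step.
function expandExpressions(template, inputs) {
  const expr = /\$\{\{\s*(toJSON\()?\s*inputs\.([\w-]+)\s*\)?\s*\}\}/g;
  return template.replace(expr, (_match, viaToJson, name) => {
    const value = String(inputs[name] ?? '');
    // toJSON() yields a quoted, escaped literal; a bare expression pastes raw text.
    return viaToJson ? JSON.stringify(value) : value;
  });
}

// Compile and run the expanded text as a function body, which is how the
// script input is treated (here with new Function and no Actions context).
function runScript(template, inputs) {
  const source = expandExpressions(template, inputs);
  try {
    return { ok: true, value: new Function(source)() };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Review check for a script body: 1-based line numbers that still contain an
// inputs.* expression not routed through toJSON().
function findBareInterpolations(scriptBody) {
  const bare = /\$\{\{\s*inputs\.[\w-]+\s*\}\}/;
  return scriptBody
    .split('\n')
    .map((line, index) => (bare.test(line) ? index + 1 : 0))
    .filter((lineNumber) => lineNumber > 0);
}

// Constructed script bodies in the two styles the comment describes.
const BEFORE = "const url = '${{ inputs.production-url }}'; return url;";
const AFTER = "const url = ${{ toJSON(inputs.production-url) }}; return url;";

// Constructed inputs: an ordinary URL and one that contains an apostrophe.
const plainInput = { 'production-url': 'https://example.opennews.org' };
const apostropheInput = { 'production-url': "https://example.opennews.org/o'brien" };

console.log(runScript(BEFORE, plainInput));      // works only while the value has no quote
console.log(runScript(BEFORE, apostropheInput)); // value is parsed as source text
console.log(runScript(AFTER, apostropheInput));  // value stays a string literal
console.log(findBareInterpolations([BEFORE, AFTER].join('\n')));
```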

@tiffehr tiffehr merged commit adad0e7 into main Apr 9, 2026