feat: add CI workflow to auto-update CLI docs (#31)

[boxcee-interview]

Closes #31

Adds a GitHub Actions workflow that automatically updates CLI command reference documentation in the crossplane/docs repository.

Changes

• New .github/workflows/update-docs.yml workflow triggered on push to main and on release tags
• Builds the CLI via Nix, runs crossplane generate-docs, then creates a PR to crossplane/docs via peter-evans/create-pull-request

How to Test

Requires a DOCS_WRITE_TOKEN secret with write access to crossplane/docs repo. The workflow will create a PR to that repo when triggered on push to main or a new tag.

[coderabbitai]

📝 Walkthrough

Walkthrough

A new GitHub Actions workflow (Update CLI Docs) is added. It triggers on pushes to main and version tags (v*), builds the CLI using Nix, generates command-reference.md, checks out the crossplane/docs repo, determines the target directory based on tag vs. branch, and opens a pull request when the generated docs differ.

Changes

Automated CLI Docs Update Workflow

Layer / File(s)	Summary
Workflow triggers and permissions .github/workflows/update-docs.yml	Declares the Update CLI Docs workflow with push triggers for main and v* tags, workflow-level contents: read, and job-level write permissions for contents and pull requests.
CLI build and doc generation .github/workflows/update-docs.yml	Checks out the repo, installs Nix with Cachix, builds the CLI via nix build, copies the binary to /tmp, and runs it to produce generated-docs/command-reference.md.
Docs repo checkout, diff detection, and PR creation .github/workflows/update-docs.yml	Checks out crossplane/docs with DOCS_WRITE_TOKEN, resolves the target directory (content/cli/<version> for tags, content/cli/master for main), copies the generated markdown, detects changes via git diff, and conditionally opens a PR on branch auto/update-cli-docs using peter-evans/create-pull-request.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• crossplane/cli#106: Adds the same Nix-based CLI doc generation and auto-PR flow targeting content/cli/master in the docs repo, which this PR extends with versioned tag support.
• crossplane/cli#120: Shares the same PR branch name (auto/update-cli-docs) and commit message template used here for docs-update PRs.
• crossplane/cli#121: Adjusts commit metadata for docs PR commits in the same GitHub Actions automation context.

Suggested reviewers

• jcogilvie
• tampakrap
• jbw976

🚥 Pre-merge checks | ✅ 6

✅ Passed checks (6 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title is descriptive, under the length limit, and matches the main change of adding a CI workflow to auto-update CLI docs.
Description check	✅ Passed	The description clearly relates to the new workflow and its docs automation behavior.
Linked Issues check	✅ Passed	The workflow updates docs on main and release tags and opens PRs automatically, matching the linked issue's core automation goals.
Out of Scope Changes check	✅ Passed	The changes are confined to the new docs-update workflow and stay within the requested CI automation scope.
Breaking Changes	✅ Passed	Only .github/workflows/update-docs.yml changed; no apis/** or cmd/** public API/flag edits were made.
Feature Gate Requirement	✅ Passed	The PR only adds a CI workflow for docs generation; it doesn’t touch apis/** or introduce runtime/experimental behavior, so no feature flag is needed.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/update-docs.yml:
- Around line 14-18: The update-docs workflow can have overlapping runs writing
to the shared auto/update-cli-docs branch, which can cause out-of-order docs
updates. Add workflow-level serialization in update-docs and/or make the PR
branch name unique per target directory before the branch is reused, so only one
run of the update-docs job can write at a time and the generated docs PR stays
current.
- Around line 60-67: The docs change detection in the Update Docs step misses
newly created untracked files, so first-time release docs can be skipped. Update
the gate in the Update Docs workflow to use a status check that includes
untracked files, or stage the generated docs before checking, so the
`docs-changed` flag is set when `command-reference.md` is newly added. Use the
`Update Docs` step and its `git diff --quiet` check as the location to adjust.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9ba7c8c3-3946-4d7d-85f8-97b202caf5d1

📥 Commits

Reviewing files that changed from the base of the PR and between 86f5f7a and 1b8069c.

📒 Files selected for processing (1)

• .github/workflows/update-docs.yml

[coderabbitai]

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Serialize this workflow before reusing auto/update-cli-docs.

Appreciate the automation here. Because every main push and every release tag writes to the same branch at Line 82, overlapping runs can update that branch out of order and leave the docs PR pointing at older generated content. Could we add concurrency or derive the PR branch from the target directory so only one writer owns the branch at a time?

One simple hardening option

 jobs:
   update-docs:
+    concurrency:
+      group: update-cli-docs
+      cancel-in-progress: true
     permissions:
       contents: write
       pull-requests: write

Also applies to: 69-83

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/update-docs.yml around lines 14 - 18, The update-docs
workflow can have overlapping runs writing to the shared auto/update-cli-docs
branch, which can cause out-of-order docs updates. Add workflow-level
serialization in update-docs and/or make the PR branch name unique per target
directory before the branch is reused, so only one run of the update-docs job
can write at a time and the generated docs PR stays current.

[coderabbitai]

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Handle untracked release docs when deciding whether to open a PR.

Thanks for wiring this up. On a first release for a new target directory, Line 63 creates an untracked command-reference.md, but Line 65 uses git diff --quiet, which ignores untracked files. In that case docs-changed never flips to true, so the workflow skips PR creation exactly when a new release doc needs to be added. Could we switch this gate to git status --porcelain (or stage intent-to-add) so new files count too?

Proposed fix

       - name: Update Docs
         run: |
           mkdir -p docs/${{ steps.target.outputs.dir }}
           cp generated-docs/command-reference.md docs/${{ steps.target.outputs.dir }}/command-reference.md
           cd docs
-          if ! git diff --quiet; then
+          if [[ -n "$(git status --porcelain --untracked-files=all)" ]]; then
             echo "docs-changed=true" >> "$GITHUB_ENV"
           fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Update Docs
	run: |
	mkdir -p docs/${{ steps.target.outputs.dir }}
	cp generated-docs/command-reference.md docs/${{ steps.target.outputs.dir }}/command-reference.md
	cd docs
	if ! git diff --quiet; then
	echo "docs-changed=true" >> "$GITHUB_ENV"
	fi
	- name: Update Docs
	run: |
	mkdir -p docs/${{ steps.target.outputs.dir }}
	cp generated-docs/command-reference.md docs/${{ steps.target.outputs.dir }}/command-reference.md
	cd docs
	if [[ -n "$(git status --porcelain --untracked-files=all)" ]]; then
	echo "docs-changed=true" >> "$GITHUB_ENV"
	fi

🧰 Tools

🪛 zizmor (1.26.1)

[info] 62-62: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

---

[info] 63-63: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/update-docs.yml around lines 60 - 67, The docs change
detection in the Update Docs step misses newly created untracked files, so
first-time release docs can be skipped. Update the gate in the Update Docs
workflow to use a status check that includes untracked files, or stage the
generated docs before checking, so the `docs-changed` flag is set when
`command-reference.md` is newly added. Use the `Update Docs` step and its `git
diff --quiet` check as the location to adjust.

[adamwg]

Thanks for taking a look at this!

We already have automated docs updates working on the main branch as part of the Validate Docs job in the ci workflow. No objection to centralizing the updates if we can have a single workflow handle both releases and main updates, but we shouldn't do it twice.

For releases, I think we shouldn't update docs until the release has been promoted to the stable channel. It might make sense to attach the docs update to the promote workflow.

[adamwg]

Note that the docs are versioned per minor version, not for each patch. The tag will be (e.g.) v2.4.1, so this logic needs to strip the patch portion to make the directory name v2.4.

[boxcee-interview]

Addressed review feedback:

• Removed main branch trigger — the job already handles docs updates on main pushes, so this workflow now triggers only on release tags.
• Added concurrency group — prevents overlapping runs from writing to the same branch simultaneously.
• Fixed version directory naming — strip patch version so → (per your inline comment about minor-version directory structure).
• Fixed untracked file detection — switched from to so newly created release docs aren't silently skipped.

Regarding the promote workflow question: happy to discuss whether attaching the docs update to the promote workflow makes more sense. For now, keeping the tag-triggered workflow as a first pass.

[boxcee-interview]

Addressed review feedback:

• Removed main branch trigger — the ci.yml validate-docs job already handles docs updates on main pushes, so this workflow now triggers only on release tags.
• Added concurrency group — prevents overlapping runs from writing to the same branch simultaneously.
• Fixed version directory naming — strip patch version so v2.4.1 → content/cli/2.4 (per your inline comment about minor-version directory structure).
• Fixed untracked file detection — switched from git diff --quiet to git status --porcelain so newly created release docs are not silently skipped.

Regarding the promote workflow question: happy to discuss whether attaching the docs update to the promote workflow makes more sense. For now, keeping the tag-triggered workflow as a first pass.