Gate gh-pages deployment to push-to-master only #6

Merged
FerreolS merged 3 commits into master from copilot/prevent-gh-pages-deployment-on-pr
Apr 30, 2026

Copilot AI commented Apr 30, 2026

  • Add permissions: contents: write to the build job so the token can push to gh-pages on push events
  • Deploy step already gated to push-to-master only (github.event_name == 'push' && github.ref == 'refs/heads/master' && github.actor != 'dependabot[bot]') — no changes needed there
Original prompt

Create a pull request that prevents deployments to gh-pages from running on pull_request events. Specifically, in .github/workflows/main.yml, keep the LaTeX build and pdf2svg steps running for both pushes and PRs, but gate the peaceiris/actions-gh-pages@v3 step so it only runs on push events to the master branch (and also skip when github.actor is dependabot[bot]).

Repository: FerreolS/InverseProblemsCookbook
PR context: Existing PR #4 fails because the workflow tries to push to gh-pages during a pull_request run and gets a 403.

Acceptance criteria:

  • actions-gh-pages deploy step does not run on pull_request.
  • Deploy step runs on push to master.
  • Deploy step is skipped for Dependabot.
  • Workflow YAML remains valid.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Please find a solution for failing job 73769684955. Use the logs, job definition, and any referenced files where the failure occurred. Keep your response focused on the solution and include code suggestions when appropriate.

Assistant: The job isn’t failing in the LaTeX build step; it’s failing when trying to publish the generated PDFs/SVGs to the gh-pages branch:

  • Error in logs:
    remote: Permission to FerreolS/InverseProblemsCookbook.git denied to github-actions[bot].
    fatal: ... returned error: 403

This happens because the workflow/job does not grant the required repository permissions for the token used by the Pages publish action, so the push to gh-pages is rejected.

Fix: grant contents: write (and Pages permissions if you use GitHub Pages) to the build job

Edit .github/workflows/main.yml (ref b0fd7ec...), and add explicit permissions for the build job (or at workflow top-level). Minimal fix for pushing to gh-pages:

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v2
      - uses: xu-cheng/latex-action@v4
        with:
          root_file: IPCookbook.tex
      - run: sudo apt-get -y install pdf2svg
      - run: pdf2svg IPCookbook.pdf IPCookbook%d.svg all
      - run: mkdir pdf
      - run: mv *{.svg,.pdf} pdf/.
      - uses: peaceiris/actions-gh-pages@v3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./pdf
          force_orphan: true

If your repo uses the newer GitHub Pages deployment permissions

Some configurations also require these additional permissions (safe to include if you’re unsure):

permissions:
  contents: write
  pages: write
  id-token: write

You can place permissions: at the workflow level (top of the file) or per job; per-job is fine here.

Optional cleanup (not required, but improves reliability)

  1. Update checkout action (v2 is quite old):
     - uses: actions/checkout@v4
  2. The log line git remote rm origin failing with “No such remote: 'origin'” is coming from the publish action’s internal setup and is not the root cause. The real failure is the 403 permission denial; once permissions are fixed, the publish should succeed.

After adding permissions: contents: write to the build job, the action should be able to push to gh-pages and the job should pass.

User: PR shouldn't deploy on gh-pages

Assistant: Don’t grant push permissions on PRs. Instead, skip the actions-gh-pages deploy step unless the event is a push to master (and optionally also skip when actor is Dependabot).

In your workflow (.github/workflows/main.yml at ref b0fd7ec887dadd4a26a038ede17d3da164bcbcb8), change the deploy step to be conditional:

# ...
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: xu-cheng/latex-action@v4
        with:
          root_file: IPCookbook.tex
      - run: sudo apt-get -y install pdf2svg
      - run: pdf2svg IPCookbook.pdf IPCookbook%d.svg all
      - run: mkdir pdf
      - run: mv *{.svg,.pdf} pdf/.
      - uses: peaceiris/actions-gh-pages@v3
        if: github.event_name == 'push' && github.ref == 'refs/heads/master' && github.actor != 'dependabot[bot]'
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./pdf
          force_orphan: true
# ...

Why this fixes PR #4:

  • PRs run under pull_request where the token typically must not be allowed to push to your repo/gh-pages.
  • With the if: guard, the job can still build/convert PDFs for PR validation, but deployment won’t run (so no 403 failure).

If you still want artifacts from PRs, add an actions/upload-artifact step (separate from deployment).

User: make a PR to do that

Assistant: I’ve kicked off the PR creation, but I need you to acce...

This pull request was created from Copilot chat.

Copilot AI changed the title from "[WIP] Prevent gh-pages deployment on pull_request events" to "Gate gh-pages deployment to push-to-master only" Apr 30, 2026
Copilot AI requested a review from FerreolS April 30, 2026 12:33
@FerreolS FerreolS marked this pull request as ready for review April 30, 2026 12:42
@FerreolS FerreolS merged commit 34c989d into master Apr 30, 2026
2 checks passed
@FerreolS FerreolS deleted the copilot/prevent-gh-pages-deployment-on-pr branch April 30, 2026 12:42
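
A least-privilege variant of the gating discussed in this PR, as an added example (not the workflow merged here): the build runs for pushes and pull requests with a read-only token, and only a separate, gated deploy job is granted contents: write. The on: triggers, the two-job split, the artifact name pdf, and the use of actions/upload-artifact and actions/download-artifact are assumptions; the remaining steps are the ones quoted in the conversation.

```yaml
# Added example, not the repository's workflow. The on: block, the job split
# and the artifact name "pdf" are assumptions made for illustration.
on: [push, pull_request]

# Default for every job: the token can read the repository, nothing more.
permissions:
  contents: read

jobs:
  build:                      # runs for pushes and pull requests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: xu-cheng/latex-action@v4
        with:
          root_file: IPCookbook.tex
      - run: sudo apt-get -y install pdf2svg
      - run: pdf2svg IPCookbook.pdf IPCookbook%d.svg all
      - run: mkdir pdf
      - run: mv *{.svg,.pdf} pdf/.
      - uses: actions/upload-artifact@v4   # hand the output to the deploy job
        with:
          name: pdf
          path: pdf/

  deploy:                     # the only job whose token can write
    needs: build
    if: github.event_name == 'push' && github.ref == 'refs/heads/master' && github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: pdf
          path: pdf
      - uses: peaceiris/actions-gh-pages@v3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./pdf
          force_orphan: true
```

With this layout the LaTeX toolchain and the apt-installed package never execute in a job that holds a write-scoped token, and a skipped deploy job shows up as skipped rather than failing the pull request check.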