From beb18852f6fdad76363fe49cdc9eb192eda7f678 Mon Sep 17 00:00:00 2001
From: Alexander Lanin <Alexander.Lanin@etas.com>
Date: Mon, 15 Jun 2026 23:01:54 +0200
Subject: [PATCH 1/2] chore(docs/cicd): make docs workflow secure

---
 .github/workflows/docs.yml    | 43 -----------------------------------
 .github/workflows/on-docs.yml | 33 +++++++++++++++++++++++++++
 .github/workflows/on-pr.yml   | 18 +++++++++++++++
 3 files changed, 51 insertions(+), 43 deletions(-)
 delete mode 100644 .github/workflows/docs.yml
 create mode 100644 .github/workflows/on-docs.yml

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
deleted file mode 100644
index 46f09bc19ff..00000000000
--- a/.github/workflows/docs.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-# *******************************************************************************
-# Copyright (c) 2025 Contributors to the Eclipse Foundation
-#
-# See the NOTICE file(s) distributed with this work for additional
-# information regarding copyright ownership.
-#
-# This program and the accompanying materials are made available under the
-# terms of the Apache License Version 2.0 which is available at
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# SPDX-License-Identifier: Apache-2.0
-# *******************************************************************************
-
-name: Documentation
-
-permissions:
-  contents: write
-  pages: write
-  pull-requests: write
-  id-token: write
-
-on:
-  pull_request_target:
-    types: [opened, reopened, synchronize] # Handles forked PRs
-  push:
-    branches:
-      - main # docs are built only on push to main branch, for feature branches there are PR builds
-  merge_group:
-    types: [checks_requested]
-  release:
-    types: [created]
-
-jobs:
-  docs-build:
-    uses: eclipse-score/cicd-workflows/.github/workflows/docs.yml@829b3e11ccbf924a5782f7bfed647cb1619fdf78 # v0.0.1
-    permissions:
-      contents: write
-      pages: write
-      pull-requests: write
-      id-token: write
-    with:
-      bazel-target: "//:docs -- --github_user=${{ github.repository_owner }} --github_repo=${{ github.event.repository.name }}"
-      retention-days: 3
diff --git a/.github/workflows/on-docs.yml b/.github/workflows/on-docs.yml
new file mode 100644
index 00000000000..2fa542aba36
--- /dev/null
+++ b/.github/workflows/on-docs.yml
@@ -0,0 +1,33 @@
+# *******************************************************************************
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
+name: Publish Documentation
+
+on:
+  workflow_run:
+    workflows: ["PR"]
+    types:
+      - completed
+
+concurrency:
+  group: pages-deploy
+  cancel-in-progress: false
+
+jobs:
+  docs-deploy:
+    uses: eclipse-score/cicd-workflows/.github/workflows/docs-publish.yml@dev
+    permissions:
+      pages: write
+      id-token: write
+      contents: write
+      pull-requests: write
diff --git a/.github/workflows/on-pr.yml b/.github/workflows/on-pr.yml
index e4009cba6a3..18fb1ee100f 100644
--- a/.github/workflows/on-pr.yml
+++ b/.github/workflows/on-pr.yml
@@ -54,3 +54,21 @@ jobs:
 
   bazel-lock:
     uses: eclipse-score/cicd-workflows/.github/workflows/bzlmod-lock-check.yml@93aac16ada7d247bbb6ae926509ddea74cf5213a # main in 2026-06-11
+
+  docs-build:
+    name: Build documentation
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out
+        uses: actions/checkout@v6
+
+      - name: Build documentation
+        run: bazel run //:docs
+
+      - name: Upload documentation artifact
+        uses: actions/upload-artifact@v7
+        with:
+          name: github-pages
+          path: _build
+          retention-days: 1
+          if-no-files-found: error

From a6f3fe707dc7f78dbfa23e951c9b14d32c65ff3c Mon Sep 17 00:00:00 2001
From: Alexander Lanin <Alexander.Lanin@etas.com>
Date: Tue, 16 Jun 2026 14:16:30 +0200
Subject: [PATCH 2/2] reusable docs

---
 .github/workflows/on-pr.yml | 16 +---------------
 1 file changed, 1 insertion(+), 15 deletions(-)

diff --git a/.github/workflows/on-pr.yml b/.github/workflows/on-pr.yml
index 18fb1ee100f..9b557081a2d 100644
--- a/.github/workflows/on-pr.yml
+++ b/.github/workflows/on-pr.yml
@@ -57,18 +57,4 @@ jobs:
 
   docs-build:
     name: Build documentation
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out
-        uses: actions/checkout@v6
-
-      - name: Build documentation
-        run: bazel run //:docs
-
-      - name: Upload documentation artifact
-        uses: actions/upload-artifact@v7
-        with:
-          name: github-pages
-          path: _build
-          retention-days: 1
-          if-no-files-found: error
+    uses: eclipse-score/cicd-workflows/.github/workflows/docs.yml@dev