The yq JSON roundtrip was mangling the entire mkdocs.yml file
(indentation, quoting, comments), causing mike deploy to fail.
Extract a Python script that surgically replaces only the Dev Notes
nav block, leaving all other content byte-identical.
- Update post date from 2026-03-11 to 2026-04-14 so it appears as the
newest post on the devnotes page.
- Replace raw <img> tags with markdown image syntax so mkdocs rewrites
relative paths correctly for the blog plugin's slug-based URLs.
- Overlay mkdocs.yml from HEAD in publish-devnotes workflow so new nav
entries are included in devnotes-only rebuilds.
* ci: add workflow to publish devnotes independently of releases
Adds a GitHub Actions workflow that rebuilds the `latest` docs alias
when devnotes change on main, so blog posts go live without cutting
a package release.
* ci: pin actions to commit SHAs and restrict default permissions
Address Greptile review findings:
- Pin checkout, setup-uv, and download-artifact to commit SHAs
matching the pattern from #517
- Add top-level permissions: {} to restrict default token scope
* ci: build devnotes from last deployed state, not main
Instead of building the full site from main (which could include
unreleased docs), checkout the commit that latest was last built
from (tracked in gh-pages commit messages) and overlay only
docs/devnotes/ from main. Download notebooks from the last
successful build-docs run instead of rebuilding them.
* ci: add actions:read permission for notebook download
The gh run list/download calls need actions:read on GITHUB_TOKEN,
which is denied by the top-level permissions: {} block.
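
Added example, not part of the original commit or the project's code: a stdlib-only Python check for the hardening described above (actions pinned to commit SHAs, top-level permissions: {}, and actions: read where gh run list/download is used). The sample workflow, its action names and the SHA are constructed for illustration, and the matching is a line-based heuristic rather than a YAML parser.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full commit SHA; tags/branches are mutable
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
TOP_PERMS_RE = re.compile(r"^permissions:\s*(.*?)\s*(?:#.*)?$")  # column 0 = workflow level
GH_RUN_RE = re.compile(r"\bgh run (?:list|download)\b")
ACTIONS_READ_RE = re.compile(r"^\s+actions:\s*(?:read|write)\b", re.M)

# Constructed sample workflow; action names and the SHA are illustrative only.
SAMPLE = """\
name: publish-devnotes
on:
  push:
    branches: [main]
permissions: {}
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@0123456789abcdef0123456789abcdef01234567
      - run: gh run download "$RUN_ID" --name notebooks
"""

def audit_workflow(text):
    """Return (line_number, finding) pairs; line 0 means a file-level finding."""
    findings, top_perms = [], None
    for n, line in enumerate(text.splitlines(), 1):
        m = TOP_PERMS_RE.match(line)
        if m:
            top_perms = m.group(1)
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # not a step, or a local action / image reference
        ref = m.group(1).partition("@")[2]
        if not SHA_RE.match(ref):
            findings.append((n, f"action not pinned to a commit SHA: {m.group(1)}"))
    if top_perms != "{}":
        findings.append((0, "top-level permissions is not {}"))
    elif GH_RUN_RE.search(text) and not ACTIONS_READ_RE.search(text):
        # With an empty default scope, gh run list/download needs actions: read.
        findings.append((0, "gh run used but no job grants actions: read"))
    return findings

if __name__ == "__main__":
    for lineno, msg in audit_workflow(SAMPLE):
        print(f"line {lineno}: {msg}")
```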