ci: use current docs helper for release snapshots

[willkill07]

Overview

Fix manual Fern release snapshot reruns for historical tags. The release job should read documentation from the selected tag, but it must use the current workflow helper script so older tags can be repaired after workflow fixes land.

• I confirm this contribution is my own work, or I have the right to submit it under this project's license.
• I searched existing issues and open pull requests, and this does not duplicate existing work.

Details

• Add a separate workflow-checkout in release-version-docs for current workflow tooling.
• Keep source-checkout pinned to the selected release tag so the docs content remains tag-sourced.
• Invoke sync_fern_docs_branch.py from workflow-checkout, fixing manual reruns such as tag=0.3.0 where the tag contains an older helper that does not support --source-root.

Validation:

• Reproduced the failing shape from https://github.com/NVIDIA/NeMo-Relay/actions/runs/26668928588/job/78608028705: source checkout from 0.3.0, helper script from current branch, release-version --source-root ... --tag 0.3.0.
• Verified the snapshot writes fern/pages-v0.3.0 with the detailed release highlights.
• ruby -e 'require "yaml"; Dir[".github/workflows/*.{yml,yaml}"].each { |f| YAML.load_file(f) }; puts "yaml-ok"'
• uv run pre-commit run --files .github/workflows/fern-docs.yml
• uv run pre-commit run --all-files

Where should the reviewer start?

Start with .github/workflows/fern-docs.yml in the release-version-docs job. The important detail is that workflow tools and release docs content now come from different checkouts.

Related Issues: (use one of the action keywords Closes / Fixes / Resolves / Relates to)

• Relates to: https://github.com/NVIDIA/NeMo-Relay/actions/runs/26668928588/job/78608028705

Summary by CodeRabbit

• Chores
  • Updated internal CI/CD workflow configuration for documentation synchronization processes.

Note: This release contains no end-user visible changes. Updates are limited to workflow infrastructure improvements.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: aa70fb95-aabb-444f-9fc8-b03daa17e7de

📥 Commits

Reviewing files that changed from the base of the PR and between 9481899 and c6fa56b.

📒 Files selected for processing (1)

• .github/workflows/fern-docs.yml

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Check / Run

🧰 Additional context used

📓 Path-based instructions (3)

.github/workflows/*.{yml,yaml}

📄 CodeRabbit inference engine (.agents/skills/maintain-ci/SKILL.md)

.github/workflows/*.{yml,yaml}: Put permissions: on each job that needs token access in GitHub Actions workflows
Avoid workflow-level permissions unless the repository intentionally centralizes them and the inheritance tradeoff is documented
Keep third-party actions pinned to full commit SHAs and preserve the readable version comment after the SHA
Prefer action-native or ecosystem-native caching over generic actions/cache
Use lockfiles or dependency manifests to drive cache invalidation in GitHub Actions workflows
Keep deploy and publish permissions isolated to the jobs that need them in GitHub Actions
Read both caller and callee when a workflow uses workflow_call in GitHub Actions
Put release-tag validation in the earliest practical caller job when the pipeline has tag-based publish behavior
Keep release-tag policy aligned with RELEASING.md: raw SemVer tags only, no leading v
contents: read is the default minimum permission for checkout-based build, test, docs, and packaging jobs
pull-requests: read is required for PR metadata lookup jobs in GitHub Actions workflows
pages: write and id-token: write should be limited to Pages deployment jobs and callers that invoke them through reusable workflows
For reusable workflows, the caller must grant every permission the called jobs require; the callee cannot elevate beyond what the caller provides
Prefer astral-sh/setup-uv cache support with cache-dependency-glob anchored to uv.lock
Prefer Swatinem/rust-cache with explicit shared-key and workspaces instead of ad hoc target-directory caching
Avoid caching generated outputs that can hide stale behavior unless the repo already relies on them deliberately

Files:

• .github/workflows/fern-docs.yml

.{github/workflows/*.{yml,yaml},gitlab-ci.yml}

📄 CodeRabbit inference engine (.agents/skills/maintain-packaging/SKILL.md)

Ensure CI workflows reference the same package names, install commands, and build commands as local development workflows

Files:

• .github/workflows/fern-docs.yml

{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}

⚙️ CodeRabbit configuration file

{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}: Review automation changes for reproducibility, pinned versions where appropriate, secret handling, and consistency with the documented validation matrix.
Pay attention to commands that need generated native artifacts, FFI libraries, or platform-specific environment variables.

Files:

• .github/workflows/fern-docs.yml

🧠 Learnings (1)

📚 Learning: 2026-05-03T04:23:07.497Z

Learnt from: willkill07
Repo: NVIDIA/NeMo-Flow PR: 46
File: .github/workflows/ci_rust.yml:31-64
Timestamp: 2026-05-03T04:23:07.497Z
Learning: In GitHub Actions workflow YAML, it’s valid to conditionally disable a service container by setting the service container’s `image` to an empty string (`''`) via a matrix variable (e.g., `redis_service_image: ''`). This intentionally makes the runner skip service initialization for that matrix entry rather than failing the job. When reviewing workflows, don’t flag this as an error if the workflow uses an empty `image` to disable the service on specific matrix entries (e.g., OS-specific setups); verify the `image` is sourced from the matrix variable and that the service is only expected to be available when a non-empty image is provided.

Applied to files:

• .github/workflows/fern-docs.yml

🔇 Additional comments (2)

.github/workflows/fern-docs.yml (2)

401-407: Confirm workflow-checkout resolves to the intended ref on tag-push triggers.

This step omits ref:, so it checks out github.ref. For workflow_dispatch reruns of historical tags (run on main), that correctly pulls the current helper — the fix you want. But on an actual tag-push trigger (github.ref_type == 'tag'), github.ref is the tag itself, so workflow-checkout and source-checkout resolve to the same tag and the "current helper" isolation provides no benefit. That matches the stated intent (the broken-helper case is only reachable via manual reruns), so this is likely fine — just confirming the assumption is deliberate.

Pinned SHA, persist-credentials: false, and per-job contents: write are all consistent with the repo's conventions here.

---

483-486: LGTM!

---

Walkthrough

The release-version-docs workflow job now checks out workflow tooling into an isolated workflow-checkout directory with credentials disabled, and updates the docs sync script invocation to reference the full path from that directory.

Changes

Workflow Tools Isolation

Layer / File(s)	Summary
Workflow checkout and script path resolution .github/workflows/fern-docs.yml	Adds a checkout step for workflow tools into workflow-checkout with persist-credentials: false, and updates the docs sync script path to resolve from $GITHUB_WORKSPACE/workflow-checkout/scripts/docs/sync_fern_docs_branch.py.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• NVIDIA/NeMo-Relay#194: Modifies the same workflow and sync_fern_docs_branch.py script invocation path with additional arguments like --source-root.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title follows Conventional Commits format with 'ci' type and concise imperative summary, under 72 characters, no trailing period.
Description check	✅ Passed	Description includes all required sections (Overview, Details, Where to start, Related Issues) with comprehensive context and validation steps.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}