03 — Deployment & Management
Pipeline
Section titled “Pipeline”Local edit → git push → GitHub PR ↓GitHub Actions: mkdocs build --strict (validates links, syntax) ↓Cloudflare Pages: build preview deployment for the PR ↓Reviewer reads preview URL (gated by Access) ↓Merge to main → Pages builds production → docs.adventive.devGitHub Actions workflow
Section titled “GitHub Actions workflow”.github/workflows/build.yml:
name: Validate docs buildon: pull_request: branches: [main]
jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 with: python-version: "3.12" - run: pip install -r requirements.txt - run: mkdocs build --strict # fails on broken links, missing filesStrict mode catches broken internal links before they hit production. This is the single most useful CI gate — Markdown drift across 50+ files will produce broken links eventually.
DNS & TLS
Section titled “DNS & TLS”- DNS:
docs.adventive.devCNAME →adventive-engineering-docs.pages.dev(Cloudflare creates this automatically when the custom hostname is added to the Pages project; the zone is already on Cloudflare). - TLS: handled by Cloudflare. Universal cert. The
.devTLD is on the HSTS preload list — every connection is HTTPS by default. - WAF: default Pages protections. No additional rules needed for a static site.
Observability (per house standard, telemetry against New Relic)
Section titled “Observability (per house standard, telemetry against New Relic)”For a static read-only site, the bar is low — but follow the house standard of designing telemetry intentionally:
| Signal | Source | Why it matters |
|---|---|---|
| Request volume + 4xx/5xx rate | Cloudflare Pages analytics (free) | Tells us whether the site is reachable and being read |
| Access denials | Cloudflare Access logs | Detects unauthorized attempts; confirms the gate works |
| Build failures | GitHub Actions + Pages build status | Catches mkdocs errors before content drifts |
| Page-level engagement (optional) | New Relic Browser agent | Only add if a stakeholder asks for “which docs are read” — otherwise overkill |
Default: skip the New Relic Browser agent for v1. Re-evaluate after 90 days if engagement data becomes a business question.
Backup & recovery
Section titled “Backup & recovery”The repo IS the backup. GitHub holds full history. To restore from total loss:
git clone git@github.com:adventive/adventive-engineering-docs.git- Reconnect Pages to the repo
- Reapply Cloudflare Access policy (saved as code in this folder; see
04-runbook.md)
RTO: < 30 minutes. RPO: 0 (last commit).
Rollback
Section titled “Rollback”Cloudflare Pages keeps deployment history. To roll back: Pages → Deployments → pick prior good deployment → “Rollback to this deployment”. Fast and reversible — no DNS change required.
| Component | Cost |
|---|---|
| Cloudflare Pages | $0 (free tier covers our volume by ~1000x) |
| Cloudflare Access | $0 incremental (covered by existing Zero Trust seats) |
| GitHub Actions | $0 (private repo, well within free minute allowance) |
| Domain | already owned |
| Total | ~$0/month |