ci: publish per-tag web client and seed /client/stable/

[yanziz-nvidia]

Summary

• Add tag trigger (v[1-9]*.[0-9]*.[0-9]*) to docs.yaml so each release tag publishes the web client to /client/<tag>/ (e.g. /client/v1.1.5/), alongside the existing /client/main/ and /client/release-x.y.z/ paths.
• On tag push, also (re)point /client/stable/ at the highest v* tag — backports to older lines won't drag stable backward.
• New promote-stable-client.yaml workflow re-resolves /client/stable/ on tag deletion (rollback path) and on manual workflow_dispatch. Tag creation is handled by docs.yaml.
• Release-branch deploys no longer rewrite the root /client/index.html; only main owns it. Self-heals on the next main push.

Held for follow-up

The root /client/ redirect is intentionally left at → ./main/ for now. Users on main are pulling 1.2.x fixes that aren't yet in tagged 1.1.x; flipping the root to ./stable/ today would regress them. Once v1.2.0 is tagged, the flip is a one-line PR (change the meta http-equiv value in the heredoc).

Resulting layout

Path	Source
/client/	redirect → /client/main/ (flip → ./stable/ in follow-up)
/client/stable/	redirect → /client/<highest v*>/ (new)
/client/v1.1.5/, /client/v1.0.193/ …	per-tag, immutable (new)
/client/main/	branch HEAD of main (unchanged)
/client/release-1.3.x/	branch HEAD, pre-tag preview (unchanged)

Test plan

• Push a throwaway v0.0.1-test tag against a sandbox repo / fork: confirm client/v0.0.1-test/ lands and client/stable/ redirects to whichever real tag wins sort -uV | tail.
• Delete the throwaway tag: confirm promote-stable-client.yaml fires and client/stable/ rewrites back.
• Push to main: confirm client/main/ updates and client/index.html still redirects to ./main/ (no premature flip).
• Push to release/1.3.x (or wait for next sync): confirm client/release-1.3.x/ updates and client/index.html is not touched.
• workflow_dispatch of promote-stable-client.yaml: confirm it resolves and pushes without errors.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Enhanced deployment workflow to organize releases into versioned paths based on git tags
  • Introduced automatic stable version routing that points users to the latest available release
  • Added automatic pointer updates when releases are deleted to maintain version consistency

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds version-aware documentation deployment to GitHub Pages. The main workflow now detects tag pushes matching v<major>.<minor>.<patch> patterns and deploys the built web app under docs/build/client/<version>/. A new conditional step resolves the latest v* tag from the remote and writes docs/build/client/stable/index.html as a redirect to that version, establishing a stable URL. A supplementary workflow runs on tag deletion to re-resolve and update the stable pointer, ensuring it always points to the highest remaining version.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title clearly and specifically describes the main changes: adding per-tag web client publishing and seeding the /client/stable/ redirect path.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch yanziz/web-stable-version

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/docs.yaml:
- Around line 25-26: The workflow's tag filter must match the publish trigger to
avoid selecting non-semver tags (e.g., v2-dev) for client/stable; update the
tags pattern here to the stricter semver regex used by the publish step (the
same 'v[1-9]*.[0-9]*.[0-9]*' / semver pattern) or add an explicit semver
validation before computing stable_slug so stable_slug only points to tags that
were actually published; modify the YAML tags entry or the stable_slug selection
logic (where stable_slug is computed) to enforce the same semver constraint.
- Around line 189-193: Update the checkout step to pin actions/checkout to a
full commit SHA and add persist-credentials: false (change the step using
actions/checkout@v6 to the exact commit SHA and include persist-credentials:
false) so the step doesn't leak write credentials; also make the tag selector
used with git ls-remote (the command that currently uses 'v[1-9]*') match the
workflow trigger regex (v[1-9]*\.[0-9]*\.[0-9]*) so stable tag resolution only
considers tags the workflow deploys (adjust the git ls-remote pattern to
'v[1-9]*\.[0-9]*\.[0-9]*').

In @.github/workflows/promote-stable-client.yaml:
- Line 67: The workflow currently uses the mutable tag "uses:
peaceiris/actions-gh-pages@v4"; replace each occurrence of that string with the
same action pinned to the full commit SHA (e.g. "uses:
peaceiris/actions-gh-pages@<full-commit-sha>") by looking up the canonical
commit for v4 in the peaceiris/actions-gh-pages repository and substituting the
tag with the immutable SHA in all workflows that reference it.
- Around line 31-33: Pin the workflow actions to immutable commit SHAs and
disable credential persistence: replace the floating action references
(actions/checkout@v6 and peaceiris/actions-gh-pages@v4) with their corresponding
commit SHAs, and add persist-credentials: false under the actions/checkout step
to avoid leaving the GITHUB_TOKEN available to subsequent steps; update the
peaceiris/actions-gh-pages reference to the specific commit SHA as well so both
actions are fixed to exact commits.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ce90c6b6-04d9-4826-addc-1ea5dfee213e

📥 Commits

Reviewing files that changed from the base of the PR and between 08babf4 and 4991411.

📒 Files selected for processing (2)

• .github/workflows/docs.yaml
• .github/workflows/promote-stable-client.yaml