From b4d8af722838c3bbfa41b21eb4853b1edad20b06 Mon Sep 17 00:00:00 2001
From: Nikita Ivanov <kesha.plovec02@gmail.com>
Date: Sat, 2 May 2026 13:26:04 +0000
Subject: [PATCH] fix(ci): stage prod deploy to _site/ so install.sh ships to
 gh-pages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous deploy used folder: . which rsynced the repo's root
.gitignore into the gh-pages temp clone. The action's git add --all
then honored that .gitignore and excluded install.sh — making
https://agentlinux.org/install.sh return 404 (the canonical curl-pipe
URL was broken after the gh-pages migration in #4).

Anchoring install.sh in #9 was a partial fix (cleaner intent on master)
but did not solve the root issue, since /install.sh still matches the
file at the rsync target's root.

Stage only the served files into _site/ — no .gitignore is shipped, so
git add --all in the temp clone happily includes _site/install.sh.

Side benefit: gh-pages and agentlinux.org no longer publish plugin/,
docs/, .planning/, CLAUDE.md, etc. — the security review's hygiene
note from #4 is now addressed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/deploy.yml | 30 +++++++++++++++++++++---------
 1 file changed, 21 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 937d750..80708d4 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -23,18 +23,30 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      # Pattern 5 (Pitfall 7 anti-drift) — the canonical curl-installer lives
-      # at packaging/curl-installer/install.sh (Plan 06-02). Pages must serve
-      # those exact bytes at agentlinux.org/install.sh so the documented
-      # `curl https://agentlinux.org/install.sh | sudo bash` UX works. A
-      # sync-on-deploy `cp` avoids two maintained copies (the repo-root copy
-      # is gitignored and CI-generated on every Pages deploy).
-      - name: Stage install.sh for GH Pages (Pattern 5 — Pitfall 7 anti-drift)
-        run: cp packaging/curl-installer/install.sh install.sh
+
+      # Stage only the served files into _site/ so that:
+      #   1. The repo's root .gitignore (which ignores install.sh) is NOT
+      #      shipped to gh-pages — otherwise the action's `git add --all`
+      #      runs inside a tree that ignores the very file we're trying
+      #      to publish, and `agentlinux.org/install.sh` 404s.
+      #   2. Repo bloat (plugin/, .planning/, docs/, etc.) does not get
+      #      published at agentlinux.org/<dir>/.
+      # Pattern 5 (Pitfall 7 anti-drift): install.sh comes from the single
+      # editable source at packaging/curl-installer/install.sh.
+      - name: Assemble site bundle
+        run: |
+          mkdir -p _site
+          cp packaging/curl-installer/install.sh _site/install.sh
+          cp index.html _site/
+          cp CNAME _site/
+          cp sitemap.xml _site/
+          cp robots.txt _site/
+          cp -r assets _site/
+
       - name: Deploy to gh-pages branch
         uses: JamesIves/github-pages-deploy-action@v4
         with:
-          folder: .
+          folder: _site
           branch: gh-pages
           # clean-exclude protects pr-preview/* from being wiped by prod deploys.
           # Without this, every push to master would delete all open PR previews.