
feat: GitHub Pages docs site with MkDocs Material (closes #347) #1186

Merged
imran-siddique merged 2 commits into microsoft:main from tomjwxf:feat/github-pages-docs
Apr 17, 2026

@tomjwxf tomjwxf commented Apr 16, 2026

Summary

Closes #347. Adds a production-grade documentation site using MkDocs Material, organizing AGT's extensive existing documentation into a structured, searchable, navigable site.

66 pages organized into 7 sections. Zero new content written. This is purely a publishing, navigation, and presentation improvement over the existing docs.

What's included

Site structure

| Section | Pages | Content source |
|---|---|---|
| Getting Started | 3 | QUICKSTART.md, docs/ARCHITECTURE.md, docs/GLOSSARY.md |
| Packages | 11 | packages/*/README.md |
| Tutorials | 28 | docs/tutorials/*.md (all 27 + index) |
| Deployment | 5 | docs/deployment/*.md |
| Security | 4 | docs/THREAT_MODEL.md, OWASP-COMPLIANCE.md, security-scanning.md, tenant-isolation |
| Architecture Decisions | 5 | docs/adr/*.md |
| Reference | 5 | BENCHMARKS.md, COMPARISON.md, nist-rfi-mapping.md, CHANGELOG.md, CONTRIBUTING.md |

MkDocs Material features

  • Dark / light mode toggle
  • Instant navigation (no full page reloads)
  • Built-in search with suggestions and highlighting
  • Code block copy buttons
  • Sticky navigation tabs
  • Table of contents with scroll tracking
  • Edit-on-GitHub links for every page
  • Mobile-responsive

Deployment

GitHub Actions workflow at `.github/workflows/docs.yml`:

  • Triggers on push to main (when docs change)
  • Also supports manual trigger via workflow_dispatch
  • Builds with MkDocs Material + minify plugin
  • Deploys to GitHub Pages via actions/deploy-pages
  • Build time: ~4.5 seconds

How content is organized

All content comes from existing repo files. The `site/docs/` directory contains copies organized for MkDocs navigation. The 27 tutorials are categorized into 4 groups (Foundations, Security, Advanced Patterns, SDK Guides) with a table-of-contents index page.

Each package gets its own page sourced from its README.md. Deployment guides, security docs, and ADRs each have index pages for navigation.

Testing

```bash
pip install mkdocs-material mkdocs-minify-plugin
mkdocs build --config-file mkdocs.yml --site-dir _site

# Documentation built in 4.55 seconds, zero errors
```

Only warnings are anchor-link mismatches in existing tutorial content (not introduced by this PR).

Acceptance criteria from #347

  • Repository has a GitHub Pages deployment workflow
  • A public docs homepage is published from the repo
  • Existing docs are organized into a clear navigation structure
  • Site includes: overview, quick start, architecture, tutorials/guides, and package navigation
  • Search
  • Automatic deployment on merge to main

Notes

  • The Ecosystem Integrations section on the landing page includes links to protect-mcp, SINT Protocol, and other governed examples that are already merged into the repo
  • `docs_dir: site/docs` keeps the MkDocs source separate from the existing `docs/` directory to avoid conflicts with any tooling that currently reads `docs/` directly
  • @Ricky-G reopened Create a GitHub Pages site for project docs and onboarding #347 after the previous PR didn't go through. This is a fresh implementation following @imran-siddique's guidance that "a dedicated GitHub Pages site would still be valuable"

@github-actions

Welcome to the Agent Governance Toolkit! Thanks for your first pull request.
Please ensure tests pass, code follows style (ruff check), and you have signed the CLA.
See our Contributing Guide.

@github-actions github-actions Bot added the labels documentation (Improvements or additions to documentation), ci/cd (CI/CD and workflows), security (Security-related issues) and size/XL (Extra large PR, 500+ lines) Apr 16, 2026

@github-actions github-actions Bot left a comment

🤖 AI Agent: code-reviewer

Pull Request Review: feat: GitHub Pages docs site with MkDocs Material (closes #347)

Overview

This PR introduces a GitHub Pages documentation site using MkDocs Material, organizing the repository's existing documentation into a structured, searchable, and navigable format. While this PR does not introduce new content, it significantly improves the accessibility and usability of the existing documentation.


🔴 CRITICAL

No critical security issues were identified in this PR. The changes are primarily related to documentation and CI/CD workflows for deployment.


🟡 WARNING

  1. Potential Breaking Change: Directory Structure
    • The introduction of the site/docs/ directory for MkDocs source files may conflict with existing tooling or scripts that rely on the docs/ directory. Ensure that any internal or external dependencies on the docs/ directory are updated accordingly.
    • Action: Verify that no existing workflows, scripts, or integrations depend on the docs/ directory structure.

💡 SUGGESTIONS

  1. Anchor-Link Warnings

    • The PR mentions warnings about anchor-link mismatches in tutorial content. While these issues are pre-existing, they could negatively impact the user experience on the new documentation site.
    • Action: Consider addressing these anchor-link mismatches in a follow-up PR to ensure a seamless navigation experience.
  2. Security Documentation Visibility

    • The "Security" section includes critical files like THREAT_MODEL.md and OWASP-COMPLIANCE.md. These are highly relevant to the security posture of the project.
    • Action: Highlight the "Security" section prominently on the homepage or navigation bar to ensure users can easily locate it.
  3. Testing Coverage

    • While the PR includes basic testing for the MkDocs build process, it does not mention testing the deployed site for functionality (e.g., search, navigation, responsiveness).
    • Action: Perform end-to-end testing of the deployed site to verify that all features (search, navigation, mobile responsiveness, etc.) work as intended.
  4. Documentation Versioning

    • As the project evolves, documentation updates may need to be versioned to align with specific releases of the library.
    • Action: Consider implementing versioning for the documentation site (e.g., using MkDocs Material's versioning plugin) to allow users to access docs relevant to specific library versions.
  5. Security of GitHub Pages Deployment

    • The deployment workflow uses actions/deploy-pages. While this is a standard approach, ensure that the GitHub Pages deployment is configured securely (e.g., restrict write access to the gh-pages branch).
    • Action: Audit the gh-pages branch permissions to ensure only authorized workflows and users can modify it.
  6. Documentation Contribution Guidelines

    • The PR mentions an "Edit-on-GitHub" link for every page. While this is a great feature, it would be helpful to include clear contribution guidelines for documentation updates.
    • Action: Add a section to CONTRIBUTING.md outlining best practices for contributing to the documentation.

Additional Notes

  • The PR meets all acceptance criteria outlined in #347.
  • The use of MkDocs Material is a solid choice for creating a professional and user-friendly documentation site.
  • The deployment workflow appears efficient, with a build time of ~4.5 seconds.

Summary of Feedback

  • 🟡 WARNING: Verify directory structure changes to avoid breaking existing workflows.
  • 💡 SUGGESTION: Address anchor-link warnings, enhance security documentation visibility, test deployed site functionality, consider documentation versioning, audit GitHub Pages deployment security, and add contribution guidelines.

This PR is well-implemented and provides significant value to the project by improving documentation accessibility and usability. With minor adjustments and follow-up actions, the documentation site can become a robust resource for users and contributors.

github-actions Bot commented Apr 16, 2026

🤖 AI Agent: security-scanner — Security Review of PR: feat: GitHub Pages docs site with MkDocs Material

Security Review of PR: feat: GitHub Pages docs site with MkDocs Material

This PR primarily introduces a documentation site using MkDocs Material and a GitHub Actions workflow to deploy the site to GitHub Pages. While the changes are largely related to documentation and CI/CD, we must still evaluate the PR for potential security risks, as this repository is a critical security-focused project.


Findings

1. Credential Exposure in GitHub Actions Workflow

  • Severity: 🔵 LOW
  • Issue: The GitHub Actions workflow (.github/workflows/docs.yml) includes the id-token: write permission under permissions. While this is required for deploying to GitHub Pages, it could potentially be abused if the workflow is compromised.
  • Attack Vector: If an attacker gains access to the repository or modifies the workflow, they could misuse the id-token permission to escalate privileges or access restricted resources.
  • Recommendation:
    • Restrict write permissions to the pages scope only, as this is the only required permission for GitHub Pages deployment.
    • Add branch protection rules to ensure that only authorized users can modify the workflow file.
    • Consider using OpenID Connect (OIDC) with a specific audience restriction to limit the scope of the token.

2. Potential for Supply Chain Risks

  • Severity: 🟠 HIGH
  • Issue: The workflow installs dependencies (mkdocs-material and mkdocs-minify-plugin) directly from PyPI without pinning specific versions. This introduces a risk of dependency hijacking or malicious updates.
  • Attack Vector: If a malicious actor compromises the PyPI repository or publishes a malicious package with the same name, it could execute arbitrary code during the build process.
  • Recommendation:
    • Pin specific versions of the dependencies in the pip install command (e.g., mkdocs-material==X.Y.Z).
    • Use a dependency scanner to verify the integrity of the dependencies (e.g., pip-audit or safety).
    • Consider using a private PyPI mirror or a dependency lock file to ensure only trusted versions are installed.

3. Potential for Race Conditions in Deployment

  • Severity: 🟡 MEDIUM
  • Issue: The concurrency setting in the workflow is configured with cancel-in-progress: false. This means that if multiple commits are pushed to the main branch in quick succession, multiple workflows could run concurrently, potentially causing race conditions or inconsistent deployments.
  • Attack Vector: If two workflows run concurrently, one could overwrite the other's deployment artifacts, leading to an inconsistent or incomplete documentation site.
  • Recommendation:
    • Set cancel-in-progress: true in the concurrency block to ensure that only the latest workflow runs and cancels any in-progress workflows for the same branch.

4. Lack of Integrity Checks for Deployed Artifacts

  • Severity: 🟡 MEDIUM
  • Issue: The workflow does not include any integrity checks for the generated documentation artifacts before deploying them to GitHub Pages.
  • Attack Vector: If the build process is compromised (e.g., via a malicious dependency or unauthorized access), the deployed documentation could be tampered with, potentially misleading users or introducing malicious content.
  • Recommendation:
    • Generate a checksum (e.g., SHA-256) for the _site directory after building the documentation and verify it before deployment.
    • Store the checksum in a secure location (e.g., a private repository or a secure artifact store) for comparison.

5. Potential for Sensitive Information in Documentation

  • Severity: 🔵 LOW
  • Issue: The documentation site includes a large number of files copied from the repository. While no sensitive information was identified in the provided diff, there is a risk that sensitive information (e.g., secrets, credentials, or internal details) could be inadvertently included in the documentation.
  • Attack Vector: If sensitive information is accidentally included in the documentation, it could be exposed publicly on GitHub Pages.
  • Recommendation:
    • Perform a thorough review of all documentation files to ensure no sensitive information is included.
    • Implement a pre-commit hook or CI check to scan for sensitive information in documentation files before they are committed or deployed.

Summary of Findings

| Finding | Severity | Recommendation |
|---|---|---|
| Credential exposure in GitHub Actions workflow | 🔵 LOW | Restrict id-token permissions and enforce branch protection rules. |
| Supply chain risks from unpinned dependencies | 🟠 HIGH | Pin dependency versions and use a dependency scanner or private PyPI mirror. |
| Potential for race conditions in deployment | 🟡 MEDIUM | Set cancel-in-progress: true in the concurrency block of the workflow. |
| Lack of integrity checks for deployed artifacts | 🟡 MEDIUM | Add checksum generation and verification for the _site directory before deploy. |
| Potential for sensitive information exposure | 🔵 LOW | Review documentation files for sensitive information and implement pre-commit checks. |

Final Recommendation

This PR introduces valuable documentation improvements and a GitHub Pages deployment workflow. However, the identified issues should be addressed before merging to ensure the security of the repository and its downstream users. Specifically:

  1. Pin dependency versions and implement supply chain security measures.
  2. Address potential race conditions in the deployment process.
  3. Add integrity checks for the deployed artifacts.
  4. Review documentation files for sensitive information.

Once these issues are resolved, the PR can be safely merged.
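
Finding 2 in the review above asks for exact version pins in the workflow's `pip install` step. As an added example (not part of the PR, the bot's review, or the project's code), this Python lint flags requirements in workflow text that lack an exact pin; the sample workflow, its file names and the `0.0.0` version are constructed placeholders.

```python
"""Flag `pip install` requirements in CI workflow text that lack an exact pin."""
import re
import shlex
from typing import NamedTuple

# Constructed sample, NOT the PR's docs.yml. The requirements file names are
# hypothetical and 0.0.0 is a placeholder version.
SAMPLE_WORKFLOW = """\
name: docs
on:
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Install docs toolchain
        run: pip install mkdocs-material mkdocs-minify-plugin
      - name: Install with mixed pins
        run: |
          python -m pip install --upgrade "mkdocs-material==0.0.0" \\
            "mkdocs-minify-plugin>=0.1"
          pip install -r requirements-docs.txt
          pip install --require-hashes -r requirements-docs.lock
"""

PIP_INSTALL = re.compile(r"\bpip3?\s+install\b(.*)")
# name[extras]==version or ===version, with no wildcard and no second clause
EXACT_PIN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?===?[^*\s,]+$")
REQ_FILE_OPTS = {"-r", "--requirement"}
OTHER_VALUE_OPTS = {"-c", "--constraint", "-i", "--index-url", "--extra-index-url",
                    "-f", "--find-links", "-t", "--target", "-e", "--editable"}
SHELL_SEPARATORS = {"&&", "||", ";", "|"}


class Finding(NamedTuple):
    line: int          # 1-based line where the pip command starts
    requirement: str   # offending requirement or requirements file
    reason: str


def logical_lines(text):
    """Yield (start_line, text), folding backslash-continued shell lines."""
    buf, start = "", 0
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            start = number
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""
    if buf:
        yield start, buf


def find_unpinned(workflow_text):
    """Return a Finding for every requirement that is not pinned with ==."""
    findings = []
    for line_no, line in logical_lines(workflow_text):
        match = PIP_INSTALL.search(line)
        if not match:
            continue
        try:
            tokens = shlex.split(match.group(1))
        except ValueError:  # unbalanced quotes: report instead of guessing
            findings.append(Finding(line_no, match.group(1).strip(),
                                    "unparseable arguments"))
            continue
        hashed = "--require-hashes" in tokens
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            i += 1
            if tok in SHELL_SEPARATORS:
                break                      # a different command follows
            if tok in REQ_FILE_OPTS:
                if i < len(tokens) and not hashed:
                    findings.append(Finding(
                        line_no, tokens[i],
                        "requirements file without --require-hashes"))
                i += 1                     # skip the file name
            elif tok in OTHER_VALUE_OPTS:
                i += 1                     # skip the option's value
            elif tok.startswith("-"):
                continue                   # flag without a value
            elif not EXACT_PIN.match(tok):
                reason = ("range or wildcard, not an exact == pin"
                          if re.search(r"[=<>~!]", tok)
                          else "no version specifier")
                findings.append(Finding(line_no, tok, reason))
    return findings


if __name__ == "__main__":
    for f in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.requirement}: {f.reason}")
```

An exact pin fixes the version but not the file contents; the last sample step, which pairs a lock file with pip's `--require-hashes`, is the form the lint accepts for requirements files.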

@tomjwxf tomjwxf force-pushed the feat/github-pages-docs branch from bde8908 to bb39d6d April 16, 2026 20:19

@github-actions github-actions Bot left a comment

🤖 AI Agent: code-reviewer

Review Summary

This pull request introduces a GitHub Pages documentation site using MkDocs Material, significantly improving the organization, accessibility, and usability of the existing documentation. The implementation appears well-structured and adheres to best practices for documentation sites. However, given the security-sensitive nature of the repository, there are a few areas that warrant closer scrutiny.


🔴 CRITICAL

  1. Environment Variables in Build Process:
    • The SITE_URL environment variable is passed during the mkdocs build step. Ensure that this variable is sanitized and does not introduce any security vulnerabilities, such as exposing sensitive information or enabling injection attacks. If this variable is user-controlled, validate its input rigorously.

🟡 WARNING

  1. Backward Compatibility:
    • The reorganization of documentation files into the site/docs/ directory may break existing workflows or scripts that rely on the previous docs/ directory structure. Ensure that any internal or external dependencies on the docs/ directory are updated accordingly.

💡 SUGGESTIONS

  1. Anchor-Link Mismatches:

    • The PR mentions warnings about anchor-link mismatches in the tutorial content. While these are not introduced by this PR, resolving them would improve the user experience and reduce confusion.
  2. Automated Link Validation:

    • Consider adding a step in the CI pipeline to validate internal and external links in the documentation. This would proactively catch broken links before deployment.
  3. Security Documentation Visibility:

    • The "Security" section is critical for this repository. Consider adding a prominent link to this section on the homepage or navigation bar to ensure users can easily access security-related information.
  4. Search Optimization:

    • While the built-in search functionality is a great addition, ensure that sensitive content (e.g., internal notes or drafts) is excluded from indexing. Verify that the search index only includes publicly intended documentation.
  5. Dark Mode Accessibility:

    • Test the dark mode toggle for accessibility compliance (e.g., WCAG standards). Ensure that text contrast ratios are sufficient for readability.
  6. Testing Coverage:

    • While the PR mentions manual testing of the documentation build process, consider adding automated tests for the MkDocs build step in the CI pipeline. This ensures that future changes to the documentation do not introduce build errors.
  7. Security Headers:

    • Verify that the GitHub Pages deployment includes appropriate security headers (e.g., Content Security Policy, X-Content-Type-Options, etc.) to prevent common web vulnerabilities.

Additional Notes

  • The use of MkDocs Material is a solid choice for creating a professional and user-friendly documentation site. Its features like search, responsive design, and code block copy buttons will enhance the developer experience.
  • The GitHub Actions workflow is well-structured and includes concurrency control, which is a good practice for preventing overlapping deployments.
  • The decision to separate the MkDocs source files into site/docs/ is a thoughtful approach to avoid conflicts with existing tooling.

Action Items

  1. Address the critical issue regarding the SITE_URL environment variable.
  2. Evaluate potential backward compatibility issues due to the reorganization of documentation files.
  3. Consider implementing the suggested improvements for link validation, accessibility, and security.

This PR is a significant improvement to the repository's documentation and aligns well with the project's goals. With the recommended changes, it can be safely merged.

@github-actions github-actions Bot left a comment

🤖 AI Agent: code-reviewer

Review Summary

This pull request introduces a GitHub Pages documentation site using MkDocs Material, organizing the existing documentation into a structured, searchable, and navigable format. While the PR primarily focuses on documentation and CI/CD workflow for deployment, it indirectly impacts the usability and accessibility of the repository. Below is the detailed review based on the focus areas:


🔴 CRITICAL

  1. Security of GitHub Actions Workflow:
    • The permissions block in .github/workflows/docs.yml includes id-token: write. This permission allows the workflow to request an OpenID Connect (OIDC) token, which can be used to authenticate with external services. Ensure that the OIDC token is scoped appropriately and is not exposed to untrusted actions or steps. Misuse of this token could lead to unauthorized access to external systems.
    • Action: Verify that the OIDC token is scoped to the specific use case (e.g., GitHub Pages deployment) and cannot be used for other purposes.

🟡 WARNING

  1. Backward Compatibility:
    • The PR introduces a new directory structure (site/docs/) for organizing documentation. If any existing tooling or scripts rely on the previous docs/ directory structure, this change could break them.
    • Action: Ensure that any internal or external tooling consuming the docs/ directory is updated to accommodate the new structure.

💡 SUGGESTIONS

  1. Anchor-Link Warnings:

    • The testing logs mention anchor-link mismatches in existing tutorial content. While these are not introduced by this PR, fixing them would improve the quality of the documentation.
    • Action: Address the anchor-link mismatches in the tutorial content to eliminate warnings and improve navigation.
  2. Documentation for Workflow:

    • The .github/workflows/docs.yml file lacks inline comments explaining the purpose of each step. Adding comments would make it easier for future contributors to understand and maintain the workflow.
    • Action: Add comments to the workflow file to explain the purpose of each step.
  3. Testing Coverage:

    • While the PR includes manual testing steps for building the documentation, it does not specify automated tests for verifying the integrity of the documentation site (e.g., broken links, missing pages).
    • Action: Consider integrating a tool like linkchecker or html-proofer into the CI/CD pipeline to automatically validate the generated documentation.
  4. Security Documentation:

    • The Security section of the documentation includes important files like THREAT_MODEL.md and OWASP-COMPLIANCE.md. However, there is no mention of how these documents are maintained or updated.
    • Action: Add a note in the documentation about the process for updating security-related documentation, ensuring it remains accurate and up-to-date.
  5. Mobile Responsiveness:

    • While the PR mentions mobile responsiveness as a feature of MkDocs Material, it does not include any testing results for mobile devices.
    • Action: Test the documentation site on various mobile devices and screen sizes to ensure the responsiveness works as expected.
  6. Search Configuration:

    • The built-in search functionality is a valuable feature. However, the PR does not specify if the search index is optimized for specific keywords or phrases relevant to the repository.
    • Action: Review the search configuration and ensure that it prioritizes key terms related to the repository's focus areas (e.g., "policy engine," "SPIFFE," "sandboxing").

Additional Observations

  • Build Time: The documentation build time (~4.5 seconds) is efficient and should not impact the CI/CD pipeline significantly.
  • Content Organization: The proposed structure is logical and aligns well with the repository's focus areas. The inclusion of sections like "Security" and "Architecture Decisions" is particularly valuable for users.

Conclusion

The PR is well-structured and addresses the need for a comprehensive documentation site. However, the identified critical security issue regarding the OIDC token permissions must be addressed before merging. Additionally, the potential breaking change related to the directory structure should be communicated to stakeholders. Implementing the suggested improvements will further enhance the quality and security of the documentation site.

@tomjwxf tomjwxf force-pushed the feat/github-pages-docs branch from 8b35fd7 to 1e2d38d April 16, 2026 20:28

Adds a production-grade documentation site using MkDocs Material.

What's committed (small footprint):
- mkdocs.yml (site config, theme, navigation for 66 pages)
- site/docs/index.md (landing page with ecosystem integrations)
- site/docs/*/index.md (5 section index pages with tables)
- scripts/build-docs.sh (copies existing docs at build time)
- .github/workflows/docs.yml (auto-deploy on merge)
- site/docs/.gitignore (excludes copied content from git)

What's NOT committed (zero duplication):
- Tutorial content (copied from docs/tutorials/ at build time)
- Package READMEs (copied from packages/*/README.md at build time)
- Deployment/security/ADR docs (copied from docs/ at build time)

This means content is maintained in ONE place (the existing docs/
and packages/ directories). The build script copies it into the
MkDocs structure before mkdocs build runs. No dual maintenance.

Site structure: 7 sections, 66 pages
- Getting Started (quickstart, architecture, glossary)
- Packages (11 packages)
- Tutorials (27 guides, categorized)
- Deployment (4 Azure + container guides)
- Security (threat model, OWASP, scanning, tenant isolation)
- Architecture Decisions (4 ADRs)
- Reference (benchmarks, comparison, NIST, changelog, contributing)

MkDocs Material features: dark/light toggle, instant nav, search,
code copy, sticky tabs, mobile-responsive, edit-on-GitHub links.

Build: 4.5 seconds. Zero errors.

Closes microsoft#347.

Signed-off-by: tommylauren <tfarley@utexas.edu>

@tomjwxf tomjwxf force-pushed the feat/github-pages-docs branch from 1e2d38d to 0171da4 April 16, 2026 20:29
@github-actions github-actions Bot added the label size/L (Large PR, < 500 lines) and removed the label size/XL (Extra large PR, 500+ lines) Apr 16, 2026

@github-actions github-actions Bot left a comment

🤖 AI Agent: code-reviewer

Pull Request Review for feat: GitHub Pages docs site with MkDocs Material


🔴 CRITICAL

  1. Sensitive Information Exposure in Documentation:

    • Ensure that no sensitive information (e.g., credentials, private keys, or internal URLs) is accidentally exposed in the documentation files or the GitHub Pages deployment. This is particularly critical for security-related documentation like security-scanning.md and tenant-isolation.md. Double-check these files for any sensitive data leakage.
  2. GitHub Actions Permissions:

    • The permissions block in the workflow grants id-token: write. This permission is sensitive and should only be used if absolutely necessary. If this is not required for the deployment process, remove it to reduce the attack surface.

🟡 WARNING

  1. Backward Compatibility:

    • The reorganization of documentation into the site/docs/ directory may break existing tooling or scripts that rely on the previous docs/ structure. Ensure that any downstream consumers or integrations relying on the old structure are updated accordingly.
  2. Anchor-Link Mismatches:

    • The PR mentions warnings about anchor-link mismatches in existing tutorial content. While these are not introduced by this PR, they could lead to broken links in the published documentation. Address these issues to ensure a seamless user experience.

💡 SUGGESTIONS

  1. Testing Coverage:

    • While the PR mentions that the documentation builds successfully, consider adding automated tests to verify the integrity of the generated documentation. For example:
      • Check for broken links.
      • Validate the structure of the generated site.
      • Ensure that all expected pages are included.
  2. Security Documentation Enhancements:

    • The Security section includes critical files like THREAT_MODEL.md and OWASP-COMPLIANCE.md. Consider adding a disclaimer or warning about the importance of following security best practices when deploying the toolkit.
  3. Search Optimization:

    • MkDocs Material's built-in search is a great feature. To enhance usability, ensure that the search index includes all relevant keywords and metadata from the documentation. This can help users find specific security-related topics more easily.
  4. Accessibility:

    • While MkDocs Material provides mobile responsiveness and accessibility features, consider running an accessibility audit (e.g., using tools like Lighthouse or axe) to ensure compliance with accessibility standards.
  5. Documentation Versioning:

    • If the toolkit evolves rapidly, consider implementing versioning for the documentation. MkDocs Material supports versioning, which can be useful for users working with different versions of the toolkit.
  6. Custom Domain:

    • If not already planned, consider setting up a custom domain for the GitHub Pages site to improve branding and accessibility.

Summary

This PR significantly improves the organization and accessibility of the documentation for the microsoft/agent-governance-toolkit repository. The use of MkDocs Material is a solid choice for creating a professional and user-friendly documentation site. However, there are critical areas to address, such as ensuring no sensitive information is exposed and reviewing permissions in the GitHub Actions workflow. Additionally, potential breaking changes in the documentation structure should be communicated to downstream consumers.

Once the critical issues are resolved, this PR will be a valuable addition to the project.

@github-actions github-actions Bot removed the label security (Security-related issues) Apr 16, 2026

@github-actions github-actions Bot left a comment

🤖 AI Agent: code-reviewer

Feedback on PR: feat: GitHub Pages docs site with MkDocs Material


🔴 CRITICAL: Security Concerns

  1. Sensitive Information in Documentation:

    • Ensure that none of the documentation files inadvertently expose sensitive information such as credentials, API keys, or internal architecture details that could be exploited by attackers. While this PR doesn't introduce new content, the organization and publication of existing files could inadvertently expose sensitive information.

    Action: Conduct a thorough review of all documentation files being published to ensure they don't contain sensitive or proprietary information.


🟡 WARNING: Potential Breaking Changes

  1. Directory Structure Changes:

    • The introduction of the site/docs/ directory and the scripts/build-docs.sh script changes how documentation is organized and accessed. If any tooling or processes rely on the original docs/ directory structure, they may break.

    Action: Verify that no existing workflows, scripts, or integrations depend on the original docs/ directory structure. Communicate this change to all stakeholders.


💡 Suggestions for Improvement

  1. Automated Security Scanning for Documentation:

    • Add a step in the CI pipeline to scan documentation for sensitive information before deployment. Tools like truffleHog or git-secrets can help identify accidental leaks.

    Action: Integrate a security scanning step into the docs.yml workflow.

  2. Documentation Versioning:

    • Consider implementing versioning for the documentation site to allow users to access docs for previous releases of the toolkit. This is particularly important for backward compatibility.

    Action: Use MkDocs Material's versioning plugin or a similar solution to manage documentation versions.

  3. Accessibility Improvements:

    • While MkDocs Material provides a good base for accessibility, ensure that the site adheres to WCAG 2.1 standards. This includes proper color contrast, keyboard navigation, and screen reader compatibility.

    Action: Test the documentation site with accessibility tools like Lighthouse or axe.

  4. Search Optimization:

    • Enhance the search functionality by adding synonyms and aliases for common terms. For example, "sandboxing" could also match "isolation" or "containerization."

    Action: Configure the search plugin to include synonyms for better usability.

  5. Testing for Broken Links:

    • The PR mentions anchor-link mismatches in tutorial content. While these are not introduced by this PR, they should be fixed to ensure a seamless user experience.

    Action: Run a link checker (e.g., linkchecker) on the built site and resolve any broken links.

  6. Security Documentation Enhancements:

    • The security section could benefit from additional details on OWASP Agentic Top 10 compliance and tenant isolation strategies.

    Action: Expand the security documentation to include practical examples and detailed compliance mappings.

  7. Performance Optimization:

    • The mkdocs-minify-plugin is used for HTML minification, but consider additional optimizations like image compression and lazy loading for large assets.

    Action: Audit the site for performance bottlenecks and optimize assets accordingly.


General Observations

  • The PR is well-structured and adheres to best practices for documentation organization and CI/CD workflows.
  • The use of MkDocs Material ensures a professional and user-friendly documentation site.
  • The GitHub Actions workflow is efficient and deploys the site in a streamlined manner.

Summary of Actions

  1. 🔴 Conduct a security review of all documentation files.
  2. 🟡 Verify that directory structure changes don't break existing workflows.
  3. 💡 Implement automated security scanning for documentation.
  4. 💡 Add versioning support for documentation.
  5. 💡 Improve accessibility and search functionality.
  6. 💡 Fix broken links in tutorial content.
  7. 💡 Expand security documentation and optimize site performance.

This PR is a significant improvement to the project's documentation and provides a solid foundation for future enhancements. Addressing the flagged issues will ensure a secure, accessible, and user-friendly experience.

@github-actions github-actions Bot left a comment

🤖 AI Agent: code-reviewer

Review Summary

This pull request introduces a GitHub Pages documentation site using MkDocs Material, significantly improving the organization, navigation, and accessibility of the repository's extensive documentation. The implementation appears robust and adheres to best practices for documentation publishing. However, there are a few areas that warrant attention to ensure security, backward compatibility, and maintainability.


🔴 CRITICAL

  1. Environment Variable Exposure in Build Process:

    • The SITE_URL environment variable is passed directly into the MkDocs build step (mkdocs build --config-file mkdocs.yml --site-dir _site). If this variable is ever dynamically set or manipulated, it could introduce risks such as incorrect URLs or potential injection vulnerabilities. Ensure this variable is sanitized and validated before use.

    Action: Add validation for SITE_URL in the build script or workflow to ensure it matches the expected format (e.g., https://microsoft.github.io/agent-governance-toolkit).


🟡 WARNING

  1. Backward Compatibility:

    • The docs_dir: site/docs configuration in mkdocs.yml separates MkDocs content from the existing docs/ directory. While this avoids conflicts, any tooling or scripts relying on the original docs/ directory may break.

    Action: Document this change in the repository's changelog and notify contributors to update any tooling that directly references the docs/ directory.

  2. GitHub Pages Deployment Workflow:

    • The workflow triggers on changes to site/**, mkdocs.yml, and docs/**. If contributors modify documentation in docs/ without running scripts/build-docs.sh, the deployed site may become inconsistent.

    Action: Add a pre-commit hook or CI step to automatically run scripts/build-docs.sh when docs/ changes are detected.


💡 SUGGESTIONS

  1. Security Documentation Visibility:

    • The "Security" section in the documentation is well-organized but could benefit from additional emphasis on critical topics like sandboxing, tenant isolation, and OWASP compliance.

    Action: Add a dedicated "Security Overview" page that links to all security-related topics and highlights their importance.

  2. Testing Coverage:

    • While the documentation build process was tested locally, there is no mention of automated testing for the documentation site itself (e.g., broken links, navigation issues).

    Action: Integrate a tool like linkchecker or html-proofer into the CI pipeline to validate the generated site for broken links and other issues.

  3. Documentation for Build Process:

    • The scripts/build-docs.sh script is critical for maintaining the documentation site but lacks inline comments explaining its functionality.

    Action: Add comments to the script to clarify its purpose and individual steps, making it easier for contributors to understand and modify.

  4. Search Optimization:

    • MkDocs Material's built-in search is powerful, but it may benefit from additional configuration to prioritize security-related pages or frequently accessed tutorials.

    Action: Configure the search plugin to boost results for pages tagged with "security" or "tutorials."

  5. Mobile Responsiveness Testing:

    • While MkDocs Material is mobile-responsive, there is no mention of testing the site on mobile devices.

    Action: Test the deployed site on various mobile devices and browsers to ensure usability and accessibility.


Final Assessment

This PR is well-implemented and provides significant value by improving documentation accessibility and organization. Addressing the critical and warning issues will ensure the deployment process is secure and backward-compatible. The suggestions provided can further enhance the usability and maintainability of the documentation site.

Recommended Actions:

  • Address the critical issue regarding SITE_URL validation.
  • Document the backward compatibility impact and add safeguards for the build process.
  • Implement automated testing for the documentation site.

Once these adjustments are made, the PR should be ready for approval.
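
One way to implement the SITE_URL check requested in the comment above, as an added example that is not code from the PR or the project. The expected host and path are taken from the example URL in the comment, and the function name `validate_site_url` is hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): allowlist check for SITE_URL before the build.
# Assumption: the only legitimate value is the example URL quoted in the review.
EXPECTED_HOST="microsoft.github.io"
EXPECTED_PATH="/agent-governance-toolkit"

# The body runs in a subshell "( ... )" so LC_ALL and the working variables
# do not leak into the calling script.
validate_site_url() (
  url="$1"
  LC_ALL=C   # byte-wise matching: non-ASCII bytes never fall inside A-Z / a-z

  [ -n "$url" ] || { echo "SITE_URL is empty" >&2; return 1; }

  # Character allowlist. One pass rejects whitespace, newlines, quotes,
  # userinfo (@), query (?), fragment (#) and percent-encoding.
  case "$url" in
    *[!A-Za-z0-9:/._-]*)
      echo "SITE_URL contains disallowed characters" >&2; return 1 ;;
  esac

  # Scheme must be https; strip it to leave "host/path".
  case "$url" in
    https://*) rest="${url#https://}" ;;
    *) echo "SITE_URL must start with https://" >&2; return 1 ;;
  esac

  host="${rest%%/*}"
  case "$rest" in
    */*) path="/${rest#*/}" ;;
    *)   path="" ;;
  esac
  path="${path%/}"   # tolerate exactly one trailing slash

  # Exact comparison, never prefix or substring: a lookalike host such as
  # "microsoft.github.io.evil.example" or an added ":port" must fail.
  [ "$host" = "$EXPECTED_HOST" ] || { echo "unexpected host: $host" >&2; return 1; }
  [ "$path" = "$EXPECTED_PATH" ] || { echo "unexpected path: $path" >&2; return 1; }
  return 0
)

# Usage in the workflow step or build script:
#   validate_site_url "$SITE_URL" && mkdocs build --config-file mkdocs.yml --site-dir _site
```
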

@imran-siddique imran-siddique merged commit f826f11 into microsoft:main Apr 17, 2026
6 of 7 checks passed
imran-siddique added a commit that referenced this pull request Apr 20, 2026
The GitHub Pages MkDocs site (PR #1186) added mkdocs-minify-plugin
to site/requirements.txt. Add it to the registered packages list
so dependency-scan passes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
imran-siddique added a commit to imran-siddique/agent-governance-toolkit that referenced this pull request May 4, 2026
The GitHub Pages MkDocs site (PR microsoft#1186) added mkdocs-minify-plugin
to site/requirements.txt. Add it to the registered packages list
so dependency-scan passes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Labels

ci/cd CI/CD and workflows documentation Improvements or additions to documentation size/L Large PR (< 500 lines)

Development

Successfully merging this pull request may close these issues.

Create a GitHub Pages site for project docs and onboarding