docs(github-actions): add opt-in understand-quickly publish snippet

[amacsmith]

Why

looptech-ai/understand-quickly is a public, machine-readable registry of code-knowledge and code-context artifacts. It indexes Repomix output through its bundle@1 format — a tiny JSON pointer plus a raw URL to the packed body — so AI agents (Claude, Codex, Cursor via MCP) can resolve a repo URL to its Repomix-packed context. The registry stores no bodies; the XML/markdown stays in the user's repo.

This PR documents the opt-in workflow for Repomix users who want their packed output to land in the registry. No CLI changes, no runtime changes — only the GitHub Actions guide gets a new subsection.

What changes

• website/client/src/en/guide/github-actions.md: appends a "Publishing to the understand-quickly registry" subsection (~30 lines of YAML + ~5 lines of prose) showing how to chain the existing yamadashy/repomix/.github/actions/repomix action with the new looptech-ai/uq-publish-action@v0.1.0 Marketplace Action. The snippet builds a small bundle@1 sidecar (file size, generated_at, content_url) and hands it off to publish.

Opt-in / no-op

Submission is gated entirely on the user setting UNDERSTAND_QUICKLY_TOKEN (a fine-grained PAT scoped to looptech-ai/understand-quickly only with Repository dispatches: write). Without the secret, the publish action only stamps metadata locally and exits cleanly. Without the workflow file, nothing changes.

Why no CLI change

The flow is entirely orchestrated in Actions: Repomix already emits the packed body, the Marketplace Action builds the bundle@1 sidecar and posts the dispatch. Keeping the integration on the CI side means no new flag in the CLI surface, no test churn, and no behavior change for anyone not opting in.

Test plan

• Diff is docs-only (39 LoC added to one existing English guide page).
• No tests touched, no package.json/biome changes, no lint impact.
• (Reviewer) Render of the page in the docs preview shows the new section under "Example: Full Workflow".

Notes

• This is opt-in for early adopters; nothing in Repomix's existing surface changes.
• License & data-grant semantics for users who opt in are described in DATA-LICENSE.md and protocol §12 — opt-in, gated on the secret, never invisible.
• Localized copies (de/es/fr/ja/ko/zh-cn/etc.) intentionally omitted; happy to follow up with translations if you'd prefer them in the same PR.

Links

• Registry: https://github.com/looptech-ai/understand-quickly
• Producer protocol: https://github.com/looptech-ai/understand-quickly/blob/main/docs/integrations/protocol.md
• bundle@1 schema: https://github.com/looptech-ai/understand-quickly/blob/main/schemas/bundle@1.json
• Marketplace Action: https://github.com/looptech-ai/uq-publish-action

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8438ba4e-df6b-4ff9-9b7a-13a14e34e2ab

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Added documentation to the GitHub Actions guide describing optional publishing of Repomix output to the understand-quickly registry. Includes a complete example workflow that generates repomix-output.xml, creates a bundle@1 sidecar JSON, and publishes via looptech-ai/uq-publish-action with secret-gated token authentication.

Changes

understand-quickly Registry Publishing Documentation

Layer / File(s)	Summary
Guide Documentation website/client/src/en/guide/github-actions.md	New section explaining optional publishing to understand-quickly registry, complete workflow example with Repomix action, bundle creation, and uq-publish-action integration, plus setup instructions for UNDERSTAND_QUICKLY_TOKEN secret.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

• yamadashy/repomix#510: Extends the same GitHub Actions documentation by adding an opt-in publish workflow and instructions to the guide.

Suggested reviewers

• yamadashy

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: adding documentation for an opt-in understand-quickly publish workflow snippet to the GitHub Actions guide.
Description check	✅ Passed	The description is comprehensive and well-structured, covering rationale, specific changes, opt-in behavior, test plan, and relevant links. However, it does not follow the repository's required template structure with the checklist section.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@website/client/src/en/guide/github-actions.md`:
- Line 158: Update the example `content_url` to use an immutable commit SHA
instead of the branch name: replace the use of `${{ github.ref_name }}` in the
`content_url` string with `${{ github.sha }}` so published registry entries
point to the exact commit; locate the
`content_url:'https://raw.githubusercontent.com/${{ github.repository }}/${{
github.ref_name }}/repomix-output.xml'` example and modify it accordingly.
- Line 147: Replace the floating action refs with pinned commit SHAs: locate the
workflow lines that read "uses: yamadashy/repomix/.github/actions/repomix@main"
(and the other "uses:" occurrence around line 160) and update both to use the
full commit SHA of the exact upstream commit you want to run (e.g.,
".github/actions/repomix@<FULL_COMMIT_SHA>"). Ensure both occurrences are
updated so the workflow uses immutable SHAs rather than "@main" or tag refs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 10cf1170-6c9a-47c2-be4f-6282bb082f02

📥 Commits

Reviewing files that changed from the base of the PR and between fd82811 and 82945bf.

📒 Files selected for processing (1)

• website/client/src/en/guide/github-actions.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# Check if the file exists and read it
fd -t f "github-actions.md" website/

Repository: yamadashy/repomix

Length of output: 760

---

🏁 Script executed:

# Read the specific file with line numbers to verify lines 147 and 160
if [ -f "website/client/src/en/guide/github-actions.md" ]; then
  wc -l "website/client/src/en/guide/github-actions.md"
fi

Repository: yamadashy/repomix

Length of output: 111

---

🏁 Script executed:

# Get content around lines 147 and 160
if [ -f "website/client/src/en/guide/github-actions.md" ]; then
  echo "=== Lines 140-155 ===" && sed -n '140,155p' "website/client/src/en/guide/github-actions.md"
  echo ""
  echo "=== Lines 155-165 ===" && sed -n '155,165p' "website/client/src/en/guide/github-actions.md"
fi

Repository: yamadashy/repomix

Length of output: 1226

---

Pin GitHub Actions by commit SHA in this publish example.

This workflow uses a secret token (secrets.UNDERSTAND_QUICKLY_TOKEN) with GitHub Actions, making it a supply-chain sensitive context. Floating refs (@main) and tag refs (@v0.1.0) instead of full commit SHAs increase the risk of malicious code injection. Documentation should model secure defaults using commit SHAs for both actions on lines 147 and 160.

Proposed doc hardening

-      - uses: yamadashy/repomix/.github/actions/repomix@main
+      - uses: yamadashy/repomix/.github/actions/repomix@<full_commit_sha>

-      - uses: looptech-ai/uq-publish-action@v0.1.0
+      - uses: looptech-ai/uq-publish-action@<full_commit_sha>

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@website/client/src/en/guide/github-actions.md` at line 147, Replace the
floating action refs with pinned commit SHAs: locate the workflow lines that
read "uses: yamadashy/repomix/.github/actions/repomix@main" (and the other
"uses:" occurrence around line 160) and update both to use the full commit SHA
of the exact upstream commit you want to run (e.g.,
".github/actions/repomix@<FULL_COMMIT_SHA>"). Ensure both occurrences are
updated so the workflow uses immutable SHAs rather than "@main" or tag refs.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use an immutable content_url (commit SHA), not branch name.

github.ref_name points to a moving branch tip, so previously published registry entries may later resolve to different content. Use ${{ github.sha }} in the raw URL so each published bundle is permanently tied to the exact commit.

Proposed doc snippet update

-              content_url:'https://raw.githubusercontent.com/${{ github.repository }}/${{ github.ref_name }}/repomix-output.xml'
+              content_url:'https://raw.githubusercontent.com/${{ github.repository }}/${{ github.sha }}/repomix-output.xml'

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	content_url:'https://raw.githubusercontent.com/${{ github.repository }}/${{ github.ref_name }}/repomix-output.xml'
	content_url:'https://raw.githubusercontent.com/${{ github.repository }}/${{ github.sha }}/repomix-output.xml'

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@website/client/src/en/guide/github-actions.md` at line 158, Update the
example `content_url` to use an immutable commit SHA instead of the branch name:
replace the use of `${{ github.ref_name }}` in the `content_url` string with
`${{ github.sha }}` so published registry entries point to the exact commit;
locate the `content_url:'https://raw.githubusercontent.com/${{ github.repository
}}/${{ github.ref_name }}/repomix-output.xml'` example and modify it
accordingly.

[Copilot]

Pull request overview

Adds documentation describing an opt-in GitHub Actions workflow that chains Repomix output with publishing metadata to the external looptech-ai/understand-quickly registry (no CLI/runtime changes).

Changes:

• Adds a new “Publishing to the understand-quickly registry” subsection to the GitHub Actions guide.
• Provides an example workflow that generates Repomix output, builds a bundle@1 JSON sidecar, and invokes looptech-ai/uq-publish-action.
• Documents the required UNDERSTAND_QUICKLY_TOKEN secret and links to registry/protocol/licensing docs.

[gemini-code-assist]

Code Review

This pull request adds documentation and a GitHub Actions workflow example for publishing Repomix output to the understand-quickly registry. The feedback highlights that the generated output file needs to be committed to the repository for the provided content URL to be valid, requiring a permission update to contents: write. Additionally, it is recommended to use environment variables instead of direct interpolation in the shell script to follow security best practices.

[gemini-code-assist]

The workflow generates repomix-output.xml but does not commit it to the repository. Since the content_url (line 158) points to raw.githubusercontent.com, the file must be present in the repository for the URL to be valid. To support this, you should update the permissions to contents: write and add a step to commit and push the generated file.

Suggested change

	permissions: { contents: read }
	permissions: { contents: write }

[gemini-code-assist]

It is a security best practice to use environment variables instead of directly interpolating GitHub context variables (like ${{ github.repository }}) into shell scripts. This prevents potential script injection and handles special characters more safely. Additionally, using an environment variable for the output filename makes the script more maintainable if the filename changes in the future.

Suggested change

	- name: Build bundle@1 sidecar
	run: |
	node -e "
	const fs=require('fs');
	const b=fs.statSync('repomix-output.xml').size;
	fs.writeFileSync('repomix-output.bundle.json', JSON.stringify({
	format:'bundle@1',
	manifest:{tool:'repomix',tool_version:'latest',generated_at:new Date().toISOString(),
	file_count:0,byte_count:b,token_estimate:Math.round(b/4),format:'xml'},
	content_url:'https://raw.githubusercontent.com/${{ github.repository }}/${{ github.ref_name }}/repomix-output.xml'
	},null,2));"
	- name: Build bundle@1 sidecar
	env:
	REPO: ${{ github.repository }}
	REF: ${{ github.ref_name }}
	OUTPUT_FILE: repomix-output.xml
	run: |
	node -e "
	const fs=require('fs');
	const b=fs.statSync(process.env.OUTPUT_FILE).size;
	fs.writeFileSync('repomix-output.bundle.json', JSON.stringify({
	format:'bundle@1',
	manifest:{tool:'repomix',tool_version:'latest',generated_at:new Date().toISOString(),
	file_count:0,byte_count:b,token_estimate:Math.round(b/4),format:'xml'},
	content_url:'https://raw.githubusercontent.com/' + process.env.REPO + '/' + process.env.REF + '/' + process.env.OUTPUT_FILE
	},null,2));"

[amacsmith]

Pushed b767ff7 addressing the CodeRabbit / Copilot / gemini-code-assist findings:

• content_url 404: workflow now commits the packed XML to a dedicated understand-quickly orphan branch and pins content_url to that commit SHA, so the URL actually resolves.
• Immutability: content_url uses github.sha-style pinning (the SHA of the publish commit) rather than github.ref_name.
• Script-injection safety: moved github.repository / SHA out of inline JS into env vars (per gemini-code-assist suggestion).
• Placeholder metadata: dropped tool_version:'latest' and file_count:0 rather than misrepresenting them.
• Public-repo caveat: noted explicitly in the surrounding prose.

Left action refs as floating in the example (@main / @v0.1.0) since this is documentation prose; added a comment hint to pin in real workflows. Happy to switch to SHAs if you'd prefer the example itself be pinning-by-default.

[yamadashy]

@amacsmith
Thanks for the proposal! We're going to pass on adding this to the Repomix docs for now — happy to revisit later if the registry sees broader adoption in the Repomix community. Closing for now.