
ci: add per-PR docs preview deployment to Aleph Cloud #79

Merged: odesenfans merged 4 commits into main from feature/pr-preview-deploys on Jun 15, 2026

@odesenfans odesenfans commented Jun 15, 2026

Adds a pull_request-triggered workflow (.github/workflows/pr-preview.yml) that builds the docs and deploys a per-PR preview to Aleph Cloud via aleph-im/web3-hosting-action@v2, implementing the auto-deployment flow documented in #77. Release deployment is left unchanged.

Design choices

  • Delegated signing: signs with a low-privilege CI key (ALEPH_CI_PRIVATE_KEY secret) while the owner wallet (ALEPH_OWNER_ADDRESS variable) holds the credits and owns the sites. A leaked CI key cannot spend funds; its authorization is scoped to store,aggregate on the websites,domains aggregates only.
  • No closed trigger: the action sweeps and removes previews of closed PRs at the start of every run, so cleanup happens through ongoing PR activity. Listening for closed would make it reap then immediately redeploy the just-closed preview.
  • Fork-PR guard: fork PRs cannot read repository secrets, so they are skipped cleanly instead of failing on every external contribution.
  • Build steps mirror the existing release workflow (Node 18, npm install, npm run docs:build, output at docs/.vitepress/dist).

Required configuration (already set up)

  • Secret ALEPH_CI_PRIVATE_KEY: dedicated CI signer key.
  • Variable ALEPH_OWNER_ADDRESS: owner wallet address (must hold credits).
  • One-time delegation from the owner wallet authorizing the CI signer (see comment block at the top of the workflow file).

Notes

  • Broken links do not fail the build in CI (matches existing release behavior); a link-check gate would be a separate change.
  • This PR is itself the first live test of the preview deploy.

Adds a pull_request-triggered workflow that builds the docs and deploys a
per-PR preview via aleph-im/web3-hosting-action@v2, using delegated signing
(low-privilege CI key, owner wallet pays). The action sweeps and removes
previews of closed PRs on each run, so the workflow does not listen for the
closed event. Fork PRs are skipped since they cannot read repository secrets.

Release deployment is left unchanged.
The aleph CLI binary installed by web3-hosting-action requires GLIBC_2.38+,
which ubuntu-22.04 does not provide.
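
The trigger choice and fork-PR guard from the design choices above, sketched as a workflow. This is an added example, not the PR's actual pr-preview.yml: the event types, the guard expression, the `permissions` block and the pre-flight step are assumptions, and the deploy step's inputs are left out because this page does not show them.

```yaml
# Added illustration; not the contents of .github/workflows/pr-preview.yml.
name: PR docs preview (sketch)

on:
  pull_request:
    # "closed" is deliberately absent: the action sweeps previews of closed
    # PRs at the start of every run, so a closed-triggered run would reap the
    # preview and then immediately redeploy it.
    types: [opened, synchronize, reopened]

# Assumption: least-privilege token. pull-requests: write is only needed if
# the deploy step posts the preview URL as a PR comment.
permissions:
  contents: read
  pull-requests: write

jobs:
  preview:
    # Fork-PR guard: pull_request runs from forks receive no repository
    # secrets, so the job is skipped rather than failing without a key.
    if: github.event.pull_request.head.repo.full_name == github.repository
    # ubuntu-22.04 does not provide the GLIBC_2.38+ the aleph CLI requires.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 18
      - run: npm install
      - run: npm run docs:build   # output: docs/.vitepress/dist
      - name: Fail early if delegated-signing configuration is missing
        env:
          ALEPH_CI_PRIVATE_KEY: ${{ secrets.ALEPH_CI_PRIVATE_KEY }}
          ALEPH_OWNER_ADDRESS: ${{ vars.ALEPH_OWNER_ADDRESS }}
        run: |
          [ -n "$ALEPH_CI_PRIVATE_KEY" ] || { echo "::error::ALEPH_CI_PRIVATE_KEY is not set"; exit 1; }
          [ -n "$ALEPH_OWNER_ADDRESS" ] || { echo "::error::ALEPH_OWNER_ADDRESS is not set"; exit 1; }
      # Deploy step: aleph-im/web3-hosting-action@v2 goes here, given the CI
      # key, the owner address and the built site directory. Its input names
      # are not shown on this page, so they are omitted.
```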

@foxpatch-aleph foxpatch-aleph left a comment

A clean, well-designed PR that adds per-PR preview deployments to Aleph Cloud. The delegated signing model is a strong security pattern — a leaked CI key cannot spend funds. The cleanup strategy (sweeping at each run rather than listening for closed) correctly avoids a race condition. Build steps mirror the existing release workflow. The fork-PR guard handles external contributions gracefully. Minor nit: consider upgrading checkout and setup-node actions to v4 to avoid Node 16 deprecation warnings on ubuntu-latest runners.

.github/workflows/pr-preview.yml (line 42): Consider bumping to actions/checkout@v4; v3 runs on Node 16, which is deprecated on ubuntu-latest (24.04+).

.github/workflows/pr-preview.yml (line 45): Consider bumping to actions/setup-node@v4 for the same Node 16 deprecation reason.

github-actions Bot commented Jun 15, 2026

Deployed on:

Preview for this pull request, updated on every commit and removed once the PR is closed.

v3 runs on the deprecated Node 16 runtime on ubuntu-latest (24.04+).
Latest stable; v4 (Node 20) is entering deprecation.

@foxpatch-aleph foxpatch-aleph left a comment

Well-structured PR that adds a per-PR preview deployment workflow using aleph-im/web3-hosting-action@v2. The delegated signing model (low-privilege CI key, owner wallet holds credits) follows least-privilege principles. Fork PRs are handled gracefully. The cleanup strategy (sweep at each run, no closed trigger) is deliberate and well-documented. Build steps mirror the existing release workflow with an upgrade to checkout/setup-node@v4. One minor note: the first-PR-after-last-to-close will clean up the previous orphan before deploying, which is a reasonable tradeoff clearly explained in the comments.

.github/workflows/pr-preview.yml (line 6): Cleanup relies on subsequent PR activity. The last PR to close leaves an orphan until another PR event. This is a reasonable tradeoff and well-documented, but worth being aware of.

@odesenfans odesenfans merged commit dd18c9f into main Jun 15, 2026
1 check passed
@odesenfans odesenfans deleted the feature/pr-preview-deploys branch June 15, 2026 15:33