Merge branch 'main' into dependabot/npm_and_yarn/elliptic-6.6.1

Author: gammazero

.github/actions/latest-kubo-tag/entrypoint.sh

@@ -14,4 +14,4 @@ cd kubo
 git describe --tags "${LATEST_IPFS_TAG}"
 
 echo "The latest Kubo tag is ${LATEST_IPFS_TAG}"
-echo "::set-output name=latest_tag::${LATEST_IPFS_TAG}"
+echo "latest_tag=${LATEST_IPFS_TAG}" >> $GITHUB_OUTPUT

.github/actions/update-with-latest-versions/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.24
+FROM golang:1.25
 
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt update && apt install -y jq && rm -rf /var/lib/apt/lists/*

.github/actions/update-with-latest-versions/entrypoint.sh

@@ -85,4 +85,4 @@ git config --global user.name "${GITHUB_ACTOR}@users.noreply.github.com"
 git add -u
 git commit -m "Bumped documentation & installation docs."
 git push -fu origin ${BRANCH}
-echo "::set-output name=updated_branch::${BRANCH}"
+echo "updated_branch=${BRANCH}" >> $GITHUB_OUTPUT

.github/styles/pln-ignore.txt

@@ -1,4 +1,3 @@
-atcute
 aave
 accessor
 acls
@@ -11,18 +10,21 @@ arbol
 arbol's
 arbol('s)
 arg
+astro
+atcute
 auditable
 audius
-astro
 auspinner
-bit[ss]wap
+Bacalhau
 bitswap
+bit[ss]wap
 blockchain
 blockchains
 blockstore
 bool
 bool(ean)
 boolean
+Bootstrappers
 boxo
 browserify
 caddy
@@ -45,6 +47,7 @@ composable
 config
 counterparty
 coworking
+cpu
 cpus
 crowdsourcing
 crypto(currencies)
@@ -53,16 +56,21 @@ dapps
 data('s)
 datastore
 deduplicate
+Denylist
 dep
 deps
 deserialization
+deserialized
 devs
 dheeraj
 dht
 dhts
 dialable
+dialback
+discoverability
 dns('s)
 dnsaddr
+dnscontrol
 dnslink
 dotgraph
 dups
@@ -75,18 +83,21 @@ explainers
 fabien
 failovers
 filebase
+Filebase's
 filecoin
 filecorgi
 filesizes
 filestore
-flatf[ss]
 flatfs
+flatf[ss]
 fleek
 fqdns
 gasless
 geospatial
+gif
 git(hub)
 gnutella
+goroutine
 goroutines
 graphsync
 guis
@@ -128,21 +139,21 @@ lastalive
 lastbootstrap
 lastpeer
 leveldb
-libp2p
 libipld
+libp2p
 linux
 lookups
 loopback
 mainnet
 markdown(lint)
 markdownlint
 merkle
+merkleization
 merkleize
-merklizing
-merkleizing
-merkleizes
 merkleized
-merkleization
+merkleizes
+merkleizing
+merklizing
 metadata('s)
 metamask
 minimalistic
@@ -151,12 +162,13 @@ mojitos
 multiaddr
 multiaddr(ess)
 multiaddress
+multiaddresses
 multiaddrs
 multibase
 multicast
 multicodec
-multicodecs
 multicodec(s)
+multicodecs
 multiformats
 multihash
 multihashes
@@ -177,6 +189,7 @@ nfts
 nginx
 nodejs
 npm
+octodns
 packfile
 passthrough
 peergos
@@ -196,41 +209,48 @@ protobuf
 protocol labs
 protoschool
 proxied
-pub[ss]ub
 pubsub
+pub[ss]ub
 qm
 rabin
 rasterio
+reachability
 readmes
 referenceable
 repo
 repos
+reprovide
 reprovider
 reproviding
 requesters
 retrievability
 roadmaps
+routable
+rsa
 runtime
 runtime's
-rsa
 sandboxed
 satoshi
 satoshi nakamoto
+SDKs
 serverless
 sharding
 snapshotted
 sneakernet
 sneakernets
+Someguy
+someguy
 stackparse
 stdout
-storj
 storacha
-Someguy
+Storacha's
+storj
 subcommand
 substring
 sys
 systemd
 sztandera
+takedown
 testground
 testnet
 toolkits
@@ -268,4 +288,5 @@ whyrusleeping
 wifi
 ws
 wss
+Yamux
 youtube

.github/workflows/action.yml

@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - id: checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - id: link-check
       uses: gaurav-nelson/github-action-markdown-link-check@v1
       with:

.github/workflows/build.yml

@@ -1,41 +1,57 @@
-name: Build and Deploy to IPFS
+# Build workflow - runs for both PRs and main branch pushes
+# This workflow builds the website without access to secrets
+# For PRs: Runs on untrusted fork code safely (using pull_request event, not pull_request_target)
+# For main: Builds and uploads artifacts for deployment
+# Artifacts are passed to the deploy workflow which has access to secrets
+
+name: Build
 
 permissions:
   contents: read
-  pull-requests: write
-  statuses: write
+
 on:
   push:
     branches:
       - main
   pull_request:
+    branches:
+      - main
+
+env:
+  BUILD_PATH: 'docs/.vuepress/dist'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
-  build-and-deploy:
+  build:
     runs-on: ubuntu-latest
-    outputs: # This exposes the CID output of the action to the rest of the workflow
-      cid: ${{ steps.deploy.outputs.cid }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
+        with:
+          # - For PRs: PR head commit
+          # - For pushes: the pushed commit
+          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
+
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '20'
           cache: 'npm'
 
       - name: Install dependencies
-        run: npm ci
+        run: npm ci --prefer-offline --no-audit --progress=false
 
       - name: Build project
         run: npm run docs:build
 
-      - uses: ipfs/ipfs-deploy-action@v1
-        name: Deploy to IPFS
-        id: deploy
+      # Upload artifact for deploy workflow
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v4
         with:
-          path-to-deploy: docs/.vuepress/dist
-          storacha-key: ${{ secrets.STORACHA_KEY }}
-          storacha-proof: ${{ secrets.STORACHA_PROOF }}
-          github-token: ${{ github.token }}
+          name: docs-build-${{ github.run_id }}
+          path: ${{ env.BUILD_PATH }}
+          retention-days: 90

.github/workflows/close-empty-issue.yml

@@ -11,7 +11,7 @@ jobs:
     name: Close empty issues and templates
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4 
+    - uses: actions/checkout@v5 
     - name: Run empty issues closer action
       uses: rickstaa/empty-issues-closer-action@v1
       env:

.github/workflows/deploy.yml

@@ -0,0 +1,85 @@
+# Deploy workflow - triggered by workflow_run after successful build
+# This workflow has access to secrets but never executes untrusted code
+# It only downloads and deploys pre-built artifacts from the build workflow
+# Security: Fork code cannot access secrets as it only runs in build workflow
+# Deploys to IPFS for all branches and GitHub Pages for main branch only
+
+name: Deploy
+
+# Explicitly declare permissions
+permissions:
+  contents: read
+  pull-requests: write
+  statuses: write
+
+on:
+  workflow_run:
+    workflows: ["Build"]
+    types: [completed]
+
+env:
+  BUILD_PATH: 'docs-build'
+
+jobs:
+  deploy-ipfs:
+    if: github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
+    outputs:
+      cid: ${{ steps.deploy.outputs.cid }}
+    steps:
+      - name: Download build artifact
+        uses: actions/download-artifact@v5
+        with:
+          name: docs-build-${{ github.event.workflow_run.id }}
+          path: ${{ env.BUILD_PATH }}
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ github.token }}
+
+      - name: Debug PR context and SHA
+        run: |
+          echo "Event:                  ${{ github.event_name }}"
+          echo "SHA:                    ${{ github.sha }}"
+          echo "Head SHA:               ${{ github.event.pull_request.head.sha }}"
+          echo "workflow_run.head_sha:  ${{ github.event.workflow_run.head_sha }}"
+
+      - name: Deploy to IPFS
+        uses: ipfs/ipfs-deploy-action@v1
+        id: deploy
+        with:
+          path-to-deploy: ${{ env.BUILD_PATH }}
+          cluster-url: "/dnsaddr/ipfs-websites.collab.ipfscluster.io"
+          cluster-user: ${{ secrets.CLUSTER_USER }}
+          cluster-password: ${{ secrets.CLUSTER_PASSWORD }}
+          cluster-pin-expire-in: ${{ github.event.workflow_run.head_branch != 'main' && '2160h' || '' }}
+          #storacha-key: ${{ secrets.STORACHA_KEY }}
+          #storacha-proof: ${{ secrets.STORACHA_PROOF }}
+          github-token: ${{ github.token }}
+
+  deploy-gh-pages:
+    if: |
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.head_branch == 'main'
+    runs-on: ubuntu-latest
+    permissions:
+      pages: write
+      id-token: write
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - name: Download build artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: docs-build-${{ github.event.workflow_run.id }}
+          path: docs-build
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ github.token }}
+
+      - name: Upload Pages artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: docs-build
+
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4