Merge branch 'main' into dependabot/npm_and_yarn/prettier-3.6.2

Author: gammazero

.github/actions/latest-kubo-tag/entrypoint.sh

@@ -14,4 +14,4 @@ cd kubo
 git describe --tags "${LATEST_IPFS_TAG}"
 
 echo "The latest Kubo tag is ${LATEST_IPFS_TAG}"
-echo "::set-output name=latest_tag::${LATEST_IPFS_TAG}"
+echo "latest_tag=${LATEST_IPFS_TAG}" >> $GITHUB_OUTPUT

.github/actions/update-with-latest-versions/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.24
+FROM golang:1.25
 
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt update && apt install -y jq && rm -rf /var/lib/apt/lists/*

.github/actions/update-with-latest-versions/entrypoint.sh

@@ -85,4 +85,4 @@ git config --global user.name "${GITHUB_ACTOR}@users.noreply.github.com"
 git add -u
 git commit -m "Bumped documentation & installation docs."
 git push -fu origin ${BRANCH}
-echo "::set-output name=updated_branch::${BRANCH}"
+echo "updated_branch=${BRANCH}" >> $GITHUB_OUTPUT

.github/styles/pln-ignore.txt

@@ -15,6 +15,7 @@ atcute
 auditable
 audius
 auspinner
+Bacalhau
 bitswap
 bit[ss]wap
 blockchain
@@ -82,6 +83,7 @@ explainers
 fabien
 failovers
 filebase
+Filebase's
 filecoin
 filecorgi
 filesizes
@@ -230,6 +232,7 @@ runtime's
 sandboxed
 satoshi
 satoshi nakamoto
+SDKs
 serverless
 sharding
 snapshotted
@@ -240,6 +243,7 @@ someguy
 stackparse
 stdout
 storacha
+Storacha's
 storj
 subcommand
 substring

.github/workflows/action.yml

@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - id: checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - id: link-check
       uses: gaurav-nelson/github-action-markdown-link-check@v1
       with:

.github/workflows/build.yml

@@ -1,46 +1,57 @@
-name: Build and Deploy to IPFS
+# Build workflow - runs for both PRs and main branch pushes
+# This workflow builds the website without access to secrets
+# For PRs: Runs on untrusted fork code safely (using pull_request event, not pull_request_target)
+# For main: Builds and uploads artifacts for deployment
+# Artifacts are passed to the deploy workflow which has access to secrets
+
+name: Build
 
 permissions:
   contents: read
-  pull-requests: write
-  statuses: write
+
 on:
   push:
     branches:
       - main
-  pull_request_target:
+  pull_request:
     branches:
       - main
 
+env:
+  BUILD_PATH: 'docs/.vuepress/dist'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
-  build-and-deploy:
+  build:
     runs-on: ubuntu-latest
-    outputs: # This exposes the CID output of the action to the rest of the workflow
-      cid: ${{ steps.deploy.outputs.cid }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
-          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
+          # - For PRs: PR head commit
+          # - For pushes: the pushed commit
+          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
+
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '20'
           cache: 'npm'
 
       - name: Install dependencies
-        run: npm ci
+        run: npm ci --prefer-offline --no-audit --progress=false
 
       - name: Build project
         run: npm run docs:build
 
-      - uses: ipfs/ipfs-deploy-action@v1
-        name: Deploy to IPFS
-        id: deploy
+      # Upload artifact for deploy workflow
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v4
         with:
-          path-to-deploy: docs/.vuepress/dist
-          storacha-key: ${{ secrets.STORACHA_KEY }}
-          storacha-proof: ${{ secrets.STORACHA_PROOF }}
-          github-token: ${{ github.token }}
+          name: docs-build-${{ github.run_id }}
+          path: ${{ env.BUILD_PATH }}
+          retention-days: 90

.github/workflows/close-empty-issue.yml

@@ -11,7 +11,7 @@ jobs:
     name: Close empty issues and templates
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4 
+    - uses: actions/checkout@v5 
     - name: Run empty issues closer action
       uses: rickstaa/empty-issues-closer-action@v1
       env:

.github/workflows/deploy.yml

@@ -0,0 +1,85 @@
+# Deploy workflow - triggered by workflow_run after successful build
+# This workflow has access to secrets but never executes untrusted code
+# It only downloads and deploys pre-built artifacts from the build workflow
+# Security: Fork code cannot access secrets as it only runs in build workflow
+# Deploys to IPFS for all branches and GitHub Pages for main branch only
+
+name: Deploy
+
+# Explicitly declare permissions
+permissions:
+  contents: read
+  pull-requests: write
+  statuses: write
+
+on:
+  workflow_run:
+    workflows: ["Build"]
+    types: [completed]
+
+env:
+  BUILD_PATH: 'docs-build'
+
+jobs:
+  deploy-ipfs:
+    if: github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
+    outputs:
+      cid: ${{ steps.deploy.outputs.cid }}
+    steps:
+      - name: Download build artifact
+        uses: actions/download-artifact@v5
+        with:
+          name: docs-build-${{ github.event.workflow_run.id }}
+          path: ${{ env.BUILD_PATH }}
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ github.token }}
+
+      - name: Debug PR context and SHA
+        run: |
+          echo "Event:                  ${{ github.event_name }}"
+          echo "SHA:                    ${{ github.sha }}"
+          echo "Head SHA:               ${{ github.event.pull_request.head.sha }}"
+          echo "workflow_run.head_sha:  ${{ github.event.workflow_run.head_sha }}"
+
+      - name: Deploy to IPFS
+        uses: ipfs/ipfs-deploy-action@v1
+        id: deploy
+        with:
+          path-to-deploy: ${{ env.BUILD_PATH }}
+          cluster-url: "/dnsaddr/ipfs-websites.collab.ipfscluster.io"
+          cluster-user: ${{ secrets.CLUSTER_USER }}
+          cluster-password: ${{ secrets.CLUSTER_PASSWORD }}
+          cluster-pin-expire-in: ${{ github.event.workflow_run.head_branch != 'main' && '2160h' || '' }}
+          #storacha-key: ${{ secrets.STORACHA_KEY }}
+          #storacha-proof: ${{ secrets.STORACHA_PROOF }}
+          github-token: ${{ github.token }}
+
+  deploy-gh-pages:
+    if: |
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.head_branch == 'main'
+    runs-on: ubuntu-latest
+    permissions:
+      pages: write
+      id-token: write
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - name: Download build artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: docs-build-${{ github.event.workflow_run.id }}
+          path: docs-build
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ github.token }}
+
+      - name: Upload Pages artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: docs-build
+
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4

.github/workflows/reveiwdog-languagetool.yml

@@ -8,7 +8,7 @@ jobs:
     name: languagetool
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check Spelling
         uses: reviewdog/action-languagetool@v1
         with:

.github/workflows/update-on-new-ipfs-tag.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout ipfs-docs
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Find latest kubo tag
         id: latest_ipfs
         uses: ./.github/actions/latest-kubo-tag