Merge pull request #151 from offbyone/o1-push-vkqozzkppqys

Author: offbyone

.github/workflows/main.yml

@@ -4,61 +4,136 @@ name: "Blog"
 on:
   push:
     branches:
-      - master
       - main
+      - ci-testing*
+
+  pull_request:
+    branches:
+      - main
+      - ci-testing*
 
 jobs:
-  deploy:
-    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
+  build:
     permissions:
-      id-token: write
       contents: read
-
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v4
-      - uses: extractions/setup-just@v1
-
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v2
         with:
-          aws-region: us-west-2
-          role-to-assume: arn:aws:iam::984616268605:role/ideas-deployer
-          role-session-name: deploy-ideas
-          mask-aws-account-id: false
+          persist-credentials: false
 
-      - name: Set up uv
-        run: |
-          curl -LsSf https://astral.sh/uv/0.4.22/install.sh | sh
-      - name: Set up Python
-        run: |
-          uv python install --python-preference=system
-
-      - name: install python libs
-        run: uv sync
-
-      - name: Set up Node
-        uses: actions/setup-node@v3
+      - name: Install just
+        uses: extractions/setup-just@e33e0265a09d6d736e2ee1e0eb685ef1de4669ff # v3
+      - name: Install uv
+        uses: astral-sh/setup-uv@7edac99f961f18b581bbd960d59d049f04c0002f # v6.4.1
+      - name: Install node
+        uses: actions/setup-node@v4.4.0
         with:
-          node-version: "18"
-
+          node-version-file: .tool-versions
+          cache: npm
       - name: Install dependencies
-        run: |
-          npm install
-          echo "$GITHUB_WORKSPACE/node_modules/.bin" >> "$GITHUB_PATH"
+        run: just setup-gha
 
       - name: Assert that our dependencies are reachable
         run: |
           uv run python --version
           uv run pelican --version
           sass --version
-          just --version
 
       - name: Build the page
         run: |
           just generate
 
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: site-build
+          path: output/
+          retention-days: 1
+
+  verify:
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    strategy:
+      matrix:
+        check:
+          - check-links
+          - check-html
+          - check-code
+          - check-content
+          - check-feeds
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Install just
+        uses: extractions/setup-just@e33e0265a09d6d736e2ee1e0eb685ef1de4669ff # v3
+      - name: Install uv
+        uses: astral-sh/setup-uv@7edac99f961f18b581bbd960d59d049f04c0002f # v6.4.1
+      - name: Install node
+        uses: actions/setup-node@v4.4.0
+        with:
+          node-version-file: .tool-versions
+          cache: npm
+      - name: Install dependencies
+        run: just setup-gha
+      - name: Download build artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: site-build
+          path: output/
+
+      - name: Run verification checks
+        run: just ${{ matrix.check }}
+
+  deploy:
+    # I am not blocking this on verify because I want the ability to publish
+    # quick trash.
+    needs: build
+    # only run this when the action is push and the destination branch is main
+    if: github.action == 'push' && github.ref_name == 'main'
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          sparse-checkout: |
+            justfile
+          sparse-checkout-cone-mode: false
+
+      - name: Install just
+        uses: extractions/setup-just@e33e0265a09d6d736e2ee1e0eb685ef1de4669ff # v3
+      - name: Install uv
+        uses: astral-sh/setup-uv@7edac99f961f18b581bbd960d59d049f04c0002f # v6.4.1
+      - name: Install node
+        uses: actions/setup-node@v4.4.0
+        with:
+          node-version-file: .tool-versions
+          cache: npm
+      - name: Install dependencies
+        run: just setup-gha
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+        with:
+          aws-region: us-west-2
+          role-to-assume: arn:aws:iam::984616268605:role/ideas-deployer
+          role-session-name: deploy-ideas
+          mask-aws-account-id: false
+
+      - name: Download build artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: site-build
+          path: output/
+
       - name: Publish the content
         run: |
           just upload
@@ -69,7 +144,7 @@ jobs:
 
       - name: Tell me about it
         if: ${{ always() }}
-        uses: desiderati/github-action-pushover@v1
+        uses: desiderati/github-action-pushover@22efda5223198aba3e271f9cbec9b1b3a16033b0 # v1
         with:
           job-status: ${{ job.status }}
           pushover-api-token: ${{ secrets.PUSHOVER_API_TOKEN }}

.github/workflows/pr.yml

@@ -11,32 +11,19 @@ on:
       - main
 
 jobs:
-  verify:
+  zizmor:
+    name: Zizmor
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read # only needed for private repos
+      actions: read # only needed for private repos
     steps:
-      - uses: actions/checkout@v4
-      - uses: extractions/setup-just@v1
-      - name: Set up uv
-        run: |
-          curl -LsSf https://astral.sh/uv/0.4.22/install.sh | sh
-      - name: Set up Python
-        run: |
-          uv python install --python-preference=system
-
-      - name: install python libs
-        run: uv sync
-
-      - name: Set up Node
-        uses: actions/setup-node@v3
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          node-version: "18"
+          persist-credentials: false
 
-      - name: Install dependencies
-        run: |
-          npm install
-          echo "$GITHUB_WORKSPACE/node_modules/.bin" >> "$GITHUB_PATH"
-
-      - name: Build the page
-        run: |
-          just generate
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
+        with:
+          advanced-security: false

.gitignore

@@ -17,3 +17,4 @@ themes/offby1/static/webfonts/
 
 **/.claude/settings.local.json
 plan.just
+!.tool-versions

.pinact.yaml

@@ -0,0 +1,14 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/suzuki-shunsuke/pinact/refs/heads/main/json-schema/pinact.json
+# pinact - https://github.com/suzuki-shunsuke/pinact
+version: 3
+# files:
+#   - pattern: action.yaml
+#   - pattern: */action.yaml
+
+ignore_actions:
+  # - name: slsa-framework/slsa-github-generator/\.github/workflows/generator_generic_slsa3\.yml
+  #   ref: v\d+\.\d+\.\d+
+  - name: actions/.*
+    ref: v.*
+# - name: suzuki-shunsuke/.*
+#   ref: release-.*

.tool-versions

@@ -0,0 +1,3 @@
+python    3.11
+terraform 1.7.0
+nodejs    22

content/old/general-thoughts/privacy-what-privacy.rst

@@ -15,7 +15,7 @@ provoked (and prodded... and
 ...) <http://rfjason.livejournal.com/410835.html>`__ by a blogger by the
 name of Jason Fortuny.
 
-Fortuny, looking at `Craigslist <www.craigslist.org>`__, observed this,
+Fortuny, looking at `Craigslist <https://www.craigslist.org>`__, observed this,
 and made a decision that is -- at best -- unethical, and at worst
 actively sociopathic. He posted an explicit ad to a casual encounters
 section of a Craigslist site (a section devoted to hooking up for

content/old/humour/geek-poetry.md

@@ -0,0 +1,43 @@
+Title: Geek Poetry
+Date: 2003-10-08 07:33
+Author: offby1
+Category: Humour
+Tags: humour
+Slug: geek-poetry
+Status: draft
+
+If you can read these without help, may the gods of geekdom have mercy
+on your soul. If you can't, read the extended entry for help :)
+
+```
+1)
+
+!\*''#
+^"\`$$-
+!\*=@$\_
+%\* ~#4
+&[]../
+\|{,,SYSTEM HALTED
+
+2)
+
+^< @
+;\`+$?^?
+,#"~\|)^G
+```
+
+1)
+> Waka waka bang splat tick tick hash,
+> Caret quote back-tick dollar dollar dash,
+> Bang splat equal at dollar under-score,
+> Percent splat waka waka tilde number four,
+> Ampersand bracket bracket dot dot slash,
+> Vertical-bar curly-bracket comma comma CRASH.
+
+2)
+> hat less at less point at star
+> backbrace double base pound space bar
+> dash at cash and slash base rate
+> wow open tab at bar is great
+> semi backquote plus cash huh DEL
+> comma pound double tilde bar close BEL