From b5853215b0a042e8b9d490c74a5fb081fd7630a7 Mon Sep 17 00:00:00 2001 From: "John R. D'Orazio" Date: Wed, 22 Apr 2026 21:09:06 +0000 Subject: [PATCH 1/4] Update CI workflow and add Dependabot config - Pin actions/checkout, actions/cache, and peaceiris/actions-gh-pages to full commit SHAs (with version comments) to harden the supply chain and make updates reviewable - Bump actions to current major versions (checkout v6, cache v5, actions-gh-pages v4), resolving the "Set up job" failure caused by actions/cache@v1 running on a retired Node runtime - Bump the Ruby container from 3.2.2 to 3.4.9 (latest 3.x) - Add .github/dependabot.yml with weekly updates for github-actions and bundler ecosystems so pinned SHAs and gem versions stay current Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/dependabot.yml | 21 +++++++++++++++++++++ .github/workflows/github-pages.yml | 10 +++++----- 2 files changed, 26 insertions(+), 5 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..0bba0b3 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,21 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + commit-message: + prefix: ci + labels: + - dependencies + - github-actions + + - package-ecosystem: bundler + directory: / + schedule: + interval: weekly + commit-message: + prefix: deps + labels: + - dependencies + - ruby diff --git a/.github/workflows/github-pages.yml b/.github/workflows/github-pages.yml index dc5cea8..49a7445 100644 --- a/.github/workflows/github-pages.yml +++ b/.github/workflows/github-pages.yml 
@@ -13,10 +13,10 @@ on: jobs: github-pages: runs-on: ubuntu-latest - container: ruby:3.2.2-bookworm + container: ruby:3.4.9-bookworm steps: - - uses: actions/checkout@v2 - - uses: actions/cache@v1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: vendor/bundle key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }} @@ -24,13 +24,13 @@ jobs: - name: Install Ruby dependencies. run: | gem install bundler - bundle install --path vendor/bundle + bundle install --path vendor/bundle - name: Build static site with Jekyll. run: bundle exec jekyll build - name: Deploy static site to gh-pages branch. - uses: peaceiris/actions-gh-pages@v3 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./_site From f9df23b719380888597e4be7b0c82e83dc973d8a Mon Sep 17 00:00:00 2001 From: "John R. D'Orazio" Date: Wed, 22 Apr 2026 21:29:34 +0000 Subject: [PATCH 2/4] Align .ruby-version and Gemfile.lock with Ruby 3.4.9 bump The workflow container was bumped from 3.2.2 to 3.4.9, but the rest of the repo still pointed at 3.2.2. Three follow-ups: - Update .ruby-version from 3.2.2 to 3.4.9 so local tooling (rbenv, asdf, chruby) matches the CI container. - Regenerate Gemfile.lock under Ruby 3.4.9. The old lockfile was BUNDLED WITH 2.2.22, which is incompatible with Ruby 3.4's DidYouMean API; the new one is BUNDLED WITH 2.6.9. Gem versions were resolved fresh. - Expand the actions/cache key to include .ruby-version so that future Ruby bumps invalidate the gem cache, avoiding silent ABI mismatches between cached native extensions and a new Ruby runtime. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/github-pages.yml | 2 +- .ruby-version | 2 +- Gemfile.lock | 130 ++++++++++++++++++++++------- 3 files changed, 102 insertions(+), 32 deletions(-) 
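Review bot: The `container: ruby:3.4.9-bookworm` line in the first github-pages.yml hunk still uses a mutable tag, while the three actions in this commit are pinned to commit SHAs. The image that runs every step of this job, including the deploy step, can therefore change without a reviewable diff. Pinning by digest keeps it consistent with the rest of the commit: `container: ruby:3.4.9-bookworm@sha256:<DIGEST_PLACEHOLDER>`, with the digest taken from the image that was actually reviewed. The same tag is added to pr-build-test.yml in PATCH 3/4. The `github-actions` and `bundler` entries in the new dependabot.yml probably do not track this image reference, so confirm how it will be kept current.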
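Review bot: `gem install bundler` in the install step (a context line of the second github-pages.yml hunk) fetches whichever Bundler release is newest on every run, leaving one unpinned download in the job that later passes `secrets.GITHUB_TOKEN` to the deploy action. Pinning it to the version recorded under `BUNDLED WITH` in Gemfile.lock, `gem install bundler -v <BUNDLED_WITH_VERSION>`, keeps the build reproducible; the same step is added verbatim in pr-build-test.yml in PATCH 3/4. `bundle install --path vendor/bundle` also relies on a flag Bundler 2 has deprecated, and `bundle config set --local path vendor/bundle` followed by a plain `bundle install` is the supported form. No `permissions:` block is visible in these hunks, so if the file has none, `permissions: contents: write` on this job would limit the token to what the deploy needs.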
diff --git a/.github/workflows/github-pages.yml b/.github/workflows/github-pages.yml index 49a7445..9822ed6 100644 --- a/.github/workflows/github-pages.yml +++ b/.github/workflows/github-pages.yml @@ -19,7 +19,7 @@ jobs: - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: vendor/bundle - key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }} + key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock', '.ruby-version') }} - name: Install Ruby dependencies. run: | diff --git a/.ruby-version b/.ruby-version index be94e6f..7bcbb38 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -3.2.2 +3.4.9 diff --git a/Gemfile.lock b/Gemfile.lock index 5348919..6b87d2f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
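Review bot: The cache key on the changed line of github-pages.yml still starts with `runner.os`, but the gems are built inside the `ruby:3.4.9-bookworm` container, so that component describes the host runner rather than the image the cached native extensions link against. `.ruby-version` now covers Ruby bumps as the description intends, but a change of only the image's distro suffix would presumably still restore the old cache. Adding a literal image marker closes that gap: `key: ${{ runner.os }}-bookworm-gems-${{ hashFiles('**/Gemfile.lock', '.ruby-version') }}`. The step list continues outside the hunk.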
@@ -1,31 +1,64 @@ GEM remote: https://rubygems.org/ specs: - addressable (2.8.5) - public_suffix (>= 2.0.2, < 6.0) + addressable (2.9.0) + public_suffix (>= 2.0.2, < 8.0) + base64 (0.3.0) + bigdecimal (4.1.2) colorator (1.1.0) - concurrent-ruby (1.2.2) + concurrent-ruby (1.3.6) + csv (3.3.5) em-websocket (0.5.3) eventmachine (>= 0.12.9) http_parser.rb (~> 0) eventmachine (1.2.7) - ffi (1.16.2) + ffi (1.17.4-aarch64-linux-gnu) + ffi (1.17.4-aarch64-linux-musl) + ffi (1.17.4-arm-linux-gnu) + ffi (1.17.4-arm-linux-musl) + ffi (1.17.4-arm64-darwin) + ffi (1.17.4-x86_64-darwin) + ffi (1.17.4-x86_64-linux-gnu) + ffi (1.17.4-x86_64-linux-musl) forwardable-extended (2.6.0) - google-protobuf (3.24.3) - http_parser.rb (0.8.0) - i18n (1.14.1) + google-protobuf (4.34.1) + bigdecimal + rake (~> 13.3) + google-protobuf (4.34.1-aarch64-linux-gnu) + bigdecimal + rake (~> 13.3) + google-protobuf (4.34.1-aarch64-linux-musl) + bigdecimal + rake (~> 13.3) + google-protobuf (4.34.1-arm64-darwin) + bigdecimal + rake (~> 13.3) + google-protobuf (4.34.1-x86_64-darwin) + bigdecimal + rake (~> 13.3) + google-protobuf (4.34.1-x86_64-linux-gnu) + bigdecimal + rake (~> 13.3) + google-protobuf (4.34.1-x86_64-linux-musl) + bigdecimal + rake (~> 13.3) + http_parser.rb (0.8.1) + i18n (1.14.8) concurrent-ruby (~> 1.0) - jekyll (4.3.2) + jekyll (4.4.1) addressable (~> 2.4) + base64 (~> 0.2) colorator (~> 1.0) + csv (~> 3.0) em-websocket (~> 0.5) i18n (~> 1.0) jekyll-sass-converter (>= 2.0, < 4.0) jekyll-watch (~> 2.0) + json (~> 2.6) kramdown (~> 2.3, >= 2.3.1) kramdown-parser-gfm (~> 1.0) liquid (~> 4.0) - mercenary (>= 0.3.6, < 0.5) + mercenary (~> 0.3, >= 0.3.6) pathutil (~> 0.9) rouge (>= 3.0, < 5.0) safe_yaml (~> 1.0) 
@@ -34,47 +67,84 @@ GEM jekyll-paginate (1.1.0) jekyll-redirect-from (0.16.0) jekyll (>= 3.3, < 5.0) - jekyll-sass-converter (3.0.0) - sass-embedded (~> 1.54) + jekyll-sass-converter (3.1.0) + sass-embedded (~> 1.75) jekyll-watch (2.2.1) listen (~> 3.0) jekyll_html_truncatewords (0.1.2) liquid nokogiri - kramdown (2.4.0) - rexml + json (2.19.4) + kramdown (2.5.2) + rexml (>= 3.4.4) kramdown-parser-gfm (1.1.0) kramdown (~> 2.0) liquid (4.0.4) - listen (3.8.0) + listen (3.10.0) + logger rb-fsevent (~> 0.10, >= 0.10.3) rb-inotify (~> 0.9, >= 0.9.10) + logger (1.7.0) mercenary (0.4.0) - mini_portile2 (2.8.4) - nokogiri (1.15.4) - mini_portile2 (~> 2.8.2) + nokogiri (1.19.2-aarch64-linux-gnu) + racc (~> 1.4) + nokogiri (1.19.2-aarch64-linux-musl) + racc (~> 1.4) + nokogiri (1.19.2-arm-linux-gnu) + racc (~> 1.4) + nokogiri (1.19.2-arm-linux-musl) + racc (~> 1.4) + nokogiri (1.19.2-arm64-darwin) + racc (~> 1.4) + nokogiri (1.19.2-x86_64-darwin) + racc (~> 1.4) + nokogiri (1.19.2-x86_64-linux-gnu) + racc (~> 1.4) + nokogiri (1.19.2-x86_64-linux-musl) racc (~> 1.4) pathutil (0.16.2) forwardable-extended (~> 2.6) - public_suffix (5.0.3) - racc (1.7.1) - rake (13.0.6) + public_suffix (7.0.5) + racc (1.8.1) + rake (13.4.2) rb-fsevent (0.11.2) - rb-inotify (0.10.1) + rb-inotify (0.11.1) ffi (~> 1.0) - rexml (3.2.6) - rouge (4.1.3) + rexml (3.4.4) + rouge (4.7.0) safe_yaml (1.0.5) - sass-embedded (1.68.0) - google-protobuf (~> 3.23) - rake (>= 13.0.0) + sass-embedded (1.99.0-aarch64-linux-gnu) + google-protobuf (~> 4.31) + sass-embedded (1.99.0-aarch64-linux-musl) + google-protobuf (~> 4.31) + sass-embedded (1.99.0-arm-linux-gnueabihf) + google-protobuf (~> 4.31) + sass-embedded (1.99.0-arm-linux-musleabihf) + google-protobuf (~> 4.31) + sass-embedded (1.99.0-arm64-darwin) + google-protobuf (~> 4.31) + sass-embedded (1.99.0-x86_64-darwin) + google-protobuf (~> 4.31) + sass-embedded (1.99.0-x86_64-linux-gnu) + google-protobuf (~> 4.31) + sass-embedded (1.99.0-x86_64-linux-musl) + 
google-protobuf (~> 4.31) terminal-table (3.0.2) unicode-display_width (>= 1.1.1, < 3) - unicode-display_width (2.5.0) - webrick (1.8.1) + unicode-display_width (2.6.0) + webrick (1.9.2) PLATFORMS - ruby + aarch64-linux-gnu + aarch64-linux-musl + arm-linux-gnu + arm-linux-gnueabihf + arm-linux-musl + arm-linux-musleabihf + arm64-darwin + x86_64-darwin + x86_64-linux-gnu + x86_64-linux-musl DEPENDENCIES jekyll (~> 4.1) @@ -84,4 +154,4 @@ DEPENDENCIES webrick (~> 1.7) BUNDLED WITH - 2.2.22 + 2.6.9 From 68db6550dd3ccd0cd49064fde49daae9eb73fd42 Mon Sep 17 00:00:00 2001 
From: "John R. D'Orazio" Date: Wed, 22 Apr 2026 22:25:07 +0000 Subject: [PATCH 3/4] Add PR build test and markdown lint workflows MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds two pull_request workflows so PRs get validated before merge: - pr-build-test.yml runs bundle exec jekyll build whenever a PR touches build-influencing files (.ruby-version, Gemfile, Gemfile.lock, _config.yml, _data/**, _includes/**, _layouts/**, _plugins/**, or the workflow itself). Reuses the ruby:3.4.9-bookworm container from the deploy workflow and shares the same vendor/bundle cache key so PR builds warm-start from master's cache. - pr-markdown-lint.yml runs markdownlint-cli2 on PRs touching *.md files, but only against files changed in the PR (diffed via github.event.pull_request.base.sha...HEAD). Lets rules land without requiring a mass-fix pass over existing posts. - .markdownlint-cli2.yaml starts from `default: true` — enables MD034 no-bare-urls (explicit repo-owner feedback) and MD040 fenced-code-language among other defaults. Disables MD013 (line-length, disruptive for prose) and MD033 (no-inline-html, Jekyll posts frequently embed raw HTML). Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/pr-build-test.yml | 34 ++++++++++++++++++++++++ .github/workflows/pr-markdown-lint.yml | 36 ++++++++++++++++++++++++++ .markdownlint-cli2.yaml | 10 +++++++ 3 files changed, 80 insertions(+) create mode 100644 .github/workflows/pr-build-test.yml create mode 100644 .github/workflows/pr-markdown-lint.yml create mode 100644 .markdownlint-cli2.yaml diff --git a/.github/workflows/pr-build-test.yml b/.github/workflows/pr-build-test.yml new file mode 100644 index 0000000..7e9a046 --- /dev/null +++ b/.github/workflows/pr-build-test.yml 
@@ -0,0 +1,34 @@
+name: PR build test
+
+on:
+ pull_request:
+ paths:
+ - '.ruby-version'
+ - 'Gemfile'
+ - 'Gemfile.lock'
+ - '_config.yml'
+ - '_data/**'
+ - '_includes/**'
+ - '_layouts/**'
+ - '_plugins/**'
+ - '.github/workflows/pr-build-test.yml'
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ container: ruby:3.4.9-bookworm
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+ with:
+ path: vendor/bundle
+ key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock', '.ruby-version') }}
+
+ - name: Install Ruby dependencies.
+ run: |
+ gem install bundler
+ bundle install --path vendor/bundle
+
+ - name: Build static site with Jekyll.
+ run: bundle exec jekyll build
diff --git a/.github/workflows/pr-markdown-lint.yml b/.github/workflows/pr-markdown-lint.yml
new file mode 100644
index 0000000..af8043b
--- /dev/null
+++ b/.github/workflows/pr-markdown-lint.yml
@@ -0,0 +1,36 @@
+name: PR markdown lint
+
+on:
+ pull_request:
+ paths:
+ - '**/*.md'
+ - '.markdownlint-cli2.yaml'
+ - '.github/workflows/pr-markdown-lint.yml'
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ fetch-depth: 0
+
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+ with:
+ node-version: '22'
+
+ - name: Install markdownlint-cli2
+ run: npm install -g markdownlint-cli2@0.22.1
+
+ - name: Lint changed Markdown files
+ env:
+ BASE_SHA: ${{ github.event.pull_request.base.sha }}
+ run: |
+ files=$(git diff --name-only --diff-filter=d "$BASE_SHA"...HEAD -- '*.md')
+ if [ -z "$files" ]; then
+ echo "No changed Markdown files to lint."
+ exit 0
+ fi
+ echo "Linting:"
+ echo "$files"
+ echo "$files" | xargs -d '\n' -r markdownlint-cli2
diff --git a/.markdownlint-cli2.yaml b/.markdownlint-cli2.yaml
new file mode 100644
index 0000000..795addd
--- /dev/null
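Review bot: pr-build-test.yml declares no `permissions:` block, yet its last two steps run content the pull request controls: `bundle install` resolves the PR's Gemfile, and `jekyll build` presumably loads whatever is under `_plugins/**`. The job token should be explicitly read-only rather than inherited from the repository default. Adding a top-level `permissions:` with `contents: read`, and `with: persist-credentials: false` on the checkout step, keeps that build code away from a usable token. pr-markdown-lint.yml in this same patch also has no `permissions:` block and would take the same `contents: read` declaration.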
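Review bot: In pr-markdown-lint.yml, the `git diff --name-only` call in the "Lint changed Markdown files" step prints non-ASCII paths in quoted, octal-escaped form under git's default `core.quotePath`. A changed post with an accented filename would reach `markdownlint-cli2` as a string that matches no file on disk, so it would likely go unlinted. Passing the names through verbatim fixes this: `files=$(git -c core.quotePath=false diff --name-only --diff-filter=d "$BASE_SHA"...HEAD -- '*.md')`. markdownlint-cli2 also treats its arguments as globs rather than literal paths, so a short comment on the step noting that filenames containing glob characters may match differently would help the next maintainer.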
+++ b/.markdownlint-cli2.yaml @@ -0,0 +1,10 @@ +# Rules: https://github.com/DavidAnson/markdownlint/blob/main/doc/Rules.md +config: + default: true + MD013: false # line-length — too disruptive for prose content + MD033: false # no-inline-html — Jekyll posts frequently embed raw HTML + +ignores: + - 'vendor/**' + - '_site/**' + - 'node_modules/**' From 5d49247a07e2aa43d5d85e51227c8f82aa943bbf Mon Sep 17 00:00:00 2001 From: "John R. D'Orazio" Date: Wed, 22 Apr 2026 22:32:01 +0000 Subject: [PATCH 4/4] Bump Node.js from 22 to 24 in PR markdown lint workflow Node 24 is the current active LTS line. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/pr-markdown-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-markdown-lint.yml b/.github/workflows/pr-markdown-lint.yml index af8043b..75c4730 100644 --- a/.github/workflows/pr-markdown-lint.yml +++ b/.github/workflows/pr-markdown-lint.yml @@ -17,7 +17,7 @@ jobs: - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: - node-version: '22' + node-version: '24' - name: Install markdownlint-cli2 run: npm install -g markdownlint-cli2@0.22.1