Skip to content

Batch gem bumps, html-proofer 5.x migration, dependabot CI fix#569

Merged
tripledoublev merged 4 commits into
stagingfrom
chore/dependabot-batch-bump
Jul 9, 2026
Merged

Batch gem bumps, html-proofer 5.x migration, dependabot CI fix#569
tripledoublev merged 4 commits into
stagingfrom
chore/dependabot-batch-bump

Conversation

@tripledoublev

Copy link
Copy Markdown
Contributor

Why

Every open dependabot PR (#566, #567, #568, #558, #497, #495, and the master-targeted #553, #513, #482) fails the build check with the same error:

OpenSSL::PKey::RSAError: Neither PUB key nor PRIV key

The dependency bumps are fine — the problem is that GitHub does not expose repository secrets to dependabot-triggered workflow runs, so secrets.ENCODED_DP_AP_KEY_STAGING is empty and /tmp/secret.key ends up as an empty file, crashing the jekyll-activity-pub plugin during the build. (The log shows Run echo | base64 --decode > /tmp/secret.key — no secret.)

This PR supersedes all of them in one verified batch, and fixes CI so future dependabot PRs pass.

What

  • Gem bumps (bundle update): nokogiri 1.18.7→1.19.4, jekyll-activity-pub 0.3.3→0.3.6, webrick 1.9.1→1.9.2, sutty-liquid 0.12.3→0.13.0, html-proofer 3.19.4→5.2.1, addressable 2.8.7→2.9.0, httparty 0.22.0→0.24.2, rexml 3.4.0→3.4.4, plus transitive updates (notably distributed-press-api-client 0.5.1→0.5.4).
  • Makefile: migrate make check to html-proofer 5.x flags — --check-html was removed in 4.0, --disable_external--disable-external, --internal-domains replaced with --swap-urls, and --no-enforce-https keeps 3.x behaviour (no https enforcement).
  • deploy.yml: when the ActivityPub key secret is empty (dependabot runs), generate a throwaway RSA key so the build can complete. Publishing to Distributed Press / ATProto still only happens on push events, which always have the real secrets, so the throwaway key never leaves the runner.

Verification

Ran locally with a generated key: JEKYLL_ENV=staging make build and make check both pass with the updated lockfile.

Follow-up after merging

Close as superseded: #566, #567, #568, #558, #497, #495 (stale — would re-add ruby-brs / drop logger), and the master-targeted #553, #513, #482 (dependabot now only targets staging; these bumps are included here and reach master via the normal staging→master flow).

🤖 Generated with Claude Code

Supersedes the open dependabot PRs, which all fail CI because
dependabot-triggered runs don't receive repository secrets, leaving
/tmp/secret.key empty and crashing jekyll-activity-pub
(OpenSSL::PKey::RSAError).

- Bump nokogiri 1.19.4, jekyll-activity-pub 0.3.6, webrick 1.9.2,
  sutty-liquid 0.13.0, html-proofer 5.2.1, addressable 2.9.0,
  httparty 0.24.2, rexml 3.4.4 (plus transitive updates incl.
  distributed-press-api-client 0.5.4)
- Migrate `make check` to html-proofer 5.x flags (--check-html removed,
  --disable_external renamed, --internal-domains replaced by
  --swap-urls)
- deploy.yml: fall back to a throwaway RSA key when the ActivityPub
  key secret is unavailable, so dependabot PR builds can pass; publish
  steps still run only on push events, which have real secrets

Verified locally: JEKYLL_ENV=staging make build and make check both
pass with the updated lockfile.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@netlify

netlify Bot commented Jul 9, 2026

Copy link
Copy Markdown

Deploy Preview for hyphacoop ready!

Name Link
🔨 Latest commit a4f1e1d
🔍 Latest deploy log https://app.netlify.com/projects/hyphacoop/deploys/6a4fcdd43456ce000867aa1d
😎 Deploy Preview https://deploy-preview-569--hyphacoop.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

tripledoublev and others added 3 commits July 9, 2026 12:10
The all-relative post-processing step rewrites href="/" to href="" on
pages at the site root; html-proofer 5.x flags empty hrefs as missing
references (3.x did not).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
site.data.theme.pixel_densities doesn't exist, so the srcset loop
always rendered srcset="". html-proofer 5.x checks <source> elements
(3.x didn't) and fails fediverse comment embeds, which only appear in
CI builds where the real ActivityPub key can fetch replies.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Review feedback: the empty-secret fallback must not let a push build
deploy with a dummy key — fail hard instead. Also stop running
jekyll notify and the data commit-back on PRs targeting master; those
are side effects that should only happen after merge.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@tripledoublev tripledoublev merged commit e98fff4 into staging Jul 9, 2026
5 checks passed
@tripledoublev tripledoublev deleted the chore/dependabot-batch-bump branch July 9, 2026 16:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant