Batch gem bumps, html-proofer 5.x migration, dependabot CI fix#569
Merged
Conversation
Supersedes the open dependabot PRs, which all fail CI because dependabot-triggered runs don't receive repository secrets, leaving /tmp/secret.key empty and crashing jekyll-activity-pub (OpenSSL::PKey::RSAError). - Bump nokogiri 1.19.4, jekyll-activity-pub 0.3.6, webrick 1.9.2, sutty-liquid 0.13.0, html-proofer 5.2.1, addressable 2.9.0, httparty 0.24.2, rexml 3.4.4 (plus transitive updates incl. distributed-press-api-client 0.5.4) - Migrate `make check` to html-proofer 5.x flags (--check-html removed, --disable_external renamed, --internal-domains replaced by --swap-urls) - deploy.yml: fall back to a throwaway RSA key when the ActivityPub key secret is unavailable, so dependabot PR builds can pass; publish steps still run only on push events, which have real secrets Verified locally: JEKYLL_ENV=staging make build and make check both pass with the updated lockfile. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
✅ Deploy Preview for hyphacoop ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
The all-relative post-processing step rewrites href="/" to href="" on pages at the site root; html-proofer 5.x flags empty hrefs as missing references (3.x did not). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
site.data.theme.pixel_densities doesn't exist, so the srcset loop always rendered srcset="". html-proofer 5.x checks <source> elements (3.x didn't) and fails fediverse comment embeds, which only appear in CI builds where the real ActivityPub key can fetch replies. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Review feedback: the empty-secret fallback must not let a push build deploy with a dummy key — fail hard instead. Also stop running jekyll notify and the data commit-back on PRs targeting master; those are side effects that should only happen after merge. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Every open dependabot PR (#566, #567, #568, #558, #497, #495, and the master-targeted #553, #513, #482) fails the
buildcheck with the same error:The dependency bumps are fine — the problem is that GitHub does not expose repository secrets to dependabot-triggered workflow runs, so
secrets.ENCODED_DP_AP_KEY_STAGINGis empty and/tmp/secret.keyends up as an empty file, crashing the jekyll-activity-pub plugin during the build. (The log showsRun echo | base64 --decode > /tmp/secret.key— no secret.)This PR supersedes all of them in one verified batch, and fixes CI so future dependabot PRs pass.
What
bundle update): nokogiri 1.18.7→1.19.4, jekyll-activity-pub 0.3.3→0.3.6, webrick 1.9.1→1.9.2, sutty-liquid 0.12.3→0.13.0, html-proofer 3.19.4→5.2.1, addressable 2.8.7→2.9.0, httparty 0.22.0→0.24.2, rexml 3.4.0→3.4.4, plus transitive updates (notably distributed-press-api-client 0.5.1→0.5.4).make checkto html-proofer 5.x flags —--check-htmlwas removed in 4.0,--disable_external→--disable-external,--internal-domainsreplaced with--swap-urls, and--no-enforce-httpskeeps 3.x behaviour (no https enforcement).pushevents, which always have the real secrets, so the throwaway key never leaves the runner.Verification
Ran locally with a generated key:
JEKYLL_ENV=staging make buildandmake checkboth pass with the updated lockfile.Follow-up after merging
Close as superseded: #566, #567, #568, #558, #497, #495 (stale — would re-add ruby-brs / drop logger), and the master-targeted #553, #513, #482 (dependabot now only targets staging; these bumps are included here and reach master via the normal staging→master flow).
🤖 Generated with Claude Code