feat(wiki): add full in-app wiki browser and llms index (#80)

* feat(wiki): add full in-app wiki browser and llms index

* feat(wiki): auto-generate per-page llms exports

* vuln package

* fix(wiki): guard malformed route decoding

* fix(wiki): preserve markdown anchor fragments across page links

* refactor(markdown): share default render components

* fix(wiki): block unsafe markdown link schemes

* fix(wiki): block unsafe markdown image schemes

* docs(wiki): migrate root docs into wiki pages

* chore(wiki): de-track generated llms exports

* chore(wiki): ignore generated public wiki artifacts

* fix(wiki): align llms urls with per-page endpoint pattern

* fix(wiki): derive llms index from wiki index page

* refactor(markdown): share frontmatter and title helpers

* refactor(wiki): share route and llms path mapping

* ci(pages): add pr verify workflow and tighten deploy triggers
This commit is contained in:
davida-ps
2026-02-26 10:43:36 +02:00
committed by GitHub
parent 8132c23f41
commit fefecaa60a
26 changed files with 1274 additions and 230 deletions
+37 -4
@@ -4,7 +4,6 @@ on:
workflow_run:
workflows: ["CI", "Skill Release"]
types: [completed]
# Note: No branch restriction - must trigger on both main branch CI runs AND tag-based Skill Releases
workflow_dispatch:
permissions:
@@ -19,8 +18,25 @@ concurrency:
jobs:
build:
runs-on: ubuntu-latest
# Only run if workflow_dispatch OR the triggering workflow succeeded
if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
# Production build only: manual dispatch or trusted workflow_run sources.
# PR validation runs in .github/workflows/pages-verify.yml.
if: |
github.event_name == 'workflow_dispatch' ||
(
github.event_name == 'workflow_run' &&
github.event.workflow_run.conclusion == 'success' &&
(
(
github.event.workflow_run.name == 'CI' &&
github.event.workflow_run.event == 'push' &&
github.event.workflow_run.head_branch == 'main'
) ||
(
github.event.workflow_run.name == 'Skill Release' &&
github.event.workflow_run.event != 'pull_request'
)
)
)
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -401,7 +417,24 @@ jobs:
path: ./dist
deploy:
# Deploy after build succeeds (CI or Skill Release must pass first, or manual dispatch)
# Deploy after a production build succeeds.
if: |
github.event_name == 'workflow_dispatch' ||
(
github.event_name == 'workflow_run' &&
github.event.workflow_run.conclusion == 'success' &&
(
(
github.event.workflow_run.name == 'CI' &&
github.event.workflow_run.event == 'push' &&
github.event.workflow_run.head_branch == 'main'
) ||
(
github.event.workflow_run.name == 'Skill Release' &&
github.event.workflow_run.event != 'pull_request'
)
)
)
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
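Review bot: The `Skill Release` branch of the new `if:` gate (the `(github.event.workflow_run.name == 'Skill Release' && github.event.workflow_run.event != 'pull_request')` clause) is a denylist, while the `CI` branch next to it is a positive allowlist on `event == 'push'` and `head_branch == 'main'`; any other event type that can start Skill Release would pass this gate. If the intent stated in the removed comment (tag-based releases only) still holds, the tighter form is `github.event.workflow_run.event == 'push'`, optionally combined with a check that `github.event.workflow_run.head_branch` looks like a release tag, since `head_branch` carries the tag name for tag pushes — worth confirming against the Skill Release workflow's own `on:` block, which is not in this diff. The same 19-line condition is duplicated verbatim in the `deploy` job in the third hunk, so the two copies will drift unless the gate is expressed once (for example in `build` only, with `deploy` relying on `needs: build`, if that dependency exists outside the hunk). The `build` and `deploy` job bodies both extend beyond these hunks.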
+111
@@ -0,0 +1,111 @@
name: Pages Verify
on:
pull_request:
branches: [main]
permissions:
contents: read
concurrency:
group: pages-verify-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
verify-pages-build:
name: Verify Pages Build (No Publish)
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Verify signing key consistency (repo + docs)
run: ./scripts/ci/verify_signing_key_consistency.sh
- name: Prepare advisory artifacts for pre-deploy checks
run: |
set -euo pipefail
mkdir -p public/advisories
cp advisories/feed.json public/advisories/feed.json
- name: Generate advisory checksums manifest
run: |
set -euo pipefail
FEED_FILE="public/advisories/feed.json"
FEED_SHA=$(sha256sum "$FEED_FILE" | awk '{print $1}')
FEED_SIZE=$(stat -c%s "$FEED_FILE" 2>/dev/null || stat -f%z "$FEED_FILE")
jq -n \
--arg schema_version "1" \
--arg algorithm "sha256" \
--arg version "1.1.0" \
--arg generated "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
--arg repo "${{ github.repository }}" \
--arg sha "$FEED_SHA" \
--argjson size "$FEED_SIZE" \
'{
schema_version: $schema_version,
algorithm: $algorithm,
version: $version,
generated_at: $generated,
repository: $repo,
files: {
"advisories/feed.json": {
sha256: $sha,
size: $size,
path: "advisories/feed.json",
url: "https://clawsec.prompt.security/advisories/feed.json"
}
}
}' > public/checksums.json
- name: Generate ephemeral signing key for PR verification
id: test_key
run: |
set -euo pipefail
KEY_FILE=$(mktemp)
openssl genpkey -algorithm Ed25519 -out "$KEY_FILE"
{
echo "private_key<<EOF"
cat "$KEY_FILE"
echo "EOF"
} >> "$GITHUB_OUTPUT"
rm -f "$KEY_FILE"
- name: Sign advisory feed and verify
uses: ./.github/actions/sign-and-verify
with:
private_key: ${{ steps.test_key.outputs.private_key }}
input_file: public/advisories/feed.json
signature_file: public/advisories/feed.json.sig
public_key_output: public/signing-public.pem
- name: Sign checksums and verify
uses: ./.github/actions/sign-and-verify
with:
private_key: ${{ steps.test_key.outputs.private_key }}
input_file: public/checksums.json
signature_file: public/checksums.sig
- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
with:
node-version: '20'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Build site
run: npm run build
env:
NODE_ENV: production
- name: Sanity-check generated artifacts
run: |
set -euo pipefail
test -f dist/index.html
test -f public/advisories/feed.json.sig
test -f public/checksums.sig
test -f public/signing-public.pem