Conversation
* Add GitHub Actions workflow to build PDF with decktape
On every push to main that touches security-in-age-of-ai/, build a PDF
from the Reveal.js deck using decktape and commit it back to the same
directory. PDF is also uploaded as a workflow artifact.
* SHA-pin all actions in build-pdf workflow
Pin to full 40-char commit SHAs with tag comment, matching the deck's
own guidance on hijack-resistant action references.
* Pin decktape install to commit SHA, not version tag
Install decktape from astefanutti/decktape at commit 6735cec (v3.12.0)
so a retagged release on GitHub or npm can't substitute different code.
* Use pnpm for global tool install and dlx invocations
Enable pnpm via Corepack and switch decktape install + http-server /
wait-on invocations from npm/npx to pnpm / pnpm dlx.
* Split workflow into build (PR + push) and publish (push to main only)
- build: read-only permissions, runs on every PR and push to verify the
deck still renders to PDF; uploads PDF as a workflow artifact.
- publish: gated by 'push to main', needs: build. Downloads the verified
artifact and commits it back. Never sees source or runs build code.
Mirrors the same two-job split the deck recommends for release pipelines.
* Fix pnpm global bin dir for CI
Set PNPM_HOME and add it to PATH so 'pnpm add -g' has a valid global
bin directory. Without this, pnpm errors with ERR_PNPM_NO_GLOBAL_BIN_DIR.
* Pass --no-sandbox to Chrome for headless run on GitHub runners
GitHub-hosted Ubuntu runners can't use Chrome's SUID sandbox, so
puppeteer fails with 'No usable sandbox'. Disabling it is safe inside
the ephemeral runner.
* Publish PDF to Zenodo instead of committing it back
- New scripts/zenodo_publish.py uploads the PDF to the uw-ssec
community on zenodo.org (or sandbox.zenodo.org when ZENODO_SANDBOX
is set). First run creates a new deposition; later runs open a new
version of the existing record and replace the file. Existing
records are discovered by searching the authenticated user's
depositions for a unique 'uw-ssec-deck:<slug>' keyword tag.
- Per-deck metadata lives in <deck>/zenodo.json so adding another
deck is just adding a JSON file plus a publish step.
- Workflow publish job no longer commits; runs the script with
ZENODO_TOKEN from secrets, defaults to sandbox so production
records aren't created until ZENODO_SANDBOX repo var is set to
'false'.
- Skips publish when the existing record's version already matches
github.sha.
* Use CalVer (YYYY.MM.DD) for Zenodo version field
Replaces the git-SHA version with a calendar version computed at
publish time in UTC. When more than one publish happens on the same
day, the version becomes YYYY.MM.DD.N with N incremented from the
previous record's version.
* Route publish target by branch: staging→sandbox, main→production
- Workflow now also triggers on push to 'staging'.
- The publish job runs on either main or staging, but selects the
Zenodo host and token based on which branch fired:
staging → sandbox.zenodo.org via ZENODO_SANDBOX_TOKEN
main → zenodo.org via ZENODO_TOKEN
- Drops the vars.ZENODO_SANDBOX override; branch decides.
* Move Zenodo community into per-deck zenodo.json
Lets each deck pick its own community without editing the script.
Defaults to 'uw-ssec' when unset.
* Add ORCID iDs for Don and Cordero in zenodo metadata
Keeps CI-only scripts colocated with the workflows that use them.
* Add README for contributors and AGENTS.md for AI agents README.md: replaces the one-line stub with a contributor guide covering repo layout, the staging/main branch model, how to add a new deck, local preview/PDF commands, required secrets, and the versioning model. AGENTS.md: operating notes for AI agents working in the repo. Captures slide and workflow conventions (SHA-pinned actions, CalVer, the uw-ssec-deck:<slug> keyword key), where to put new files, and which changes need explicit user confirmation. * Restructure AGENTS.md in Karpathy CLAUDE.md style - Lead with Core Principles + Project Rules + Never Do, the format Karpathy advocates (https://www.sotaaz.com/post/karpathy-claude-md-en). - Convert advice into concrete declarative rules with bad/good examples. - Promote 'no AI attribution in commits' into the explicit Never-Do list, alongside other repo-specific prohibitions. - Keep the new-deck checklist and local commands, trimmed. - Under 200 lines so it stays cheap to load each session.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Promotes the changes verified on `staging` (sandbox.zenodo.org) to `main` (zenodo.org production).
What's in this promotion
Required before merge
Test plan