Skip to content

Promote staging → main: PDF build + Zenodo publish pipeline#17

Merged
lsetiawan merged 3 commits into
mainfrom
staging
May 15, 2026
Merged

Promote staging → main: PDF build + Zenodo publish pipeline#17
lsetiawan merged 3 commits into
mainfrom
staging

Conversation

@lsetiawan

Copy link
Copy Markdown
Member

Promotes the changes verified on `staging` (sandbox.zenodo.org) to `main` (zenodo.org production).

What's in this promotion

  • Add GitHub Actions workflow to build PDFs with decktape #14 — GitHub Actions workflow to build PDFs with decktape, two-job split (build runs on PRs as a render check; publish runs only on push to main/staging), pnpm via Corepack, all actions SHA-pinned. Publishes to Zenodo under the `uw-ssec` community via `.github/scripts/zenodo_publish.py`. CalVer versioning (`YYYY.MM.DD`), keyword-tag-based record lookup (`uw-ssec-deck:`).
  • Move scripts/ under .github/ #15 — Move `scripts/` under `.github/` to colocate CI tooling with the workflow.
  • Add contributor README and AGENTS.md #16 — Contributor-facing `README.md` and agent-facing `AGENTS.md` (Karpathy-style: Core Principles, Project Rules, Never Do, with concrete ❌/✅ examples).

Required before merge

  • Confirm `secrets.ZENODO_TOKEN` is set on the repository (production token, `deposit:write` + `deposit:actions` scopes).
  • After merge, this push to `main` will trigger the publish job and create a real Zenodo record with a permanent DOI for the Security in the Age of AI deck.

Test plan

  • Sandbox flow already verified on `staging`.
  • On merge, watch the workflow run for `build-pdf.yml` and confirm the production Zenodo record under the `uw-ssec` community.

lsetiawan added 3 commits May 15, 2026 12:47
* Add GitHub Actions workflow to build PDF with decktape

On every push to main that touches security-in-age-of-ai/, build a PDF
from the Reveal.js deck using decktape and commit it back to the same
directory. PDF is also uploaded as a workflow artifact.

* SHA-pin all actions in build-pdf workflow

Pin to full 40-char commit SHAs with tag comment, matching the deck's
own guidance on hijack-resistant action references.

* Pin decktape install to commit SHA, not version tag

Install decktape from astefanutti/decktape at commit 6735cec (v3.12.0)
so a retagged release on GitHub or npm can't substitute different code.

* Use pnpm for global tool install and dlx invocations

Enable pnpm via Corepack and switch decktape install + http-server /
wait-on invocations from npm/npx to pnpm / pnpm dlx.

* Split workflow into build (PR + push) and publish (push to main only)

- build: read-only permissions, runs on every PR and push to verify the
  deck still renders to PDF; uploads PDF as a workflow artifact.
- publish: gated by 'push to main', needs: build. Downloads the verified
  artifact and commits it back. Never sees source or runs build code.

Mirrors the same two-job split the deck recommends for release pipelines.

* Fix pnpm global bin dir for CI

Set PNPM_HOME and add it to PATH so 'pnpm add -g' has a valid global
bin directory. Without this, pnpm errors with ERR_PNPM_NO_GLOBAL_BIN_DIR.

* Pass --no-sandbox to Chrome for headless run on GitHub runners

GitHub-hosted Ubuntu runners can't use Chrome's SUID sandbox, so
puppeteer fails with 'No usable sandbox'. Disabling it is safe inside
the ephemeral runner.

* Publish PDF to Zenodo instead of committing it back

- New scripts/zenodo_publish.py uploads the PDF to the uw-ssec
  community on zenodo.org (or sandbox.zenodo.org when ZENODO_SANDBOX
  is set). First run creates a new deposition; later runs open a new
  version of the existing record and replace the file. Existing
  records are discovered by searching the authenticated user's
  depositions for a unique 'uw-ssec-deck:<slug>' keyword tag.
- Per-deck metadata lives in <deck>/zenodo.json so adding another
  deck is just adding a JSON file plus a publish step.
- Workflow publish job no longer commits; runs the script with
  ZENODO_TOKEN from secrets, defaults to sandbox so production
  records aren't created until ZENODO_SANDBOX repo var is set to
  'false'.
- Skips publish when the existing record's version already matches
  github.sha.

* Use CalVer (YYYY.MM.DD) for Zenodo version field

Replaces the git-SHA version with a calendar version computed at
publish time in UTC. When more than one publish happens on the same
day, the version becomes YYYY.MM.DD.N with N incremented from the
previous record's version.

* Route publish target by branch: staging→sandbox, main→production

- Workflow now also triggers on push to 'staging'.
- The publish job runs on either main or staging, but selects the
  Zenodo host and token based on which branch fired:
    staging  → sandbox.zenodo.org via ZENODO_SANDBOX_TOKEN
    main     → zenodo.org via ZENODO_TOKEN
- Drops the vars.ZENODO_SANDBOX override; branch decides.

* Move Zenodo community into per-deck zenodo.json

Lets each deck pick its own community without editing the script.
Defaults to 'uw-ssec' when unset.

* Add ORCID iDs for Don and Cordero in zenodo metadata
Keeps CI-only scripts colocated with the workflows that use them.
* Add README for contributors and AGENTS.md for AI agents

README.md: replaces the one-line stub with a contributor guide covering
repo layout, the staging/main branch model, how to add a new deck,
local preview/PDF commands, required secrets, and the versioning model.

AGENTS.md: operating notes for AI agents working in the repo. Captures
slide and workflow conventions (SHA-pinned actions, CalVer, the
uw-ssec-deck:<slug> keyword key), where to put new files, and which
changes need explicit user confirmation.

* Restructure AGENTS.md in Karpathy CLAUDE.md style

- Lead with Core Principles + Project Rules + Never Do, the format
  Karpathy advocates (https://www.sotaaz.com/post/karpathy-claude-md-en).
- Convert advice into concrete declarative rules with bad/good examples.
- Promote 'no AI attribution in commits' into the explicit Never-Do
  list, alongside other repo-specific prohibitions.
- Keep the new-deck checklist and local commands, trimmed.
- Under 200 lines so it stays cheap to load each session.
@lsetiawan
lsetiawan merged commit 7334578 into main May 15, 2026
6 of 7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant