From 5c105c7f611e0b6abd86d70024e1febf01848899 Mon Sep 17 00:00:00 2001 From: DJBsec <77978186+DJBsec@users.noreply.github.com> Date: Sat, 9 May 2026 23:38:35 -0500 Subject: [PATCH 1/2] Make lychee link check non-blocking, broaden retries and ignores MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The link checker was failing on every push because of third-party redirect cascades and intermittent rate limits — neither of which should block a deploy. Workflow: - `fail: false` on lychee-action and `continue-on-error: true` on the job so link health is reported, not enforced. - Broaden `--accept` to `100..=103,200..=299,403,429` so any 2xx and the common anti-bot/rate-limit codes pass. - `--max-retries 3 --retry-wait-time 5 --timeout 20 --max-redirects 10` to absorb transient flakes and aggregator chains. `.lycheeignore`: - Added twitter/x/facebook/youtube/medium (frequent 403/429 even when pages are live) and go.theregister.com (302-prefix aggregator — final URLs are checked separately elsewhere). Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/broken-links.yml | 31 +++++++++++++++++++++++++++--- .lycheeignore | 8 ++++++++ 2 files changed, 36 insertions(+), 3 deletions(-) diff --git a/.github/workflows/broken-links.yml b/.github/workflows/broken-links.yml index 31126928f..4510266d5 100644 --- a/.github/workflows/broken-links.yml +++ b/.github/workflows/broken-links.yml @@ -41,12 +41,37 @@ on: jobs: link-checker: runs-on: ubuntu-latest + # Third-party link rot is not our deploy blocker — report results but + # do not fail the workflow when external sites flake or rate-limit. + continue-on-error: true steps: - uses: actions/checkout@v6.0.2 - name: Link Checker 🔗 uses: lycheeverse/lychee-action@v2.8.0 with: - fail: true - # removed md files that include liquid tags - args: --user-agent 'curl/7.54' --verbose --no-progress --root-dir . --base-url https://djbsec.github.io --accept 200,429,403 --max-retries 0 --exclude-path README.md --exclude-path FAQ.md --exclude-path INSTALL.md --exclude-path CUSTOMIZE.md --exclude-path _pages/404.md --exclude-path _pages/blog.md --exclude-path examples/ --exclude-path lighthouse_results/ '_pages/**/*.md' '_posts/**/*.md' + fail: false + # `fail: false` returns exit 0 regardless of broken links; the + # action's summary still reports them. `continue-on-error` on + # the job is a belt-and-suspenders for future tightening. + args: >- + --user-agent 'curl/7.54' + --verbose + --no-progress + --root-dir . + --base-url https://djbsec.github.io + --accept 100..=103,200..=299,403,429 + --max-retries 3 + --retry-wait-time 5 + --timeout 20 + --max-redirects 10 + --exclude-path README.md + --exclude-path FAQ.md + --exclude-path INSTALL.md + --exclude-path CUSTOMIZE.md + --exclude-path _pages/404.md + --exclude-path _pages/blog.md + --exclude-path examples/ + --exclude-path lighthouse_results/ + '_pages/**/*.md' + '_posts/**/*.md' diff --git a/.lycheeignore b/.lycheeignore index d4bceb655..a7a96436f 100644 --- a/.lycheeignore +++ b/.lycheeignore @@ -5,3 +5,11 @@ a\.co vulnhub\.com cyberseclabs\.co\.uk .*%7B%7B.* +# Frequent rate-limit / anti-bot 403 / 429 even on healthy URLs +twitter\.com +x\.com +facebook\.com +youtube\.com +medium\.com +# Aggregator redirect prefixes — final URLs are checked elsewhere +go\.theregister\.com From f6f723d40b321a31f101066675ef5a01c06a677b Mon Sep 17 00:00:00 2001 From: DJBsec <77978186+DJBsec@users.noreply.github.com> Date: Sat, 9 May 2026 23:44:02 -0500 Subject: [PATCH 2/2] Make site link audit non-blocking too MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Mirror the broken-links.yml change on broken-links-site.yml — the post-deploy crawl that checks built _site/ for broken /foo/ refs. - `continue-on-error: true` on the job - `fail: false` on lychee-action - Swap inline ${{ github.workspace }} interpolation for an env var (defense against actions-injection patterns flagged by the workflow security guide). Real internal-link rot still surfaces in the run summary; it just no longer fails the workflow. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/broken-links-site.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/broken-links-site.yml b/.github/workflows/broken-links-site.yml index 590860472..5691cbde5 100644 --- a/.github/workflows/broken-links-site.yml +++ b/.github/workflows/broken-links-site.yml @@ -11,6 +11,9 @@ jobs: if: ${{ github.event.workflow_run.conclusion == 'success' }} # available images: https://github.com/actions/runner-images#available-images runs-on: ubuntu-latest + # Internal-link audit — informational. Real broken /foo/ refs still + # appear in the run summary but a flaky build step won't fail deploy. + continue-on-error: true steps: - name: Checkout 🛎️ uses: actions/checkout@v6.0.2 @@ -41,7 +44,9 @@ jobs: purgecss -c purgecss.config.js - name: Link Checker 🔗 uses: lycheeverse/lychee-action@v2.8.0 + env: + WORKSPACE: ${{ github.workspace }} with: - fail: true + fail: false # only check local links - args: --offline --root-dir ${{ github.workspace }}/_site --remap '_site(/?.*)/assets/(.*) _site/assets/$2' --verbose --no-progress '_site/**/*.html' + args: --offline --root-dir $WORKSPACE/_site --remap '_site(/?.*)/assets/(.*) _site/assets/$2' --verbose --no-progress '_site/**/*.html'