
front-matter | checkout
---|---
4 | 81
686 | 6,693
0.0% | 1.9%
0.0 | 5.2
almost 2 years ago | about 1 month ago
JavaScript | TypeScript
MIT License | MIT License
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
front-matter
- Creating an SSG (Static Site Generation) Application with Strapi Webhooks and NextJs
To set our metadata dynamically, we also imported the front-matter dependency.
- Label automation at your fingertips
front-matter parser
- Why I built my own static site generator
- Making a Markdown Editor for Your Vue Blog with Front Matter Support
What we want is for our editor to take the combination of front-matter data and markup, then be able to extract the two before storing that data separately somewhere. We'll be using the front-matter module to extract the data we need from the text editor content.
checkout
- Bypassing GitHub Actions policies in the dumbest way possible
What with actions/checkout@v4, how's that documented?
https://github.com/actions/checkout/issues/567#issuecomment-...
GH has a `permissions:` entry and this mechanism already for internal repo action sharing. And thousands of our dollars per month.
- GitHub's checkout action is halting contributions
- How to Harden GitHub Actions: The Unofficial Guide
Here is an example in the wild: https://github.com/actions/checkout/actions/workflows/publis...
- Using Checkout Action in GitHub Actions Workflow
The snippet above creates a step called "Checkout repository", which uses the actions/checkout action. The @ character allows you to pin the version of the action - in this case, version v4. You can see previous and future versions in the checkout releases on GitHub.
- Popular GitHub Action tj-actions/changed-files is compromised
I think a big part of the problem is the way one typically "installs" a GH action: by copy-pasting something from README of the action.
Let's have a look at a random official GH provided action:
https://github.com/actions/checkout
It lists the following snippet:
`uses: actions/checkout@v4`
Everyone will just copy paste this snippet and call it a day.
In case of npm/yarn deps, one would often do the same, and copy paste `yarn install foobar`, but then when installing, npm/yarn would create a lockfile and pin the version. Whereas there's no "installer" CLI for GH actions that would pin the version for you, you just copy-paste and git push.
To make things better, ideally, the owners of actions would update the workflows which release a new version of the GH action, to make it update README snippet with the sha256 of the most recent release.
- Tj-actions/changed-files GitHub Action Compromised – used by over 23K repos
It seems pretty awful that the de-facto way to use GitHub Actions is using git tags which are not immutable. For example, to check out code [1]:
`- uses: actions/checkout@v4`
GitHub does advise people to harden their actions by referring to git commit hashes [2] but GitHub currently only supports SHA-1 as hashing algorithm. Creating collisions with this hashing algo will be more and more affordable and I'm afraid that we will see attacks using the hash collisions during my lifetime.
I wish that they will add support for SHA-256 soon and wrote product feedback regarding it here: https://github.com/orgs/community/discussions/154056
If this resonates with you please go and give it a thumbs up :)
[1]: https://github.com/actions/checkout?tab=readme-ov-file#usage
[2]: https://docs.github.com/en/actions/security-for-github-actio...
- Asynchronous Server: Building and Rigorously Testing a WebSocket and HTTP Server
GitHub Actions uses .yaml or .yml files to define workflows, similar to docker-compose.yml. In this case, we're using the latest Ubuntu distribution as the environment. We use version 4 of the actions/checkout action to check out our repository. We also install system dependencies required by some of the Python packages, such as poppler-utils for pdf2image and tesseract-ocr and libtesseract-dev for pytesseract. Since our project doesn't have database interaction, we don't need a services section. The remaining steps are self-explanatory. We then execute our bash script to check the codebase against our defined standards. We also supply environment variables and run the tests (which we'll write later). This CI/CD pipeline runs on every pull request or push to the utility branch.
- How to Set Up Automated Tests with a QA Coding Agent for Flutter
GitAuto used v2, while v4 is the latest available according to the official GitHub Actions Checkout documentation. Another area for potential improvement.
- Tell HN: GitHub doesn't cleanup spam in their own repos
I was checking out the actions/checkout repository, which is something most GitHub actions are bound to use, and navigated to the issues:
https://github.com/actions/checkout/issues
On the first page alone I found cryptocurrency scams, no-effort issues, and outright spam, from days to months old. It is an official GitHub repository for one of their most popular actions in a major feature, with hundreds of watchers and thousands of forks and stars. Yet it looks completely abandoned. No wonder the state of spam on GitHub.
- Lock Mechanism on GitHub Actions
Manage branches via GitHub API without git command. You don't have to checkout repositories by actions/checkout
What are some alternatives?
gray-matter - Smarter YAML front matter parser, used by metalsmith, Gatsby, Netlify, Assemble, mapbox-gl, phenomic, vuejs vitepress, TinaCMS, Shopify Polaris, Ant Design, Astro, hashicorp, garden, slidev, saber, sourcegraph, and many others. Simple to use, and battle tested. Parses YAML by default but can also parse JSON Front Matter, Coffee Front Matter, TOML Front Matter, and has support for custom parsers. Please follow gray-matter's author: https://github.com/jonschlinkert
cache - Cache dependencies and build outputs in GitHub Actions
docsify - 🃏 A magical documentation site generator.
ssh-action - GitHub Actions for executing remote ssh commands.
marked - A markdown parser and compiler. Built for speed.
jacoco-badge-generator - Coverage badges, and pull request coverage checks, from JaCoCo reports in GitHub Actions
