Welcome to the second issue in the Genics log series! I know this is super late in the month, but I wanted to share some updates on the blog from the past months.
Before diving into the latest news at Genics, I would like to introduce myself. I am Gourav Khunger, the founder of Genics Blog. I am a teenager from India who is passionate about software development and open source.
This log is more inclined towards the core theme infrastructure and how we managed to grow our community to 600+ readers now.
Let’s get started!
Staging ENVs with Vercel
This was a crucial step in forming a better infrastructure for building the theme and its plugins.
From the beginning itself, I planned to create a separate repository for the theme just because it would allow us to use a separate GitHub Pages for staging.genicsblog.com.
This was the GitHub Actions file that deployed the theme to staging url. We made sure to block indexing using the
Disallow: / directive.
But here comes the tricky part - the staging was not relevant until we were able to deploy PRs to preview them. Staging environment for approved and merged PRs didn’t matter as much as environment for previewing the pending PRs.
A huge problem was that we couldn’t use repository secret variables in GitHub Actions if it ran using
pull_request event but those variables are needed to deploy to gh-pages.
For that, we had to use
pull_request_target event trigger which allows PR actions to use the repository secrets to access the staging environment.
But the catch here is, this comes with security vulnerabilities as the PRs are run in the context of the repository base and not the PR base.
This could mean that user can manipulate the workflow file to misuse the repository secrets!
Vulnerability in main repository
The above mentioned issue was actually present in the main repository. I had setup a workflow for PRs using
pull_request_target because I wanted to automerge “correct” changes to drafts by authors.
YES, this was a big mistake but fortunately, no one exploited this vulnerability using which one could clean up the whole repository in minutes (making a delete commit and managing to automerge it using repo secrets).
I did have security measures in place:
An automerge happened only if the PR changes article files that are owned by the specific author. The python script referenced takes in the list of files changed in the PR and goes through them to verify if the PR author is the actual author of the article files.
Now, you could argue that a person could change the script in the PR and this check would easily be bypassed. That is the reason that the workflow uses
wget to download the script from the main branch and then run it. It deletes the scripts in the PR and downloads the correct one before running.
But again, I was still skeptical of the
pull_request_target event trigger. The docs don’t clearly mention it, but I am not sure - If the action runs in context of the PR base, then is it possible that the author change the action script and bypasses the script download and other verification checks?
This is the reason we now moved to Vercel to off-load all these security issues and still be able to deploy staging ENVs!
Sponsorship from Vercel
Vercel is a platform for frontend frameworks and static sites, built to integrate with your headless content, commerce, or database.
This sponsorship now enables us to remove our vulnerable GitHub actions and migrate to Vercel deployments. It was as easy as setting up the installation and build scripts. Vercel automatically deploys all PRs to staging environments!
Now we can easily preview pull requests and test them visually before moving them to production!
We have worked on massive improvements to the theme and its plugins!
Paginating author pages (#7)
This was by far the biggest need for the theme. Author pages like this could get super big without pagination and that affects load times a lot.
This was a big problem for the Jekyll community as well - there was no plugin to handle multiple authors with ease.
This lead me to spend time messing with jekyll-paginate-v2 and understanding how its pagination works. With some days of effort, I came up with jekyll-auto-authors which completely simplifies the process of paginating author pages!
Here’s an in-depth tutorial on using the plugin to paginate author pages.
Shortcut commands (#10)
There are new shortcut commands you can use to perform these actions on the site:
- Opening up search bar:
K. To close it please use the
- Toggling the site theme:
Copy button for code blocks (#1)
Copy buttons on code blocks have been given an overhaul and provide a much nicer user experience.
Please use our Discord server for discussions on articles on the site.
Here are some minor but relevant updates we’ve made to the theme:
- More open-graph meta tags (#39): better for SEO.
- Migration to GA4 (#21).
- Selection color for code blocks (#28).
- Refactoring series pages (#2).
- For authors: tools like frontmatter generator (#93) and thumbnail generator.
- Licensing for the theme and articles (#136).
Here are the stats that changed from the last time:
genicsblog.com(Main repo with posts and data files): 25 stars, 20 forks.
theme-files(Basically template files): 7 stars, 9 fork.
Here are the recent 30-day stats from our Google Analytics:
Join our Discord server to view these public stats every day :)
Almost 40-50% of our monthly traffic is through organic channels!
It’s been an absolute rollercoaster ride for us to get to this point! It was from 100 readers a month in December when I decided to open source the blog and start working on a newer and better version of it. And here we are, scaled to 600+ readers within 3 months!
In the near future, I plan to continue working on the improvements and scale to at least 5k readers per month. Up to that point, we will focus mainly on putting out quality content that people find insightful while focusing on gaining traffic through organic channels mainly.
After the 5k checkpoint, there will be great things to come ;)
Looking forward to your feedback and suggestions!