From f3c9c69090ebdb5a9008114189025762146232fb Mon Sep 17 00:00:00 2001
From: systemreliability <51009183+systemreliability@users.noreply.github.com>
Date: Sat, 2 May 2026 22:48:37 +0200
Subject: [PATCH 1/4] harden deploy workflow permissions
---
.github/workflows/deploy.yml | 66 ++++++++++++++++++++++++------------
1 file changed, 45 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 5fb7e8ae..7638a9ba 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -62,44 +62,68 @@ on: workflow_dispatch: permissions: - contents: write + contents: read jobs: - deploy: - # available images: https://github.com/actions/runner-images#available-images + build: + if: github.event_name == 'pull_request' runs-on: ubuntu-latest steps: - - name: Checkout ๐Ÿ›Ž๏ธ - uses: actions/checkout@v4 - - name: Setup Ruby ๐Ÿ’Ž - uses: ruby/setup-ruby@v1 + - name: Checkout + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 + - name: Setup Ruby + uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f with: ruby-version: "3.3.5" bundler-cache: true - - name: Setup Python ๐Ÿ - uses: actions/setup-python@v5 + - name: Setup Python + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 with: python-version: "3.13" - cache: "pip" # caching pip dependencies - - name: Update _config.yml โš™๏ธ - uses: fjogeleit/yaml-update-action@main + cache: "pip" + - name: Install and Build + run: | + sudo apt-get update && sudo apt-get install -y imagemagick + pip3 install --upgrade nbconvert + export JEKYLL_ENV=production + bundle exec jekyll build + - name: Purge unused CSS + run: | + npm install -g purgecss + purgecss -c purgecss.config.js + + deploy: + if: github.event_name != 'pull_request' + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - name: Checkout + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 + - name: Setup Ruby + uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f with: - commitChange: false - valueFile: "_config.yml" - propertyPath: "giscus.repo" - value: ${{ github.repository }} - - name: Install and Build ๐Ÿ”ง + ruby-version: "3.3.5" + bundler-cache: true + - name: Setup Python + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 + with: + python-version: "3.13" + cache: "pip" + - name: Set giscus repo + run: | + ruby -ryaml -e 'path = "_config.yml"; config = YAML.load_file(path); config["giscus"] ||= {}; config["giscus"]["repo"] = 
ENV.fetch("GITHUB_REPOSITORY"); File.write(path, config.to_yaml)' + - name: Install and Build run: | sudo apt-get update && sudo apt-get install -y imagemagick pip3 install --upgrade nbconvert export JEKYLL_ENV=production bundle exec jekyll build - - name: Purge unused CSS ๐Ÿงน + - name: Purge unused CSS run: | npm install -g purgecss purgecss -c purgecss.config.js - - name: Deploy ๐Ÿš€ - if: github.event_name != 'pull_request' - uses: JamesIves/github-pages-deploy-action@v4 + - name: Deploy + uses: JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f with: folder: _site From 8edad552e2cb8769e6dc858e5d05db8576021b75 Mon Sep 17 00:00:00 2001 From: systemreliability <51009183+systemreliability@users.noreply.github.com> Date: Sat, 2 May 2026 22:49:07 +0200 Subject: [PATCH 2/4] escape distill front matter json --- _layouts/distill.liquid | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/_layouts/distill.liquid b/_layouts/distill.liquid index 163ca3dd..5c8c9621 100644 --- a/_layouts/distill.liquid +++ b/_layouts/distill.liquid @@ -17,18 +17,18 @@ From 6d7d01127c58ecfdbc7049cdfcf5d4d0879daa71 Mon Sep 17 00:00:00 2001 From: systemreliability <51009183+systemreliability@users.noreply.github.com> Date: Sat, 2 May 2026 22:49:55 +0200 Subject: [PATCH 4/4] load plumx popup over https --- _pages/publications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_pages/publications.md b/_pages/publications.md index 1a412469..edef74c0 100644 --- a/_pages/publications.md +++ b/_pages/publications.md @@ -7,7 +7,7 @@ nav: true nav_order: 2 --- - +
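Review bot: The new `deploy` job still runs `pip3 install --upgrade nbconvert`, `npm install -g purgecss` and the Jekyll build under `contents: write`, so unpinned install scripts and build plugins execute in the one job that holds a write-scoped token. `actions/checkout` persists that token in the local git config by default, so adding `with:` / `persist-credentials: false` to the deploy job's checkout step and pinning the npm package (`npm install -g purgecss@<PINNED_VERSION>`) would narrow what those steps can reach. The deploy action takes its own token input and should not need the persisted credential, but confirm that in a test run. The commit-SHA pins on the `uses:` lines would also be easier to audit and update with a trailing comment naming the release each one corresponds to, e.g. `# <TAG>`.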