[U] Upgrade dependencies, harden workflows

Author: Misaka13514

.github/workflows/cloudflare-clean.yml

@@ -8,25 +8,24 @@ on:
 jobs:
   clean:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        project: [one-among-us, our-data]
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-node@v6
         with:
-          node-version: 20
+          node-version: 24
           cache: 'yarn'
-      - run: yarn install
 
-      - name: Clean Cloudflare Deployments (one-among-us)
-        run: yarn cloudflare_clean
-        env:
-          CF_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          CF_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-          CF_PAGES_PROJECT_NAME: one-among-us
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
 
-      - name: Clean Cloudflare Deployments (our-data)
+      - name: Clean Cloudflare Deployments (${{ matrix.project }})
         run: yarn cloudflare_clean
         env:
           CF_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
           CF_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-          CF_PAGES_PROJECT_NAME: our-data
+          CF_PAGES_PROJECT_NAME: ${{ matrix.project }}

.github/workflows/generator.yml

@@ -15,32 +15,25 @@ permissions:
   contents: write
   pages: write
   id-token: write
+  actions: write
 
 jobs:
   build:
     runs-on: ubuntu-latest
-    permissions: write-all
 
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
-        with:
-          node-version: 18
+      - uses: actions/checkout@v6
 
-      - name: Cache node_modules
-        uses: actions/cache@v3
-        id: cache
+      - uses: actions/setup-node@v6
         with:
-          path: node_modules
-          key: ${{ runner.os }}-node-${{ hashFiles('yarn.lock') }}
-          restore-keys: ${{ runner.os }}-node-
+          node-version: 24
+          cache: 'yarn'
 
       - name: Install Dependencies
-        if: steps.cache.outputs.cache-hit != 'true'
-        run: yarn install --production --frozen-lockfile
+        run: yarn install --frozen-lockfile
 
       - name: Build
-        run: yarn build
+        run: yarn run build
 
       - name: Deploy to GitHub branch
         uses: JamesIves/github-pages-deploy-action@v4
@@ -49,26 +42,36 @@ jobs:
           folder: dist
 
       - name: Deploy to Cloudflare Pages
-        uses: cloudflare/pages-action@v1
+        uses: cloudflare/wrangler-action@v3
         with:
           apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-          projectName: our-data
-          directory: dist
+          command: pages deploy dist --project-name=our-data
 
       - name: Check for document changes, ignoring comments
-        uses: dorny/paths-filter@v2
+        uses: dorny/paths-filter@v4
         id: changes
         with:
           filters: |
             src:
               - 'people/**/*[^.json]'
 
+      - name: Generate token for cross-repo dispatch
+        id: generate-token
+        if: steps.changes.outputs.src == 'true'
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          owner: 'one-among-us'
+          repositories: 'web'
+          permission-actions: write
+
       - name: Trigger web repackage
-        uses: actions/github-script@v6
+        uses: actions/github-script@v9
         if: steps.changes.outputs.src == 'true'
         with:
-          github-token: ${{ secrets.GH_PERSONAL_TOKEN }}
+          github-token: ${{ steps.generate-token.outputs.token }}
           script: |
             await github.rest.actions.createWorkflowDispatch({
               owner: 'one-among-us',

.github/workflows/pr-build.yml

@@ -0,0 +1,42 @@
+name: PR Build
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches: [main, develop]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout PR branch
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: 'yarn'
+
+      - name: Build Preview
+        run: |
+          yarn install --frozen-lockfile
+          yarn build-preview
+          rm -rf dist/web.tgz
+
+      - name: Save PR number
+        run: echo ${{ github.event.pull_request.number }} > dist/pr_number.txt
+
+      - name: Upload Artifact
+        uses: actions/upload-artifact@v7
+        with:
+          name: preview-dist
+          path: dist/
+          retention-days: 1

.github/workflows/preview.yml .github/workflows/pr-deploy.yml.github/workflows/preview.yml renamed to .github/workflows/pr-deploy.yml

@@ -1,70 +1,61 @@
-name: PR Preview
+name: PR Deploy Preview
 
 on:
-  pull_request_target:
-    types: [opened, synchronize, reopened]
-    branches: [main, develop]
-  workflow_dispatch:
-    inputs:
-      pr_number:
-        description: 'Pull Request number to deploy preview for'
-        required: true
+  workflow_run:
+    workflows: ["PR Build"]
+    types:
+      - completed
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.workflow_run.head_repository.full_name }}-${{ github.event.workflow_run.head_branch }}
+  cancel-in-progress: true
+
+permissions:
+  pull-requests: write
+  actions: read
 
 jobs:
-  build:
+  deploy:
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: write
-      deployments: write
-      pull-requests: write
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success'
 
     steps:
-      # First, check out the workflow file (from the base) so secrets are available.
-      - name: Checkout base branch
-        uses: actions/checkout@v4
+      - name: Download Artifact
+        uses: actions/download-artifact@v8
+        with:
+          name: preview-dist
+          path: dist/
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
 
-      # Determine PR info based on the event type.
-      - name: Set PR info
+      - name: Read PR Number
         id: pr-info
         run: |
-          if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
-            echo "PR_NUMBER=${{ github.event.inputs.pr_number }}" >> $GITHUB_ENV
-          else
-            echo "PR_NUMBER=${{ github.event.pull_request.number }}" >> $GITHUB_ENV
+          PR_NUMBER=$(cat dist/pr_number.txt | tr -d '\n\r')
+          if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
+            echo "Error: Invalid PR number format: $PR_NUMBER"
+            exit 1
           fi
-
-      # Now check out the PR’s head branch (whether from a PR event or supplied manually)
-      - name: Checkout PR branch
-        uses: actions/checkout@v4
-        with:
-          ref: "refs/pull/${{ env.PR_NUMBER }}/merge"
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-          cache: 'yarn'
-
-      - name: Build
-        run: |
-          yarn install --production --frozen-lockfile
-          yarn build-preview
-          rm -rf dist/web.tgz
+          echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV
+          rm dist/pr_number.txt
 
       - name: Deploy to Cloudflare Pages
         uses: cloudflare/wrangler-action@v3
         with:
           apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-          gitHubToken: ${{ secrets.GITHUB_TOKEN }}
           command: pages deploy dist --project-name=data-preview --branch=pr-${{ env.PR_NUMBER }}
 
       - name: Pull request comment
-        uses: actions/github-script@v6
+        uses: actions/github-script@v9
+        env:
+          PR_NUMBER: ${{ env.PR_NUMBER }}
         with:
           script: |
-            const prNumber = "${{ env.PR_NUMBER }}";
+            const prNumber = parseInt(process.env.PR_NUMBER, 10);
             const now = new Date().toISOString().substring(0, 19).replace('T', ' ');
             const reviewBody = `🐱 感谢贡献！\n\n部署了预览，在这里哦: https://pr-${prNumber}.data-preview.pages.dev\n\n🕒 最后更新: ${now} (UTC)`;
             

package.json

@@ -9,44 +9,40 @@
   "type": "module",
   "private": true,
   "scripts": {
-    "build": "node --loader ts-node/esm/transpile-only scripts/build.ts",
+    "build": "tsx scripts/build.ts",
     "build-preview": "yarn build && scripts/preview.sh",
     "serve": "http-server --cors='*' -c-1 dist",
     "preview": "yarn build-preview && yarn serve",
-    "watch": "node --loader ts-node/esm/transpile-only scripts/watch.ts",
+    "watch": "tsx scripts/watch.ts",
     "dev": "concurrently -n \"watch,serve\" -c \"cyan,green\" \"yarn watch\" \"yarn serve\"",
     "clean": "rm -rf dist/* .build-cache",
-    "translate": "node --loader ts-node/esm/transpile-only scripts/translate.ts",
+    "translate": "tsx scripts/translate.ts",
     "cloudflare_clean": "node scripts/cloudflare_clean.js"
   },
   "dependencies": {
     "@andreekeberg/imagedata": "^1.0.2",
-    "@mdx-js/mdx": "^2.1.5",
+    "@mdx-js/mdx": "^3.1.1",
     "@swc/core": "^1.3.17",
-    "@types/fs-extra": "^11.0.1",
-    "@types/node": "^20",
     "args-parser": "^1.3.0",
     "autocorrect-node": "^2.5.5",
     "blurhash": "^2.0.5",
-    "esbuild": "^0.18.10",
     "fs-extra": "^11.1.0",
     "google-translate-api-x": "^10.7.1",
     "js-yaml": "^4.1.0",
-    "katex": "^0.16.10",
     "lunar-typescript": "^1.8.6",
     "markdown-yaml-metadata-parser": "^3.0.0",
     "moment": "^2.29.4",
-    "rehype-katex": "6",
-    "remark-math": "5",
-    "ts-node": "^10.9.1",
-    "typescript": "^5.1.6"
+    "rehype-katex": "^7.0.1",
+    "remark-math": "^6.0.0"
   },
   "devDependencies": {
-    "@octokit/core": "^4.1.0",
+    "@types/fs-extra": "^11.0.1",
     "@types/js-yaml": "^4.0.5",
+    "@types/node": "^25.6.0",
     "concurrently": "^9.2.1",
     "exponential-backoff": "^3.1.0",
     "http-server": "^14.1.1",
-    "node-fetch": "^2.6.7"
+    "tsx": "^4.21.0",
+    "typescript": "^6.0.3"
   }
 }

scripts/cloudflare_clean.js

@@ -1,4 +1,3 @@
-import fetch from 'node-fetch'
 import { backOff } from 'exponential-backoff'
 
 const CF_API_TOKEN = process.env.CF_API_TOKEN

scripts/watch.ts

@@ -30,8 +30,8 @@ async function build() {
   const startTime = Date.now();
 
   buildProcess = spawn(
-    "node",
-    ["--loader", "ts-node/esm/transpile-only", "scripts/build.ts"],
+    "tsx",
+    ["scripts/build.ts"],
     {
       cwd: projectRoot,
       stdio: "inherit",