fix: post-v0.2.0 review P1s + CI hygiene (v0.2.1)

Security:
- render-link: drop `| safeHTML` on .Text (self-XSS surface w/ Goldmark unsafe:true)
- projects.html: safeURL + noreferrer + target=_blank on repo/demo
- comments: require repo+repoId+categoryId in gate (prevent broken Giscus iframe)
- htmltest-action: pin to commit SHA 31be84a (supply-chain)

Fixed:
- seo.html: nil-safe \$authorURL chain (no nil.url template error)
- nav.html: relURL on Menu.URL (sub-path deploy correctness)
- pages.yml: drop dead if-find Pagefind guard

.github/workflows/pages.yml

@@ -45,12 +45,7 @@ jobs:
         run: hugo --gc --minify --baseURL "https://tiennm99.github.io/tsuki/"
 
       - name: Build Pagefind index
-        run: |
-          if find exampleSite/public -name "*.html" -type f | head -1 | grep -q .; then
-            npx pagefind --site exampleSite/public
-          else
-            echo "No HTML files found yet (layouts not implemented). Skipping Pagefind."
-          fi
+        run: npx pagefind --site exampleSite/public
 
       - name: Assert CSS bundle budget (≤ 4200 B gz)
         run: |
@@ -70,8 +65,8 @@ jobs:
         run: ./scripts/smoke-tests.sh exampleSite/public
 
       - name: htmltest (broken internal links + HTML5 validation)
-        # TODO before v0.2.0 tag: pin @master to a commit SHA (supply-chain hygiene).
-        uses: wjdp/htmltest-action@master
+        # Pinned to master SHA (2026-05-10) for supply-chain hygiene. Refresh periodically.
+        uses: wjdp/htmltest-action@31be84a95c860a331e0cf9a99f71e3eb39d2f86b
         with:
           config: .htmltest.yml
 

CHANGELOG.md

@@ -4,6 +4,27 @@ All notable changes to tsuki will be documented here. Format follows [Keep a Cha
 
 ## [Unreleased]
 
+## [0.2.1] — 2026-05-10
+
+Patch release. Closes 5 P1 correctness/security findings from the post-v0.2.0 review plus 2 CI hygiene items. No new features.
+
+### Security
+
+- **Render-link no longer trusts inline HTML in link text** — `layouts/_markup/render-link.html` dropped `| safeHTML` on `.Text`. With Goldmark `unsafe: true`, the prior pipeline allowed `[<img onerror=...>](url)` inner-text to execute. Side effect: italic/emphasis-in-link (`[*x*](url)`) now renders as plain text rather than `<em>`. Restore by overriding the render hook if needed. Self-XSS in single-author themes; consistency fix vs `render-image.html`.
+- **Project links sanitize URL + add `noreferrer`** — `layouts/_partials/home/projects.html` pipes `repo`/`demo` URLs through `safeURL` and emits `rel="noopener noreferrer" target="_blank"`. Closes inconsistency with the `render-link` policy and prevents referer leakage to project destinations.
+- **Comments gate tightened** — `layouts/_partials/comments.html` now requires `repo`, `repoId`, AND `categoryId` in addition to `enable`. Prevents broken Giscus iframes when partially configured.
+- **htmltest GitHub Action pinned to commit SHA** — `.github/workflows/pages.yml` no longer tracks `wjdp/htmltest-action@master`; pinned to `31be84a` for supply-chain hygiene.
+
+### Fixed
+
+- **`seo.html` `$authorURL` chain hardened** — refactored fragile `site.Params.profile.url | default ...` chain into nil-safe `with` blocks. Site builds no longer risk `nil.url` template error when consumers follow the documented `data/profile.yaml`-only configuration.
+- **Header navigation respects sub-path deploys** — `layouts/_partials/nav.html` pipes `Menu.URL` through `relURL`. Sites deploying under a sub-path (e.g., GitHub Pages `/repo/`) with `url:`-form menu entries now route correctly.
+- **CI Pagefind step simplified** — `.github/workflows/pages.yml` dropped the dead `if find ... | head -1 | grep -q .` guard. Layouts exist; the else branch never triggered.
+
+## [0.2.0] — 2026-05-09
+
+SEO baseline, accessibility polish, author UX, discovery, distribution prep, CI hardening. See [v0.2.0 tag](https://github.com/tiennm99/tsuki/releases/tag/v0.2.0) for highlights.
+
 ### Changed
 
 - **TOC gate consolidated** to `_partials/toc-enabled.html` — single source for the `params.toc.{enable,minWordCount}` + per-page `toc: false` predicate, called from `single.html` (TOC partial) and `_partials/footer.html` (toc-active.js loader). Was duplicated 6-line logic in two sites; now one partial. No behavior change.

layouts/_markup/render-link.html

@@ -7,5 +7,5 @@
 <a href="{{ .Destination | safeURL }}"
   {{- with .Title }} title="{{ . }}"{{ end -}}
   {{- if $external }} rel="noopener noreferrer"{{ end -}}
->{{ .Text | safeHTML }}</a>
+>{{ .Text }}</a>
 {{- /**/ -}}

layouts/_partials/comments.html

@@ -1,5 +1,5 @@
 {{- $g := site.Params.comments.giscus -}}
-{{- if and $g $g.enable -}}
+{{- if and $g $g.enable $g.repo $g.repoId $g.categoryId -}}
 {{- if ne .Params.comments false -}}
 <section class="comments" aria-labelledby="comments-heading">
   <h2 id="comments-heading" class="comments-heading">{{ i18n "comments" | default "Bình luận" }}</h2>

layouts/_partials/head/seo.html

@@ -61,7 +61,10 @@
 {{- /* JSON-LD Article — only on single posts (IsPage + Kind page). */ -}}
 {{- if and .IsPage (eq .Kind "page") -}}
 {{- $authorName := site.Params.author | default (and site.Data.profile site.Data.profile.name) | default site.Title -}}
-{{- $authorURL := site.Params.profile.url | default (and site.Data.profile site.Data.profile.url) | default site.Home.Permalink -}}
+{{- $authorURL := "" -}}
+{{- with site.Params.profile -}}{{- $authorURL = .url -}}{{- end -}}
+{{- if not $authorURL -}}{{- with site.Data.profile -}}{{- $authorURL = .url -}}{{- end -}}{{- end -}}
+{{- if not $authorURL -}}{{- $authorURL = site.Home.Permalink -}}{{- end -}}
 {{- $keywords := slice -}}
 {{- range .GetTerms "tags" -}}{{- $keywords = $keywords | append .LinkTitle -}}{{- end -}}
 {{- $publisher := dict "@type" "Organization" "name" site.Title -}}

layouts/_partials/home/projects.html

@@ -27,10 +27,10 @@
 
       <ul class="project-card-links">
         {{- with $project.repo }}
-        <li><a href="{{ . }}" rel="noopener">repo →</a></li>
+        <li><a href="{{ . | safeURL }}" rel="noopener noreferrer" target="_blank">repo →</a></li>
         {{- end }}
         {{- with $project.demo }}
-        <li><a href="{{ . }}" rel="noopener">demo →</a></li>
+        <li><a href="{{ . | safeURL }}" rel="noopener noreferrer" target="_blank">demo →</a></li>
         {{- end }}
       </ul>
     </li>

layouts/_partials/nav.html

@@ -3,7 +3,7 @@
   {{- range site.Menus.main }}
     {{- $current := or ($.IsMenuCurrent "main" .) ($.HasMenuCurrent "main" .) }}
     <li>
-      <a href="{{ .URL }}"{{ if $current }} aria-current="page"{{ end }}>{{ .Name }}</a>
+      <a href="{{ .URL | relURL }}"{{ if $current }} aria-current="page"{{ end }}>{{ .Name }}</a>
     </li>
   {{- end }}
   </ul>