Repo hygiene + cookie hardening + initial test suite #1
Merged
- pyproject.toml makes the project pip-installable with a substack-link-checker console entry point
- GitHub Actions CI workflow (ruff lint, multi-version Python smoke tests, build artifact)
- SECURITY.md with vulnerability reporting and session-cookie guidance
- CONTRIBUTING.md, CODE_OF_CONDUCT.md, CHANGELOG.md
- Issue and PR templates under .github/
- Dependabot for pip and github-actions
- .env.example documenting supported env vars
- Fix incorrect clone URL in README, add CI badge

- pyproject.toml: 0.1.0 -> 1.0.0 to match the existing git tag and GitHub Release
- CHANGELOG.md: replace fabricated 0.1.0 entry with a real 1.0.0 - 2026-01-01 section sourced from the v1.0.0 release notes; keep Unreleased section for the audit-branch additions
- SECURITY.md: clarify the private-advisory link may 404 if the setting is not enabled, and reinforce no-exploit-details rule

Cookie handling (B2):
- main() now reads SUBSTACK_COOKIE env var; --cookie still wins if both
  are set so users can override ad-hoc. This is the path README and
  .env.example were already promising.
- --cookie help text now warns about shell-history / ps aux exposure
  and points at the env var.
- README: env var is documented as the recommended path; --cookie is
  shown as the fallback.
- SECURITY.md: explicit guidance on env-var-vs-CLI; documents that the
  cookie is .substack.com-scoped on the requests session and that the
  outbound aiohttp link-check session is cookie-less.

Tests (B1):
- New tests/ suite with 29 tests covering:
  - should_skip_domain / is_broken_domain (exact, subdomain, lookalike,
    case-insensitive, malformed URL)
  - load_domains_from_file (comments, blanks, whitespace, missing file)
  - generate_report (empty results skip file; CSV header + rows; comma
    escaping in titles)
  - load/save history round-trip + corrupt-JSON recovery +
    filter_unchecked_posts
  - cookie handling: scoped to substack.com, not leaked via _log,
    history file, or repr; env-var fallback and CLI override
- pytest now runs without continue-on-error in CI.
- Also: ruff format auto-applied across the repo (cosmetic only), so
  CI's `ruff format --check .` passes.
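
The cookie guarantees listed in the commit message above (env-var fallback with `--cookie` override, `.substack.com` scoping, no leak via repr), as an added example that is not the project's own code. It uses the standard library's `http.cookiejar` in place of the project's requests session so it runs offline; `Secret`, `resolve_cookie`, `scoped_jar`, `cookie_header_for`, the cookie name `sid` and all hostnames are hypothetical.

```python
import argparse
import http.cookiejar
import urllib.request


class Secret:
    """Hypothetical wrapper: repr()/str() never expose the cookie value."""

    def __init__(self, value):
        self._value = value

    def reveal(self):
        return self._value

    def __repr__(self):
        return "Secret(****)"

    __str__ = __repr__


def resolve_cookie(argv, environ):
    """--cookie wins over SUBSTACK_COOKIE; None when neither is set."""
    parser = argparse.ArgumentParser()
    parser.add_argument("--cookie", default=None)
    args, _ = parser.parse_known_args(argv)
    raw = args.cookie if args.cookie is not None else environ.get("SUBSTACK_COOKIE")
    return Secret(raw) if raw else None


def scoped_jar(secret, name="sid"):  # "sid" is a constructed cookie name
    """Jar holding one HTTPS-only cookie restricted to .substack.com."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(http.cookiejar.Cookie(
        version=0, name=name, value=secret.reveal(), port=None,
        port_specified=False, domain=".substack.com", domain_specified=True,
        domain_initial_dot=True, path="/", path_specified=True, secure=True,
        expires=None, discard=True, comment=None, comment_url=None, rest={},
    ))
    return jar


def cookie_header_for(jar, url):
    """Cookie header the jar would attach to a request for url, or None."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")
```

Passing the argument list and environment mapping in explicitly keeps the precedence rule testable without touching the real shell environment.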
jcddc83 pushed a commit that referenced this pull request May 19, 2026
The CI test job has been running `python substack_link_checker.py --help` as a post-install smoke test since PR #1. B3 (PR #3) deleted that file when refactoring the codebase into the src-layout package, but didn't update this step. CI has been failing on every PR since B3 merged.

Replace with two invocations against the installed console script:
- `substack-link-checker --help` (top-level dispatcher)
- `substack-link-checker check --help` (check subcommand)

This is also why the actions/checkout Dependabot PR (#7) was reported as failing — same root cause, not the action bump itself.
jcddc83 added a commit that referenced this pull request May 19, 2026
)

* Prepare v1.1.0: bump version + fix stale troubleshooting invocations

  Version bump:
  - pyproject.toml: 1.0.0 -> 1.1.0
  - src/substack_link_checker/__init__.py: __version__ -> 1.1.0
  - CHANGELOG.md: rename [Unreleased] -> [1.1.0] - 2026-05-19, add a fresh empty [Unreleased] section above it

  Troubleshooting fix:
  - README.md Troubleshooting section's code blocks still used the pre-refactor `python substack_link_checker.py ...` / `python fetch_archive_urls.py ...` form because PR #4 was based on the audit branch before B3's CLI rewrite landed. Updated to the current `substack-link-checker check ...` and `substack-link-checker fetch-archive ...` invocations so a reader following the troubleshooting steps doesn't hit "command not found" on the main entry point.

  Once this lands, push tag v1.1.0 to trigger the release workflow (which builds the wheel/sdist and attaches them to the GitHub Release).

* Fix CI smoke test (root-level substack_link_checker.py is gone)

  The CI test job has been running `python substack_link_checker.py --help` as a post-install smoke test since PR #1. B3 (PR #3) deleted that file when refactoring the codebase into the src-layout package, but didn't update this step. CI has been failing on every PR since B3 merged.

  Replace with two invocations against the installed console script:
  - `substack-link-checker --help` (top-level dispatcher)
  - `substack-link-checker check --help` (check subcommand)

  This is also why the actions/checkout Dependabot PR (#7) was reported as failing — same root cause, not the action bump itself.

---------

Co-authored-by: Claude <noreply@anthropic.com>
Summary
Post-v1.0.0 audit pass. Three logical chunks, each in its own commit:
- (f9076bb) — `pyproject.toml` (pip-installable, `substack-link-checker` console entry point), GitHub Actions CI (ruff lint + Py 3.8/3.10/3.12 smoke test + build), `SECURITY.md`, `CONTRIBUTING.md`, `CODE_OF_CONDUCT.md`, `CHANGELOG.md`, issue/PR templates, Dependabot, `.env.example`, README fixes (wrong clone URL, CI badge, pip-install path).
- (cc60b3c) — pyproject `0.1.0` → `1.0.0` to match the existing `v1.0.0` git tag and Release; CHANGELOG rewritten to reference the real v1.0.0 release notes; SECURITY.md softens the private-advisory link in case that GitHub setting isn't enabled.
- (2ff2899):
  - `SUBSTACK_COOKIE` env var now supported (was promised in `.env.example` but unimplemented).
  - `--cookie` still wins if both are set, so you can override ad-hoc.
  - `--cookie` help text + README + SECURITY.md updated to recommend the env var (CLI args leak into shell history and `ps aux`).
  - `tests/` covering domain filtering, CSV report writing, history persistence, and cookie-handling guarantees (the cookie tests pin SECURITY.md's no-leak promises as executable contracts).
  - `pytest` step no longer runs with `continue-on-error: true`.
  - `ruff format` auto-applied across the repo so the format check passes.

What's NOT in this PR
- main, setting the About → Website URL.
- `src/` (B3), CodeQL + pre-commit (B7), type hints + mypy (B8), README screenshot + 403/expired-cookie troubleshooting (B9), optional HTML report mode (B10).

Test plan
- `pip install -e .` then `substack-link-checker --help` works locally
- `SUBSTACK_COOKIE=abc python substack_link_checker.py --base-url ... --year 2024 --limit 1` uses the env var (verified by unit test, worth a manual smoke against a real Substack)
- `v1.1.0` tag/release (once B6 release automation lands, this becomes one-step)

Generated by Claude Code