From 2f7f991bc630dc4419e3ccb53d1c733f90ba086c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Lohrer?= <info.empeiria@gmail.com>
Date: Sat, 18 Apr 2026 06:52:08 +0200
Subject: [PATCH] =?UTF-8?q?publish(task=2022):=20github-actions-workflow?=
 =?UTF-8?q?=20f=C3=BCr=20auto-publish?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

.github/workflows/publish.yml triggert bei:
  - push auf main mit änderungen in content/posts/**
  - manuellem workflow_dispatch (optional mit force_all=true)

ablauf:
  1. deno 2.x setup
  2. pre-flight check (bunker, kind:10002, kind:10063)
  3. publish (diff-modus per default, force-all bei manuellem trigger)
  4. log-artefakt (publish-*.json, 30 tage retention)

benötigt 4 repo-secrets im github-ui:
  - BUNKER_URL
  - AUTHOR_PUBKEY_HEX
  - BOOTSTRAP_RELAY
  - CLIENT_SECRET_HEX (stabile client-identität für amber-permissions)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .github/workflows/publish.yml | 57 +++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 .github/workflows/publish.yml

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..839155e
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,57 @@
+name: Publish Nostr Events
+
+on:
+  push:
+    branches: [main]
+    paths: ['content/posts/**']
+  workflow_dispatch:
+    inputs:
+      force_all:
+        description: 'Publish all posts (--force-all)'
+        type: boolean
+        default: false
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: denoland/setup-deno@v2
+        with:
+          deno-version: v2.x
+
+      - name: Pre-Flight Check
+        working-directory: ./publish
+        env:
+          BUNKER_URL: ${{ secrets.BUNKER_URL }}
+          AUTHOR_PUBKEY_HEX: ${{ secrets.AUTHOR_PUBKEY_HEX }}
+          BOOTSTRAP_RELAY: ${{ secrets.BOOTSTRAP_RELAY }}
+          CLIENT_SECRET_HEX: ${{ secrets.CLIENT_SECRET_HEX }}
+        run: |
+          deno run --allow-env --allow-read --allow-net src/cli.ts check
+
+      - name: Publish
+        working-directory: ./publish
+        env:
+          BUNKER_URL: ${{ secrets.BUNKER_URL }}
+          AUTHOR_PUBKEY_HEX: ${{ secrets.AUTHOR_PUBKEY_HEX }}
+          BOOTSTRAP_RELAY: ${{ secrets.BOOTSTRAP_RELAY }}
+          CLIENT_SECRET_HEX: ${{ secrets.CLIENT_SECRET_HEX }}
+          GITHUB_EVENT_BEFORE: ${{ github.event.before }}
+        run: |
+          if [ "${{ github.event.inputs.force_all }}" = "true" ]; then
+            deno run --allow-env --allow-read --allow-write=./logs --allow-net --allow-run=git src/cli.ts publish --force-all
+          else
+            deno run --allow-env --allow-read --allow-write=./logs --allow-net --allow-run=git src/cli.ts publish
+          fi
+
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: publish-log
+          path: ./publish/logs/publish-*.json
+          retention-days: 30