Add the clone engine, CLI, tests, CI, and docs

kage renders every page in headless Chrome, snapshots the final
DOM, strips all JavaScript, and localises CSS, images, and fonts
so a site can be browsed offline as a plain folder of files.

The engine is split into small packages:

  urlx      deterministic URL to local-path mapping and scope rules
  sanitize  remove scripts, on* handlers, and javascript: URLs
  asset     rewrite HTML and CSS references, download assets
  browser   headless Chrome pool over the DevTools protocol
  robots    robots.txt matcher
  clone     the orchestrator: a polite resumable breadth-first crawl

The cli package wires a cobra and fang command surface with two
commands, clone and serve. Every pure package has table tests; the
browser and clone packages add Chrome-driven end-to-end tests that
skip when no browser is present or under -short.

CI runs gofmt, vet, build, race tests, golangci-lint, govulncheck,
and a tidy check on Linux and macOS. A goreleaser config fans one
tag out to archives, deb/rpm/apk, a Chromium-bundled GHCR image,
and the package managers. A tago docs site builds to Pages and
Cloudflare.
This commit is contained in:
Duc-Tam Nguyen
2026-06-14 18:22:25 +07:00
parent f7c5a9a1c6
commit e6afa91e09
48 changed files with 4697 additions and 0 deletions
+103
View File
@@ -0,0 +1,103 @@
name: ci
on:
push:
branches: [main]
pull_request:
permissions:
contents: read
# Cancel an in-flight run when a branch is pushed again.
concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: true
jobs:
# Build and test on Linux and macOS with the race detector on. gofmt and vet
# run here too so a formatting slip fails fast on both platforms. The full
# suite includes Chrome-driven end-to-end tests, so the runners install a
# browser first; tests that find none skip themselves, so the job still passes
# if a future runner image drops Chrome.
test:
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v5
- uses: actions/setup-go@v6
with:
go-version-file: go.mod
check-latest: true
cache: true
- name: install chromium (linux)
if: matrix.os == 'ubuntu-latest'
uses: browser-actions/setup-chrome@v1
id: chrome
- name: gofmt
run: |
unformatted=$(gofmt -s -l asset browser cli clone cmd robots sanitize urlx)
if [ -n "$unformatted" ]; then
echo "These files need gofmt -s -w:"
echo "$unformatted"
exit 1
fi
- name: go vet
run: go vet ./...
- name: build
run: go build ./...
- name: test
env:
KAGE_CHROME: ${{ steps.chrome.outputs.chrome-path }}
run: go test -race -count=1 -coverprofile=coverage.out ./...
- name: coverage summary
if: matrix.os == 'ubuntu-latest'
run: go tool cover -func=coverage.out | tail -1
# golangci-lint bundles staticcheck, govet, ineffassign, errcheck, unused and
# more, so it is the main quality gate.
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/setup-go@v6
with:
go-version-file: go.mod
check-latest: true
cache: true
- uses: golangci/golangci-lint-action@v8
with:
version: latest
# Scan the module and its dependencies for known vulnerabilities.
govulncheck:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/setup-go@v6
with:
go-version-file: go.mod
check-latest: true
cache: true
- name: govulncheck
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
# Confirm go.mod and go.sum are tidy: a PR that adds an import without running
# go mod tidy fails here instead of breaking a later release.
tidy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/setup-go@v6
with:
go-version-file: go.mod
check-latest: true
cache: true
- name: go mod tidy is clean
run: |
go mod tidy
git diff --exit-code -- go.mod go.sum
+135
View File
@@ -0,0 +1,135 @@
name: Docs
on:
push:
branches: [main]
paths:
- "docs/**"
- ".github/workflows/docs.yml"
- "scripts/ensure_cloudflare_pages.py"
workflow_dispatch:
permissions:
contents: read
pages: write
id-token: write
deployments: write
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
concurrency:
group: docs-${{ github.ref }}
cancel-in-progress: true
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6.0.2
with:
submodules: true
# Sitemap lastmod comes from the latest content commit.
fetch-depth: 0
- name: Checkout tago
uses: actions/checkout@v6.0.2
with:
repository: tamnd/tago
path: .tago-src
fetch-depth: 1
- name: Setup Go
uses: actions/setup-go@v6.4.0
with:
go-version-file: .tago-src/go.mod
cache: false
- name: Cache tago binary
id: tago-bin-cache
uses: actions/cache@v5.0.5
with:
path: /usr/local/bin/tago
key: tago-bin-${{ runner.os }}-${{ hashFiles('.tago-src/go.sum', '.tago-src/**/*.go') }}
- name: Build tago
if: steps.tago-bin-cache.outputs.cache-hit != 'true'
run: |
cd .tago-src
go build -o /usr/local/bin/tago ./cmd/tago/
# Two builds, one per deploy target. The theme links every page and asset
# with absURL, so each output carries its own base path: the Pages build
# gets the /kage/ sub-path, the Cloudflare build gets the domain root.
- name: Build for GitHub Pages
working-directory: docs
run: tago build --base-url "https://tamnd.github.io/kage/" --output public-pages
# tago absURLs theme links but passes markdown content links through, so
# root-relative links in content need the sub-path prefixed for the Pages
# mirror. The Cloudflare build serves from the root and needs none.
- name: Rewrite content links for the Pages sub-path
run: |
find docs/public-pages -name '*.html' -print0 |
xargs -0 perl -pi -e 's|(href=")/(?!/)|${1}/kage/|g; s|(src=")/(?!/)|${1}/kage/|g'
- name: Upload Pages artifact
uses: actions/upload-pages-artifact@v5.0.0
with:
path: docs/public-pages
- name: Build for Cloudflare Pages
working-directory: docs
run: tago build --base-url "https://kage.tamnd.com/" --output public-cf
- name: Upload Cloudflare artifact
uses: actions/upload-artifact@v7.0.1
with:
name: public-cf
path: docs/public-cf
retention-days: 1
deploy-pages:
runs-on: ubuntu-latest
needs: build
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v5.0.0
deploy-cloudflare:
runs-on: ubuntu-latest
needs: build
concurrency:
group: cloudflare-pages-kage
cancel-in-progress: true
steps:
- uses: actions/checkout@v6.0.2
with:
fetch-depth: 1
sparse-checkout: scripts/
- name: Download Cloudflare artifact
uses: actions/download-artifact@v8.0.1
with:
name: public-cf
path: public-cf
- name: Ensure Cloudflare Pages config
env:
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
run: python3 scripts/ensure_cloudflare_pages.py --project kage --domain kage.tamnd.com --zone tamnd.com
- name: Deploy to Cloudflare Pages
env:
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
run: |
npx -y wrangler@4 pages deploy public-cf \
--project-name=kage \
--branch=main \
--commit-dirty=true
+87
View File
@@ -0,0 +1,87 @@
name: release
# Pushing a version tag turns the GoReleaser config (.goreleaser.yaml) into a
# GitHub release with the archives, Linux packages (deb, rpm, apk), checksums,
# SBOMs and a cosign signature, and pushes the multi-arch container image to
# GHCR. Pull requests and pushes to main run `goreleaser check` only, so a
# config that would fail a real release is caught long before the tag.
on:
push:
branches: [main]
tags: ["v*"]
pull_request:
workflow_dispatch:
permissions:
contents: read
concurrency:
group: release-${{ github.ref }}
cancel-in-progress: true
jobs:
# Fast gate on every PR and push: the config parses and is valid for the
# installed GoReleaser version. No artifacts are built here.
check:
if: github.ref_type != 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
with:
fetch-depth: 0
- uses: actions/setup-go@v6
with:
go-version-file: go.mod
check-latest: true
cache: true
- uses: goreleaser/goreleaser-action@v6
with:
distribution: goreleaser
version: "~> v2"
args: check
# The real release, only on a version tag.
release:
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
permissions:
contents: write # create the GitHub release
packages: write # push the image to ghcr.io
id-token: write # keyless cosign signing
steps:
- uses: actions/checkout@v5
with:
fetch-depth: 0
- uses: actions/setup-go@v6
with:
go-version-file: go.mod
check-latest: true
cache: true
# Build and ship the linux/arm64 image from the amd64 runner.
- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3
- uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Tools GoReleaser shells out to for signing and SBOMs.
- uses: sigstore/cosign-installer@v3
- uses: anchore/sbom-action/download-syft@v0
- uses: goreleaser/goreleaser-action@v6
with:
distribution: goreleaser
version: "~> v2"
args: release --clean
env:
# Creating the release and pushing the GHCR image use the built-in
# token. The package-manager publish steps each read their own secret;
# any that is unset leaves that manager skipped (the artifact is still
# produced), so the release never fails for a tap that is not set up.
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
SCOOP_BUCKET_GITHUB_TOKEN: ${{ secrets.SCOOP_BUCKET_GITHUB_TOKEN }}