Gourav Khunger
Gourav Khunger

Gourav Khunger

Genics Log #2: Sponsorship from Vercel, Theme updates, Organic Growth and more

Genics Log #2: Sponsorship from Vercel, Theme updates, Organic Growth and more

Gourav Khunger
·Jun 20, 2022·

6 min read

Subscribe to my newsletter and never miss my upcoming articles

Play this article

Welcome to the second issue in the Genics log series! I know this is super late in the month, but I wanted to share some updates on the blog from the past months.

Listen to this article at Genics Blog

Before diving into the latest news at Genics, I would like to introduce myself. I am Gourav Khunger, the founder of Genics Blog. I am a teenager from India who is passionate about software development and open source.

In the last article in this series, we talked about how we went open source and how we managed to grow from 200 visitors/month to 500+ visitors/month, along with sponsorship from BeyondWords.

This log is more inclined towards the core theme infrastructure and how we managed to grow our community to 600+ readers now.

Let's get started!

Staging ENVs with Vercel

This was a crucial step in forming a better infrastructure for building the theme and its plugins.

Previous setup

From the beginning itself, I planned to create a separate repository for the theme just because it would allow us to use a separate GitHub Pages for staging.genicsblog.com.

This was the GitHub Actions file that deployed the theme to staging url. We made sure to block indexing using the robots.txt file's Disallow: / directive.

But here comes the tricky part - the staging was not relevant until we were able to deploy PRs to preview them. Staging environment for approved and merged PRs didn't matter as much as environment for previewing the pending PRs.

A huge problem was that we couldn't use repository secret variables in GitHub Actions if it ran using pull_request event but those variables are needed to deploy to gh-pages.

For that, we had to use pull_request_target event trigger which allows PR actions to use the repository secrets to access the staging environment.

But the catch here is, this comes with security vulnerabilities as the PRs are run in the context of the repository base and not the PR base.

This could mean that user can manipulate the workflow file to misuse the repository secrets!

Vulnerability in main repository

The above mentioned issue was actually present in the main repository. I had setup a workflow for PRs using pull_request_target because I wanted to automerge "correct" changes to drafts by authors.

YES, this was a big mistake but fortunately, no one exploited this vulnerability using which one could clean up the whole repository in minutes (making a delete commit and managing to automerge it using repo secrets).

I did have security measures in place:

An automerge happened only if the PR changes article files that are owned by the specific author. The python script referenced takes in the list of files changed in the PR and goes through them to verify if the PR author is the actual author of the article files.

Now, you could argue that a person could change the script in the PR and this check would easily be bypassed. That is the reason that the workflow uses wget to download the script from the main branch and then run it. It deletes the scripts in the PR and downloads the correct one before running.

But again, I was still skeptical of the pull_request_target event trigger. The docs don't clearly mention it, but I am not sure - If the action runs in context of the PR base, then is it possible that the author change the action script and bypasses the script download and other verification checks?

This is the reason we now moved to Vercel to off-load all these security issues and still be able to deploy staging ENVs!

Sponsorship from Vercel

Vercel{:rel="dofollow"} was generous enough to sponsor our GitHub organization to be able to deploy organization repositories for free!

Vercel is a platform for frontend frameworks and static sites, built to integrate with your headless content, commerce, or database.

This sponsorship now enables us to remove our vulnerable GitHub actions and migrate to Vercel deployments. It was as easy as setting up the installation and build scripts. Vercel automatically deploys all PRs to staging environments!

Now we can easily preview pull requests and test them visually before moving them to production!

Theme updates

We have worked on massive improvements to the theme and its plugins!

Paginating author pages (#7)

This was by far the biggest need for the theme. Author pages like this could get super big without pagination and that affects load times a lot.

This was a big problem for the Jekyll community as well - there was no plugin to handle multiple authors with ease.

This lead me to spend time messing with jekyll-paginate-v2 and understanding how its pagination works. With some days of effort, I came up with jekyll-auto-authors which completely simplifies the process of paginating author pages!

Here's an in-depth tutorial on using the plugin to paginate author pages.

Shortcut commands (#10)

There are new shortcut commands you can use to perform these actions on the site:

  • Opening up search bar: command + K or Ctrl + K. To close it please use the Esc key.
  • Toggling the site theme: command + shift + L or Ctrl + Shift + L.

Copy button for code blocks (#1)

Copy buttons on code blocks have been given an overhaul and provide a much nicer user experience.

Spam comments

In light of recent spam abuse of our commenting system, we have removed the comment system for now. We might use giscus in future but there's no plans for it right now.

Please use our Discord server for discussions on articles on the site.

Other updates

Here are some minor but relevant updates we've made to the theme:

Stats

Open Source

Here are the stats that changed from the last time:

  • genicsblog.com (Main repo with posts and data files): 25 stars, 20 forks.
  • theme-files (Basically template files): 7 stars, 9 fork.

Google Analytics

Here are the recent 30-day stats from our Google Analytics:

Genics blog's past 30 days Google Analytics Stats

Join our Discord server to view these public stats every day :)

Organic Stats

Almost 40-50% of our monthly traffic is through organic channels!

Genics blog's past 3 month Google Search Console Stats

Final Words

It's been an absolute rollercoaster ride for us to get to this point! It was from 100 readers a month in December when I decided to open source the blog and start working on a newer and better version of it. And here we are, scaled to 600+ readers within 3 months!

In the near future, I plan to continue working on the improvements and scale to at least 5k readers per month. Up to that point, we will focus mainly on putting out quality content that people find insightful while focusing on gaining traffic through organic channels mainly.

After the 5k checkpoint, there will be great things to come ;)

Looking forward to your feedback and suggestions!

Did you find this article valuable?

Support Gourav Khunger by becoming a sponsor. Any amount is appreciated!

See recent sponsors Learn more about Hashnode Sponsors
 
Share this