From e338a06c06fa92e3b6c051fd894a70ebe5f7ece9 Mon Sep 17 00:00:00 2001 From: Vijit Singh Date: Thu, 18 Jun 2026 02:14:57 -0500 Subject: [PATCH] ci: single-source the Hugo version via .hugoversion + auto-bump (closes #15) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit HUGO_VERSION was hardcoded independently in ci.yml and deploy.yml, so the two could silently drift — CI validating with a different Hugo than production deploys. - .hugoversion: the single source of truth (just the version string). - ci.yml + deploy.yml: read it in-step (`HUGO_VERSION="$(cat .hugoversion)"`) instead of a literal env, so drift is impossible by construction. deploy.yml's build job is reordered to checkout before installing Hugo (the file must exist first). Reading locally in the run block (not via $GITHUB_ENV) keeps it clear of the github-env injection class. - hugo-bump.yml: weekly scheduled job (+ workflow_dispatch) that checks for a newer Hugo release and opens a PR editing .hugoversion (Dependabot can't track a wget'd .deb). Manual bump is just editing the file. - README: document .hugoversion as the single source. Verified locally: prettier/markdownlint clean, zizmor clean (incl. the new workflow), version read resolves to 0.162.1. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/ci.yml | 2 +- .github/workflows/deploy.yml | 13 ++++--- .github/workflows/hugo-bump.yml | 62 +++++++++++++++++++++++++++++++++ .hugoversion | 1 + README.md | 6 ++++ 5 files changed, 76 insertions(+), 8 deletions(-) create mode 100644 .github/workflows/hugo-bump.yml create mode 100644 .hugoversion diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7e96840..d84f8e8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,7 +21,6 @@ jobs: build-and-check: runs-on: ubuntu-latest env: - HUGO_VERSION: "0.162.1" HTMLTEST_VERSION: "0.17.0" steps: - name: Checkout 
@@ -32,6 +31,7 @@ jobs: - name: Install Hugo (extended) run: | + HUGO_VERSION="$(cat .hugoversion)" # single source of truth (see also deploy.yml) wget -O "${{ runner.temp }}/hugo.deb" \ "https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb" sudo dpkg -i "${{ runner.temp }}/hugo.deb" diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 8e736b8..468ff12 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -26,14 +26,7 @@ defaults: jobs: build: runs-on: ubuntu-latest - env: - HUGO_VERSION: 0.162.1 steps: - - name: Install Hugo CLI - run: | - wget -O ${{ runner.temp }}/hugo.deb \ - https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \ - && sudo dpkg -i ${{ runner.temp }}/hugo.deb - name: Checkout uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: @@ -45,6 +38,12 @@ jobs: uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0 with: enablement: true + - name: Install Hugo (extended) + run: | + HUGO_VERSION="$(cat .hugoversion)" # single source of truth (see also ci.yml) + wget -O "${{ runner.temp }}/hugo.deb" \ + "https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb" + sudo dpkg -i "${{ runner.temp }}/hugo.deb" - name: Refresh release versions (best-effort) env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/hugo-bump.yml b/.github/workflows/hugo-bump.yml new file mode 100644 index 0000000..9f05f3e --- /dev/null +++ b/.github/workflows/hugo-bump.yml 
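Review bot: The value read by `HUGO_VERSION="$(cat .hugoversion)"` goes straight into the download URL, and the downloaded package is installed with `sudo dpkg -i`, with no format check on the version and no integrity check on the .deb. The same step is added to deploy.yml in the `@@ -45,6 +38,12 @@` hunk. Since the file is now written by an automated job and can be edited in any PR, I would reject anything that is not a plain version before the wget, e.g. `[[ "$HUGO_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "bad .hugoversion" >&2; exit 1; }`. I would also commit the expected SHA-256 of the .deb next to the version and run `sha256sum -c` before dpkg, so that a bump PR shows the digest change for review. A checksum fetched from the same release at build time would only catch corruption, not a replaced asset.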
@@ -0,0 +1,62 @@ +name: Bump Hugo + +# Dependabot can't track the wget-installed Hugo .deb, so this scheduled job checks for a newer +# Hugo release and opens a PR updating .hugoversion — the single source of truth read by both +# ci.yml and deploy.yml. Manual bump: just edit .hugoversion. +# +# Note: PRs opened with the built-in GITHUB_TOKEN don't themselves trigger CI (a GitHub +# limitation), so re-run / push to the bump PR to exercise the strict build before merging. + +on: + schedule: + - cron: "0 8 * * 1" # Mondays 08:00 UTC + workflow_dispatch: + +permissions: + contents: read + +jobs: + bump: + runs-on: ubuntu-latest + permissions: + contents: write # commit the bump on a branch + pull-requests: write # open the PR + steps: + - name: Checkout + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false # zizmor: artipacked + - name: Check for a newer Hugo release + id: check + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -euo pipefail + current="$(cat .hugoversion)" + latest="$(gh api repos/gohugoio/hugo/releases/latest --jq '.tag_name' | sed 's/^v//')" + echo "current=$current" >> "$GITHUB_OUTPUT" + echo "latest=$latest" >> "$GITHUB_OUTPUT" + if [ "$current" != "$latest" ]; then + printf '%s\n' "$latest" > .hugoversion + echo "changed=true" >> "$GITHUB_OUTPUT" + else + echo "changed=false" >> "$GITHUB_OUTPUT" + fi + - name: Open bump PR + if: steps.check.outputs.changed == 'true' + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 + with: + token: ${{ secrets.GITHUB_TOKEN }} + base: main + branch: chore/bump-hugo + delete-branch: true + labels: infra + commit-message: "ci: bump Hugo ${{ steps.check.outputs.current }} -> ${{ steps.check.outputs.latest }}" + title: "ci: bump Hugo to ${{ steps.check.outputs.latest }}" + body: | + Automated bump of the single-sourced Hugo version in `.hugoversion`: + `${{ steps.check.outputs.current }}` → `${{ 
steps.check.outputs.latest }}`. + + Both `ci.yml` and `deploy.yml` read this file, so the strict build in CI + validates the new version. Re-run CI on this PR (GITHUB_TOKEN-opened PRs + don't auto-trigger it) before merging. diff --git a/.hugoversion b/.hugoversion new file mode 100644 index 0000000..1abeedd --- /dev/null +++ b/.hugoversion @@ -0,0 +1 @@ +0.162.1 diff --git a/README.md b/README.md index a7db555..3551b3c 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,12 @@ You need [Hugo **extended**](https://gohugo.io/installation/) (≥ 0.162). On ma hugo server # live reload at http://localhost:1313 ``` +CI and the deploy build pin an exact Hugo version in **[`.hugoversion`](.hugoversion)** — a single +source of truth read by both [`ci.yml`](.github/workflows/ci.yml) and +[`deploy.yml`](.github/workflows/deploy.yml), so they can't drift. Bump it by editing that one file +(a weekly [`hugo-bump.yml`](.github/workflows/hugo-bump.yml) job also opens a PR when a newer Hugo +ships). + ## Build ```bash
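Review bot: `latest` is taken from the upstream release's `tag_name` and written to `$GITHUB_OUTPUT` and to `.hugoversion` with no check on its shape, in the "Check for a newer Hugo release" step. If the API response lacks `tag_name`, jq prints `null`, which differs from `current`, so the job would open a PR setting the version to `null`. Whatever is written here is later interpolated into the download URL by ci.yml and deploy.yml. A guard right after the assignment would bound it: `[[ "$latest" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "unexpected tag: $latest" >&2; exit 1; }`. Because the header comment notes that PRs opened with GITHUB_TOKEN do not trigger CI, it would also help to say there that the bump PR must not be merged until a CI run is green, or to enforce that with a required status check if the repository allows it.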