![\"\"](\"https://normco.re/posts/lorem-ipsum/images/amol-srivastava-uOYc6OlgpUI-unsplash.jpg\")
This site is built with Lume and deployed to Alibaba Cloud OSS, with Alibaba\nCloud CDN in front of it. The deployment pipeline stays intentionally small: one\nGitHub workflow, Deno available on the runner, and one custom action that\nrestores a local build cache, runs the build, syncs OSS, and cleans up:\nfrenchvandal/aliyun-oss-cdn-sync-action.
I now want five properties at the same time: short-lived credentials, warmed\nbuilds on fresh runners, predictable uploads, cache headers that match the files\nbeing shipped, and automatic cache coherence. This setup gives me all five\nwithout adding repository-specific deploy scripts.
\nIn steady-state production, this repository’s workflow now does three things:
\n.tool-versions and enables the\nrunner-side tool cache._cache, executes\ndeno task build, uploads _site, refreshes CDN, and cleans up.At the moment, that build also fingerprints the shared and route-scoped critical\nCSS assets, strips source maps, and prunes optional Pagefind files that are not\nreferenced by the final HTML before _site is synced.
name: Deploy static content to OSS\n\non:\n push:\n branches: ["master"]\n workflow_dispatch:\n\npermissions:\n contents: read\n id-token: write\n\nconcurrency:\n group: "oss-deploy"\n cancel-in-progress: true\n\njobs:\n deploy:\n environment:\n name: development\n runs-on: macos-26\n steps:\n - name: Checkout\n uses: actions/checkout@v6\n with:\n fetch-depth: 0\n\n - name: Setup Deno environment\n uses: denoland/setup-deno@v2\n with:\n deno-version-file: .tool-versions\n cache: true\n\n - name: Deploy to Alibaba Cloud OSS\n uses: frenchvandal/aliyun-oss-cdn-sync-action@master\n with:\n role-oidc-arn: ${{ secrets.ALIBABA_CLOUD_ROLE_ARN }}\n oidc-provider-arn: ${{ secrets.ALIBABA_CLOUD_OIDC_PROVIDER_ARN }}\n role-session-name: ${{ github.run_id }}\n role-session-expiration: 3600\n cache-enabled: true\n cache-key: >-\n lume-cache-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('deno.lock') }}-${{ hashFiles('_cache/**/*') || 'empty' }}\n cache-restore-keys: |\n lume-cache-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('deno.lock') }}-\n lume-cache-${{ runner.os }}-${{ runner.arch }}-\n input-dir: _site\n bucket: ${{ secrets.OSS_BUCKET }}\n region: ${{ secrets.OSS_REGION }}\n audience: ${{ github.repository_id }}\n cdn-enabled: true\n cdn-base-url: ${{ secrets.OSS_CDN_BASE_URL }}\n cdn-actions: refresh\n build-command: deno task build\nIn this repository, I currently keep cdn-actions: refresh. The action still\nsupports refresh,preload, but this site’s workflow no longer enables preload\non every deployment.
The action uses GitHub OIDC to assume an Alibaba Cloud RAM role at runtime. No\nlong-lived access key is stored in the repository. The workflow only needs\nid-token: write plus the RAM role ARN and the OIDC provider ARN.
Authentication is now OIDC-only. The action does not fall back to static access\nkeys from inputs or environment variables if role assumption fails.
\nThe current setup also passes audience: ${{ github.repository_id }}. GitHub\ncan mint an ID token for a custom audience, and Alibaba Cloud RAM can validate\nthat aud value against the Client IDs configured on the OIDC identity provider\nand in the role trust policy. That gives me a tighter trust boundary than\nrelying on default audience handling alone.
The action is split into three phases:
\n_cache directory, runs\nbuild-command, uploads local files to OSS, applies cache headers, and runs\nCDN actions if enabled._cache when cache-key is\nconfigured.The cleanup phase runs with post-if: always(), so it still executes even when\nearlier steps fail. Cleanup, CDN calls, and cache restore or save are\nintentionally best-effort: warnings are logged, but transient CDN or cache\nservice issues do not block the deployment.
A few implementation details matter for reliability:
\nbuild-command runs inside the action before any OSS upload or CDN call.cache-enabled is true and cache-key is configured, _cache restore\nhappens before the build and a fresh snapshot can be saved during post.cache-enabled controls only restore, so I can skip warm-cache restore\ntemporarily without giving up the post-step cache save.max-concurrency.api-rps-limit.failed-count and the GitHub job\nsummary instead of being buried in the logs.Cache-Control headers automatically: HTML and\nsw.js are revalidated aggressively, hashed assets are uploaded as immutable,\nand common static assets get shorter revalidation windows instead of a\none-size-fits-all policy.cdn-actions only accepts refresh or refresh,preload; if CDN is enabled\nand the value is empty or invalid, the action falls back to refresh.That last point is easy to miss: upload alone is not enough for a static site\nthat changes over time. You also need deletion and cache invalidation for\nobjects that should no longer exist.
\nAt the policy level, the role needs OSS permissions on the target bucket scope\nfor listing, uploading, and deleting objects. On the CDN side, this workflow\nneeds refresh permissions plus the read APIs used for quota checks and task\nlookups. If preload is enabled, add the corresponding preload permission too.\nThe trust policy must allow the GitHub OIDC provider to assume the deploy role.
\nI keep this as a dedicated deploy role rather than mixing it with broader\noperational permissions.
\nThe action is published and reusable:\ngithub.com/frenchvandal/aliyun-oss-cdn-sync-action.
\nThis repository currently tracks @master because I maintain the site and the\naction together. In a separate repository, I would usually pin @v1 or, better\nyet, a full commit SHA. I also now let the action own the build and _cache\nlifecycle, which keeps consumer workflows shorter and more declarative.
For me, the key result is that deploys stay boring: restore cache, build, sync,\nrefresh, cleanup, done.
\n", "date_published": "2026-03-10T00:00:00Z" }, { "id": "https://normco.re/posts/lorem-ipsum/", "url": "https://normco.re/posts/lorem-ipsum/", "title": "Lorem Ipsum and the Art of Placeholder Text", "content_html": "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor\nincididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis\nnostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
\nMost people know the phrase but few know its origin. It is a scrambled excerpt\nfrom Cicero’s de Finibus Bonorum et Malorum, a philosophical treatise written\nin 45 BC. The text has been used as filler copy since the 1500s, when an unknown\nprinter took a galley of type and scrambled it to make a type specimen book.
\n
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu\nfugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in\nculpa qui officia deserunt mollit anim id est laborum.
\nWhen you design a layout with real words, you design for those specific words.\nPlaceholder text forces you to design for the structure, not the content. This\nis a valuable constraint—it reveals whether your design can accommodate the\nunexpected: a headline that runs to three lines, a paragraph with no natural\nbreak, a word too long for its container.
\nUt enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit\nlaboriosam? There is a tension in design between fidelity to real content and\nthe freedom that abstraction permits.
\nHigh-fidelity prototypes with real copy require real copy to exist first.\nLow-fidelity wireframes communicate structure without the distraction of\nmeaning. Both approaches have their place. The key is knowing which tool serves\nthe moment.
\n// A small utility to generate repeating text blocks.\nfunction lorem(words: number): string {\n const base = "lorem ipsum dolor sit amet consectetur adipiscing elit";\n const tokens = base.split(" ");\n const result: string[] = [];\n for (let i = 0; i < words; i++) {\n result.push(tokens[i % tokens.length] ?? "");\n }\n return result.join(" ");\n}\nNemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed\nquia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt.
\n![\"\"](\"https://normco.re/posts/lorem-ipsum/images/scott-rodgerson-z0MDyylvY1k-unsplash.jpg\")
Lorem ipsum is more than filler. It is a mirror held up to the design—one that\nreflects structure stripped of meaning, form without content. That is precisely\nwhy it endures.
\n", "date_published": "2026-02-18T00:00:00Z" }, { "id": "https://normco.re/posts/vestibulum-ante/", "url": "https://normco.re/posts/vestibulum-ante/", "title": "Vestibulum Ante: On Thresholds and New Beginnings", "content_html": "Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia\ncurae. The Latin word vestibulum—a forecourt, an entrance hall, the space\nbefore the door—carries more weight than its English descendant “vestibule”\nsuggests.
\nA threshold is not an end, nor a beginning. It is the liminal space between the\ntwo: the breath held before the first word, the pause after a key turns in a\nlock. It is where one thing stops and another has not yet started.
\n![\"\"](\"https://normco.re/posts/vestibulum-ante/images/bruno-martins-4cwf-iW6I1Q-unsplash.jpg\")
Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac\nturpis egestas. We live in a culture that devalues transition. We want results,\noutcomes, the finished thing. The messy middle—the drafts, the doubt, the slow\naccumulation of understanding—goes undocumented and uncelebrated.
\nBut the in-between is where most of life happens. Commutes. Waiting rooms. The\ngap between sending a message and reading the reply. The years between knowing\nwhat you want and knowing how to get there.
\nFusce suscipit varius mi. Cum sociis natoque penatibus et magnis dis parturient\nmontes, nascetur ridiculus mus. Phasellus viverra nulla ut metus varius laoreet.
\nI moved to Chengdu on a Tuesday in early autumn. The city was warm in a way that\nsurprised me—not the heat of summer, but the warmth of a place that had already\ndecided it liked you. The streets smelled of chilli oil and osmanthus, and\neverything felt slightly, pleasantly unfamiliar.
\nThat is what a threshold feels like, I think. Not hostile. Not welcoming. Simply\nopen—waiting to see what you will make of it.
\nQuisque sit amet est et sapien ullamcorper pharetra. Vestibulum erat wisi,\ncondimentum sed, commodo vitae, ornare sit amet, wisi. Aenean fermentum, elit\neget tincidunt condimentum, eros ipsum rutrum orci, sagittis tempus lacus enim\nac dui.
\nEvery document has a vestibulum—the title page, the introduction, the first\nparagraph. It is the space that prepares the reader for what follows. Write it\nwith care.
\n", "date_published": "2025-09-04T00:00:00Z" }, { "id": "https://normco.re/posts/proin-facilisis/", "url": "https://normco.re/posts/proin-facilisis/", "title": "Proin Facilisis: Making Things Easier", "content_html": "Proin facilisis—Latin for “promoting ease.” It appears in old botanical texts\nto describe a plant that aids digestion, smooths a passage, clears an\nobstruction. As a philosophy for building software, it translates remarkably\nwell.
\nGood software reduces friction. It anticipates the user’s next step. It provides\nthe right affordance at the right moment. It gets out of the way.
\n![\"\"](\"https://normco.re/posts/proin-facilisis/images/brett-jordan-92-mTYj5oGs-unsplash.jpg\")
Proin in tellus sit amet nibh dignissim sagittis. The first step in reducing\nfriction is to map it. Where does the user slow down? Where does attention\nspike? Where do errors cluster?
\nIn a typical web application, the highest-friction moments are predictable:\nonboarding, form submission, error recovery, and loading states. These are the\nvestibules of the product—the thresholds users must cross to reach the value\ninside.
\n// Friction shows up in code too.\n// Compare these two approaches to handling a missing value:\n\n// High friction—the caller must always check:\nfunction getUser(id: string): User | undefined {/* … */}\n\n// Lower friction—the error is explicit and handled at the boundary:\nfunction getUser(id: string): User {\n const user = db.find(id);\n if (user === undefined) {\n throw new Error(`User not found: ${id}`);\n }\n return user;\n}\nVivamus pretium aliquet erat. There is a paradox at the heart of “making things\neasy”: it is very hard to do. Eliminating friction requires deep understanding\nof the user, the context, and the failure modes. It demands more work from the\nbuilder so that less work falls on the user.
\nThis is why ease is a form of generosity. Every unnecessary step you remove from\nyour user’s path is time returned to them—time they can spend on the thing that\nactually matters.
\nDonec aliquet metus ut erat semper, et tincidunt nulla luctus. Some principles I\nreturn to:
\nNulla facilisi. Phasellus blandit leo ut odio. Nam sed nulla non diam tincidunt\ntempus. The name of this principle—nulla facilisi, “no easy thing”—is a\nreminder that ease, properly understood, is never accidental.
\n", "date_published": "2025-04-12T00:00:00Z" }, { "id": "https://normco.re/posts/instructions/", "url": "https://normco.re/posts/instructions/", "title": "How to install this theme?", "content_html": "Simple blog is a clean and minimal blog theme for Lume, with support for\ntags and authors. It allows you to build your own blog in seconds, and\nprovides Atom and JSON feeds for your subscribers.
\nThe fastest and easiest way to configure this theme is the\nLume init command, which you can also copy\neasily from the Simple Blog theme page.\nRunning:
\ndeno run -A https://lume.land/init.ts --theme=simple-blog\nwill create a new project with Simple Blog configured. Edit the _data.yml file\nin your blog root folder with your data to customize the site title,\ndescription, and metadata.
Posts must be saved in the posts folder. For example,\nposts/my-first-post.md.
To add the theme to an existing Lume project, import it in your _config.ts\nfile as a remote module. Update it by changing the version number in the import\nURL:
import lume from "lume/mod.ts";\nimport blog from "https://deno.land/x/lume_theme_simple_blog@v0.15.6/mod.ts";\n\nconst site = lume();\n\nsite.use(blog());\n\nexport default site;\nCopy the\n_data.yml\nfile to your blog root folder and edit it with your data.
You can use lumeCMS to customize the blog and add\ncontent easily.
\n", "date_published": "2022-06-12T00:00:00Z" } ], "language": "en" }