Add a static blog site (#1605)

Author: anthonyiscoding

.github/workflows/ci.yml

@@ -7,6 +7,7 @@ on:
       - 'docs/**'
       - 'skills/**'
       - 'website/**'
+      - 'blog/**'
       - '**/*.md'
       - '**/*.mdx'
       - '.cursor/**'
@@ -16,6 +17,7 @@ on:
       - 'docs/**'
       - 'skills/**'
       - 'website/**'
+      - 'blog/**'
       - '**/*.md'
       - '**/*.mdx'
       - '.cursor/**'

.github/workflows/deploy-website.yml

@@ -5,6 +5,7 @@ on:
     branches: [main]
     paths:
       - 'website/**'
+      - 'blog/**'
       - 'infra/terraform/website/**'
       - '.github/workflows/deploy-website.yml'
   workflow_dispatch:
@@ -50,13 +51,20 @@ jobs:
       - name: Generate llms.txt and AGENTS.md
         run: pnpm --filter iii-website build
 
+      - name: Build blog (Astro → blog/dist/)
+        run: pnpm --filter iii-blog build
+
       - name: Configure AWS credentials (GitHub OIDC)
         uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}
           aws-region: ${{ env.AWS_REGION }}
 
-      - name: Sync static assets (long cache, immutable)
+      # Blog and website share the bucket; the blog lives under the /blog/
+      # prefix and is wiped + repopulated by its own sync below. The website
+      # sync therefore must exclude blog/* so its --delete doesn't wipe blog
+      # output between the two steps.
+      - name: Sync website static assets (long cache, immutable)
         run: |
           aws s3 sync website/ "s3://${{ vars.S3_BUCKET }}/" \
             --delete \
@@ -70,17 +78,39 @@ jobs:
             --exclude "pnpm-lock.yaml" \
             --exclude ".gitignore" \
             --exclude "README.md" \
-            --exclude "vercel.json"
+            --exclude "vercel.json" \
+            --exclude "blog/*"
 
-      - name: Sync HTML and AI snapshot (no cache, must revalidate)
+      - name: Sync website HTML and AI snapshot (no cache, must revalidate)
         run: |
           aws s3 sync website/ "s3://${{ vars.S3_BUCKET }}/" \
             --delete \
             --cache-control "public,max-age=0,must-revalidate" \
             --exclude "*" \
             --include "*.html" \
             --include "llms.txt" \
-            --include "AGENTS.md"
+            --include "AGENTS.md" \
+            --exclude "blog/*"
+
+      # Blog assets under _astro/ are content-hashed by Astro, so they're
+      # safe to mark immutable. HTML and rss.xml must revalidate so new posts
+      # surface immediately after the CloudFront invalidation.
+      - name: Sync blog static assets (long cache, immutable)
+        run: |
+          aws s3 sync blog/dist/ "s3://${{ vars.S3_BUCKET }}/blog/" \
+            --delete \
+            --cache-control "public,max-age=31536000,immutable" \
+            --exclude "*.html" \
+            --exclude "*.xml"
+
+      - name: Sync blog HTML and RSS (no cache, must revalidate)
+        run: |
+          aws s3 sync blog/dist/ "s3://${{ vars.S3_BUCKET }}/blog/" \
+            --delete \
+            --cache-control "public,max-age=0,must-revalidate" \
+            --exclude "*" \
+            --include "*.html" \
+            --include "*.xml"
 
       - name: Create CloudFront invalidation
         id: invalidation

.github/workflows/license-check.yml

@@ -7,6 +7,7 @@ on:
       - 'docs/**'
       - 'skills/**'
       - 'website/**'
+      - 'blog/**'
       - '**/*.md'
       - '**/*.mdx'
       - '.cursor/**'
@@ -16,6 +17,7 @@ on:
       - 'docs/**'
       - 'skills/**'
       - 'website/**'
+      - 'blog/**'
       - '**/*.md'
       - '**/*.mdx'
       - '.cursor/**'

blog/.gitignore

@@ -0,0 +1,6 @@
+dist/
+.astro/
+node_modules/
+.DS_Store
+.env
+.env.local

blog/README.md

@@ -0,0 +1,74 @@
+# iii blog
+
+The iii.dev/blog — static blog built with [Astro](https://astro.build).
+
+## Local development
+
+From the monorepo root:
+
+```bash
+pnpm install
+pnpm --filter iii-blog dev
+```
+
+The dev server runs at <http://localhost:4321/blog/>. Posts live in
+`src/content/blog/` as Markdown or MDX with the frontmatter schema defined in
+`src/content.config.ts`.
+
+## Build
+
+```bash
+pnpm --filter iii-blog build
+```
+
+Output is emitted to `blog/dist/` with all routes scoped under `/blog/` thanks
+to `base: '/blog'` in `astro.config.mjs`.
+
+## Tests
+
+```bash
+pnpm --filter iii-blog test
+```
+
+Tests live in `tests/` and run via `node:test` after `astro build`. They
+verify the build output (URL scoping, RSS feed, post emission) so regressions
+in the base path or content collection setup fail loudly.
+
+## Deployment
+
+The blog ships with the rest of `iii.dev` via
+[`.github/workflows/deploy-website.yml`](../.github/workflows/deploy-website.yml).
+On every push to `main` that touches `blog/**`, `website/**`, or
+`infra/terraform/website/**`, CI:
+
+1. Builds with `pnpm --filter iii-blog build` → `blog/dist/`.
+2. Syncs `blog/dist/` to `s3://<site-bucket>/blog/`. Hashed assets get a
+   long `immutable` cache; `*.html` and `*.xml` get `must-revalidate`.
+3. Invalidates the CloudFront distribution at `/*`.
+
+Routing under `/blog/*` is handled in
+[`infra/terraform/website/cloudfront_functions/redirects.js`](../infra/terraform/website/cloudfront_functions/redirects.js)
+— see the unit tests there for the exact behavior. In short:
+
+- `/blog` → 301 `/blog/`
+- `/blog/<slug>/` → S3 key `blog/<slug>/index.html`
+- `/blog/<slug>` → 301 `/blog/<slug>/`
+- `/blog/<file.ext>` → pass through
+
+## Adding a post
+
+Create a new file in `src/content/blog/<slug>.md` (or `.mdx`):
+
+```markdown
+---
+title: 'My new post'
+description: 'A short summary used for the index page and RSS feed.'
+pubDate: 2026-05-10
+tags: ['engine']
+---
+
+Post body in Markdown.
+```
+
+The slug is the filename minus the extension. The post is published
+automatically unless `draft: true` is set in frontmatter.

blog/astro.config.mjs

@@ -0,0 +1,14 @@
+import mdx from '@astrojs/mdx'
+import { defineConfig } from 'astro/config'
+
+// Served from CloudFront under /blog. Built artifacts are synced to
+// s3://<site-bucket>/blog/ — see infra/terraform/website/cloudfront.tf.
+export default defineConfig({
+  site: 'https://iii.dev',
+  base: '/blog',
+  trailingSlash: 'always',
+  build: {
+    format: 'directory',
+  },
+  integrations: [mdx()],
+})

blog/package.json

@@ -0,0 +1,25 @@
+{
+  "name": "iii-blog",
+  "private": true,
+  "license": "Apache-2.0",
+  "version": "0.1.0",
+  "type": "module",
+  "description": "iii.dev/blog — static blog built with Astro",
+  "scripts": {
+    "dev": "astro dev",
+    "build": "astro build",
+    "preview": "astro preview",
+    "type-check": "astro check",
+    "test": "astro build && tsx --test tests/*.test.ts"
+  },
+  "dependencies": {
+    "@astrojs/mdx": "^5.0.4",
+    "@astrojs/rss": "^4.0.18",
+    "astro": "^6.2.2"
+  },
+  "devDependencies": {
+    "@astrojs/check": "^0.9.4",
+    "tsx": "^4.21.0",
+    "typescript": "^5.9.2"
+  }
+}

blog/src/components/AnalyticsHead.astro

@@ -0,0 +1,57 @@
+---
+// Mirrors website/index.html lines 7-56. Kept verbatim so the localStorage
+// key 'iii_cookie_consent' and the iiiLoadCommonRoomSignals /
+// iiiNotifyCommonRoomEmail globals stay identical across iii.dev and /blog —
+// consent travels with the user, not the page. See blog/tests/build.test.ts
+// for the contract this mirrors.
+---
+
+<!-- Google Tag Manager -->
+<script is:inline>
+  (function (w, d, s, l, i) {
+    w[l] = w[l] || [];
+    w[l].push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' });
+    var f = d.getElementsByTagName(s)[0],
+      j = d.createElement(s),
+      dl = l != 'dataLayer' ? '&l=' + l : '';
+    j.async = true;
+    j.src = 'https://www.googletagmanager.com/gtm.js?id=' + i + dl;
+    f.parentNode.insertBefore(j, f);
+  })(window, document, 'script', 'dataLayer', 'GTM-N8DCTFB8');
+</script>
+<!-- End Google Tag Manager -->
+
+<!-- Common Room: loads only after analytics consent (see CookieBanner) -->
+<script is:inline>
+  (function () {
+    var STORAGE_KEY = 'iii_cookie_consent';
+    window.iiiLoadCommonRoomSignals = function () {
+      if (typeof window.signals !== 'undefined') return;
+      var script = document.createElement('script');
+      script.src = 'https://cdn.cr-relay.com/v1/site/da18833a-8f00-4ad0-9833-6608b59a713a/signals.js';
+      script.async = true;
+      window.signals = Object.assign(
+        [],
+        { _opts: { apiHost: 'https://api.cr-relay.com' } },
+        ['page', 'identify', 'form'].reduce(function (acc, method) {
+          acc[method] = function () {
+            signals.push([method, arguments]);
+            return signals;
+          };
+          return acc;
+        }, {})
+      );
+      document.head.appendChild(script);
+    };
+    window.iiiNotifyCommonRoomEmail = function (email) {
+      try {
+        if (!email || localStorage.getItem(STORAGE_KEY) !== 'accepted') return;
+        if (typeof window.signals === 'undefined' || !window.signals.form) return;
+        window.signals.form({ email: email });
+      } catch (_) {}
+    };
+    try {
+      if (localStorage.getItem(STORAGE_KEY) === 'accepted') window.iiiLoadCommonRoomSignals();
+    } catch (_) {}
+  })();
+</script>