docs: add wiki development and contributing guide

JacobCoffee · JacobCoffee · commit 3f2bd7825d4f · 2026-02-17T19:21:18.000-06:00
diff --git a/contributing.md b/contributing.md
@@ -0,0 +1,219 @@
+# Contributing to the Wiki
+
+This is a 4,000+ page Sphinx site built from Markdown files. The original content came from MoinMoin (the wiki engine that powered wiki.python.org for two decades), converted to [MyST Markdown](https://myst-parser.readthedocs.io/) and rendered with the [Shibuya](https://shibuya.lepture.com/) theme.
+
+There are two ways to contribute: edit files directly through GitHub, or use the browser-based CMS. Both end up as pull requests against the `main` branch.
+
+## Editing on GitHub
+
+The most straightforward path. Every wiki page is a `.md` file under one of three directories:
+
+- `python/` -- the main Python wiki (3,274 pages)
+- `psf/` -- Python Software Foundation governance and programs (378 pages)
+- `jython/` -- Jython, the JVM implementation (433 pages)
+
+Find the file you want to change, edit it, and open a pull request. GitHub's web editor works fine for quick fixes. For anything more involved, clone the repo and work locally (see [Local Development](#local-development) below).
+
+Pages use MyST Markdown, which is standard Markdown plus a handful of Sphinx directives. You can use `{admonition}`, `{toctree}`, `{grid}`, code blocks, tables -- all the usual stuff. The [MyST docs](https://myst-parser.readthedocs.io/en/latest/syntax/roles-and-directives.html) cover the full syntax.
+
+### Adding a new page
+
+1. Create a `.md` file in the right directory. Start it with a top-level heading (`# Page Title`).
+2. Add the filename (without `.md`) to the `{toctree}` in the parent `index.md`.
+
+If you're making a new subdirectory, put an `index.md` inside it with its own toctree, then reference `subdir/index` from the parent.
+
+### What about redirects?
+
+The old MoinMoin wiki encoded special characters in URLs in its own way -- spaces became `(20)`, slashes became `(2f)`, German umlauts like `Ä` became `(c384)`. All 5,400+ redirects from old URLs to new paths live in `_redirects.json`.
+
+If you move or rename a page, add an entry there so existing links don't break. You can regenerate the full redirect map with:
+
+```bash
+make redirects
+```
+
+## Editing with Decap CMS
+
+For people who'd rather not touch Git at all, there's a browser-based editor at `/admin/` on the live site. It's powered by [Decap CMS](https://decapcms.org/) (the maintained fork of Netlify CMS).
+
+You log in with your GitHub account, pick a page from any of the three wiki sections, edit it in a rich-text-ish Markdown editor, and save. Behind the scenes, Decap CMS creates a branch and pull request on your behalf. The editorial workflow means your changes go through review before merging, same as any other PR.
+
+The CMS configuration lives in `_extra/admin/config.yml`. It defines three collections (one per wiki section) and uses `open_authoring`, which means anyone with a GitHub account can propose edits -- they don't need write access to the repo.
+
+:::{admonition} Contributing without a GitHub account
+:class: warning
+
+This is a work in progress. We're looking into options for allowing edits without requiring a GitHub account at all. The current CMS flow and the standard PR workflow both need one. If you have content to contribute but no GitHub account, reach out to the PSF or open an issue and we'll figure something out.
+:::
+
+## How the CMS authentication works
+
+Decap CMS needs an OAuth handshake with GitHub to get a token for the user. GitHub's OAuth flow requires a server-side component (client secrets can't live in browser JS), so there's a small [Litestar](https://litestar.dev/) app in the `oauth/` directory that handles this.
+
+The flow goes like this:
+
+1. User clicks "Login with GitHub" in the CMS.
+2. The CMS redirects to `GET /auth` on the OAuth proxy.
+3. The proxy redirects to GitHub's authorize page with the app's client ID.
+4. User approves, GitHub redirects back to `GET /callback?code=...`.
+5. The proxy exchanges that code for an access token server-side.
+6. The proxy returns a small HTML page that `postMessage`s the token back to the CMS window.
+
+That's the entire app. Three routes: `/auth`, `/callback`, and `/_health/` for load balancers. The source is `oauth/app.py` -- it's about 70 lines.
+
+### OAuth proxy stack
+
+The proxy is its own Python project with its own `pyproject.toml` and `uv.lock`, separate from the main wiki's Sphinx dependencies. It uses:
+
+- **Litestar** for the web framework
+- **httpx** for the async HTTP call to GitHub's token endpoint
+- **uvicorn** as the ASGI server
+
+In production, it runs on Cabotage (the PSF's deployment platform) behind an nginx ingress, binding to a Unix socket at `/var/run/cabotage/cabotage.sock`. The `Dockerfile` and `Procfile` in `oauth/` handle that. It's reachable at `api.wiki.python.org`.
+
+The OpenAPI docs for the proxy are auto-generated by Litestar and served at `/` via the Scalar UI plugin -- hit `http://localhost:8000/` when running locally and you'll see them.
+
+## Local development
+
+You need [uv](https://docs.astral.sh/uv/) and Python 3.14+.
+
+```bash
+make install
+```
+
+That's the whole setup. No virtualenv juggling, no pip -- uv does it all.
+
+### Previewing the wiki
+
+The wiki has ~3,500 pages total, so building everything takes a while. You almost certainly want to scope your build to whatever section you're working on:
+
+```bash
+# Just the PSF wiki (~400 pages, under a minute)
+make docs-serve-fast WIKI=psf
+
+# A single subsection (~100 pages, a few seconds)
+make docs-serve-fast WIKI=psf SECTION=PackagingWG
+
+# The full Python wiki (~3,400 pages)
+make docs-serve-fast WIKI=python
+```
+
+These start a live-reload server. Save a file, the browser refreshes.
+
+For a complete build of all sections (what CI runs):
+
+```bash
+make docs
+```
+
+### Running the OAuth proxy locally
+
+If you need to work on the CMS integration:
+
+```bash
+# Set your GitHub OAuth app credentials
+export GITHUB_CLIENT_ID=...
+export GITHUB_CLIENT_SECRET=...
+
+# Or put them in oauth/.env or .env at the repo root
+
+make oauth-serve
+```
+
+This starts the proxy at `http://localhost:8000` with auto-reload. Run the test suite with:
+
+```bash
+make oauth-test
+```
+
+## CI/CD
+
+Three GitHub Actions workflows keep things running:
+
+**`docs.yml`** -- Builds the full Sphinx site on every push to `main` and deploys to GitHub Pages. Also runs on PRs to catch build errors before merge. Uses the Sphinx doctree cache so incremental builds don't start from scratch.
+
+**`preview.yml`** -- Generates a deploy preview for every pull request. It detects which wiki section(s) changed and scopes the build accordingly -- if you only touched files in `psf/`, it only builds the PSF wiki. The preview URL gets posted as a comment on the PR.
+
+**`linkcheck.yml`** -- Runs weekly (Monday 6am UTC) to scan for dead external links across all pages. Results get uploaded as artifacts.
+
+## Project layout
+
+```
+python/                 Python wiki content (3,274 pages)
+psf/                    PSF wiki content (378 pages)
+jython/                 Jython wiki content (433 pages)
+oauth/                  GitHub OAuth proxy for Decap CMS
+  app.py                The Litestar application (3 routes)
+  Dockerfile            Production container image
+  Procfile              Cabotage process definition
+  pyproject.toml        Proxy-specific dependencies
+  tests/                Proxy test suite
+  k8s/                  Kubernetes manifests (ingress)
+_extra/admin/           Decap CMS frontend (config.yml + loader HTML)
+_static/                CSS and static assets
+_templates/             Sphinx HTML template overrides
+_redirects.json         All 5,400+ redirect mappings
+_redirects_html/        Generated static redirect pages
+scripts/                Conversion and maintenance tooling
+  convert.py            MoinMoin HTML → MyST Markdown converter
+  gen_old_wiki_redirects.py   Builds the old-URL redirect map
+  gen_redirect_pages.py       Generates static HTML redirect files
+  strip_attrs.py        Strips pandoc attribute cruft from .md files
+  fix_moin_links.py     Fixes remaining MoinMoin-style links
+  reorganize.py         Moves pages into subdirectories
+  sync.sh               Pulls raw HTML from the wiki server
+conf.py                 Sphinx configuration
+pyproject.toml          Wiki build dependencies (uv-managed)
+Makefile                All the build/serve/lint commands
+```
+
+## Make targets
+
+Run `make help` to see everything, but here's the short version:
+
+::::{tab-set}
+
+:::{tab-item} Setup
+```
+make install            Install all dependencies
+```
+:::
+
+:::{tab-item} Content Pipeline
+```
+make sync               Sync raw HTML from wiki server
+make convert            Re-run the HTML → Markdown conversion
+```
+:::
+
+:::{tab-item} Documentation
+```
+make docs               Build the full Sphinx site
+make docs-serve         Serve with live reload (all sections)
+make docs-serve-fast    Scoped build (WIKI=python|psf|jython [SECTION=subdir])
+make docs-clean         Remove Sphinx build output
+```
+:::
+
+:::{tab-item} Code Quality
+```
+make lint               Run pre-commit hooks
+make redirects          Regenerate redirect mapping and static HTML files
+```
+:::
+
+:::{tab-item} OAuth Proxy
+```
+make oauth-serve        Run OAuth proxy locally (needs GITHUB_CLIENT_ID/SECRET)
+make oauth-test         Run OAuth proxy tests
+```
+:::
+
+:::{tab-item} Utility
+```
+make clean              Remove all build artifacts
+```
+:::
+
+::::
diff --git a/index.md b/index.md
@@ -187,4 +187,5 @@ JVM Integration · Java Interop · Guides
 python/index
 psf/index
 jython/index
+contributing
 ```
diff --git a/oauth/k8s/ingress.yml b/oauth/k8s/ingress.yml
@@ -0,0 +1,48 @@
+# Wiki OAuth Proxy - Cabotage Ingress
+# Apply manually: kubectl apply -f k8s/ingress.yml
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: wiki-wiki-oauth-app-web
+  namespace: coffee
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: 10s
+    nginx.ingress.kubernetes.io/proxy-read-timeout: 10s
+    nginx.ingress.kubernetes.io/proxy-send-timeout: 10s
+    nginx.ingress.kubernetes.io/service-upstream: "true"
+  labels:
+    app: wiki-wiki-oauth-app
+    process: web
+    resident-service.cabotage.io: "true"
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: coffee-wiki-wiki-oauth-app-web.ingress.us-east-2.psfhosted.computer
+    http:
+      paths:
+      - backend:
+          service:
+            name: wiki-wiki-oauth-app-web
+            port:
+              number: 8000
+        path: /
+        pathType: Prefix
+  - host: api.wiki.python.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: wiki-wiki-oauth-app-web
+            port:
+              number: 8000
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - coffee-wiki-wiki-oauth-app-web.ingress.us-east-2.psfhosted.computer
+    - api.wiki.python.org
+    secretName: ingress-wiki-wiki-oauth-app-web
