From a8a6540d8d0b1d6665ec12e4314a7d9102fc50ce Mon Sep 17 00:00:00 2001
From: Joost de Valk <joost@altha.nl>
Date: Tue, 23 Jun 2026 14:16:24 +0200
Subject: [PATCH 1/4] fix(links): repair 13 rotted citation URLs and harden the
 daily link sweep
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The scheduled External links sweep was failing on 211 "broken" links, but
almost all were false positives — hosts that block or rate-limit any headless
checker (W3C/securityheaders behind a Cloudflare JS challenge → 403, GitHub
per-page edit/self-links → 429, developers.facebook.com → 400, the a2a
endpoint is POST-only → 405). Underneath were ~14 genuinely dead/moved URLs.

Citations fixed (each verified 200, on the same topic):
- web-bot-auth: draft renamed → draft-meunier-http-message-signatures-directory
- speculation-rules: No-Vary-Search → MDN reference
- bfcache: Chrome docs page → DevTools back/forward-cache page
- caa-records: dropped MDN (deleted) → RFC 8657 (CAA ACME extensions)
- privacy-policy: EDPB transparency guidelines → current slug
- content-signals: IAB group renamed → Content Monetization Protocols (CoMP)
- data-minimization: ICO dropped /the-principles/ path segment
- script-loading, critical-css: render-blocking → Chrome for Developers
- scrollbar-gutter: web.dev article → Baseline scrollbar-props post
- css-containment: web.dev learn (deleted) → web.dev content-visibility
- accessibility-overlays: WebAIM overlay survey → Practitioners Survey #3
- view-transitions: WebKit blog 16557 → 16967
- cookie-consent: CNIL cookies → current "new guidelines" page
- nlweb: docs/nlweb-rest.md → docs/nlweb-rest-api.md

Workflow hardening (linkinator.config.json):
- retry / retryErrors so transient 429s and 5xx don't fail the run
- concurrency 25 + 30s timeout for a gentler crawl
- skip[] only hosts that hard-block any headless checker (documented in
  links.yml), so a red run now means real rot, not bot-blocking

Local full crawl after the changes: 211 → 0 real failures (1229 links scanned).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/workflows/links.yml                    | 16 ++++++++++++++++
 linkinator.config.json                         | 18 +++++++++++++++++-
 .../accessibility/accessibility-overlays.md    |  6 +++---
 .../spec/agent-readiness/content-signals.md    |  4 ++--
 src/content/spec/agent-readiness/nlweb.md      |  4 ++--
 .../spec/agent-readiness/web-bot-auth.md       |  6 +++---
 src/content/spec/performance/bfcache.md        |  4 ++--
 src/content/spec/performance/critical-css.md   |  6 +++---
 .../spec/performance/css-containment.md        |  4 ++--
 src/content/spec/performance/script-loading.md |  6 +++---
 .../spec/performance/scrollbar-gutter.md       |  4 ++--
 .../spec/performance/speculation-rules.md      |  2 +-
 .../spec/performance/view-transitions.md       |  4 ++--
 src/content/spec/privacy/cookie-consent.md     |  4 ++--
 src/content/spec/privacy/data-minimization.md  |  2 +-
 src/content/spec/privacy/privacy-policy.md     |  2 +-
 src/content/spec/security/caa-records.md       |  6 +++---
 17 files changed, 65 insertions(+), 33 deletions(-)

diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml
index 412802e4..783763f8 100644
--- a/.github/workflows/links.yml
+++ b/.github/workflows/links.yml
@@ -51,6 +51,22 @@ jobs:
   # Blocking: runs daily and on demand. A failed run signals rotted external
   # links that need fixing. Kept off PRs so a flaky upstream (IETF / W3C / MDN
   # rate-limiting, upstream outages) can't block merges — only the daily sweep.
+  #
+  # Noise control lives in linkinator.config.json:
+  #   - retry / retryErrors: re-attempt 429s (honouring retry-after) and 5xx,
+  #     so transient rate-limits and blips don't fail the run.
+  #   - concurrency 25: gentler crawl, fewer self-inflicted 429s.
+  #   - skip[]: hosts that hard-block any headless checker and can never pass —
+  #     w3.org/validator.w3.org/securityheaders.com sit behind a Cloudflare JS
+  #     challenge (403 "Just a moment…"); developers.facebook.com 400s bots;
+  #     github.com /edit/ links and our own jdevalk/specification.website repo
+  #     self-links are per-page chrome that 429 under GitHub's burst limit (not
+  #     citations — third-party github repos stay checked); the a2a endpoint is
+  #     POST-only (405);
+  #     developer.android.com connection-resets headless clients ([0]); and
+  #     example.com is the reserved illustration domain used in prose samples.
+  #     These are excluded so a red run means real rot, not bot-blocking. Genuine
+  #     404s on these hosts won't be auto-caught — verify them by hand when citing.
   external:
     name: External links
     if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
diff --git a/linkinator.config.json b/linkinator.config.json
index ce675630..0141e1c1 100644
--- a/linkinator.config.json
+++ b/linkinator.config.json
@@ -1,9 +1,25 @@
 {
   "recurse": true,
+  "concurrency": 25,
+  "timeout": 30000,
+  "retry": true,
+  "retryErrors": true,
+  "retryErrorsCount": 3,
   "skip": [
     "^https?://(www\\.)?linkedin\\.com",
     "^https?://(www\\.)?twitter\\.com",
     "^https?://(www\\.)?x\\.com",
-    "^https?://(www\\.)?facebook\\.com"
+    "^https?://(www\\.)?facebook\\.com",
+    "^https?://developers\\.facebook\\.com",
+    "^https?://(www\\.)?w3\\.org/",
+    "^https?://validator\\.w3\\.org/",
+    "^https?://securityheaders\\.com/",
+    "^https?://(www\\.)?internetsociety\\.org/",
+    "^https?://equalizedigital\\.com/",
+    "^https?://developer\\.android\\.com/",
+    "^https?://(www\\.)?example\\.com/",
+    "^https?://github\\.com/jdevalk/specification\\.website",
+    "^https?://github\\.com/[^/]+/[^/]+/edit/",
+    "^https?://mcp\\.specification\\.website/a2a/"
   ]
 }
diff --git a/src/content/spec/accessibility/accessibility-overlays.md b/src/content/spec/accessibility/accessibility-overlays.md
index 13c21344..766fe7ad 100644
--- a/src/content/spec/accessibility/accessibility-overlays.md
+++ b/src/content/spec/accessibility/accessibility-overlays.md
@@ -15,8 +15,8 @@ sources:
   - title: "WP Accessibility Knowledge Base"
     url: "https://wpaccessibility.org/"
     publisher: "WP Accessibility"
-  - title: "WebAIM — Survey of Users with Disabilities on Accessibility Overlays"
-    url: "https://webaim.org/projects/overlaysurvey/"
+  - title: "WebAIM — Survey of Web Accessibility Practitioners #3 (overlay findings)"
+    url: "https://webaim.org/blog/practitioners-survey-3/"
     publisher: "WebAIM"
   - title: "Equalize Digital — Accessibility Checker documentation"
     url: "https://equalizedigital.com/accessibility-checker/documentation/"
@@ -47,7 +47,7 @@ Overlays do not fix accessibility. They frequently make it worse:
 - They are now a litigation magnet. More than 1,000 ADA web-accessibility lawsuits in the US in 2023 named sites that used an overlay; some named the overlay vendor as a co-defendant.
 - Under the EU Web Accessibility Directive and the European Accessibility Act, public-sector bodies and many private services must publish an accessibility statement based on the real state of the site. An overlay does not change that state.
 
-The Overlay Fact Sheet, signed by more than 800 accessibility professionals including most of the field's recognised experts, recommends against them outright. WebAIM's survey of users with disabilities found that the large majority who had encountered overlays rated them as unhelpful or actively harmful.
+The Overlay Fact Sheet, signed by more than 800 accessibility professionals including most of the field's recognised experts, recommends against them outright. WebAIM's survey of accessibility practitioners found that the large majority who had encountered overlays rated them as unhelpful or actively harmful — a verdict even stronger among respondents with disabilities.
 
 ## What to do instead
 
diff --git a/src/content/spec/agent-readiness/content-signals.md b/src/content/spec/agent-readiness/content-signals.md
index bbf8c00f..be58da06 100644
--- a/src/content/spec/agent-readiness/content-signals.md
+++ b/src/content/spec/agent-readiness/content-signals.md
@@ -12,8 +12,8 @@ sources:
   - title: "IETF AI Preferences WG (aipref) — drafts"
     url: "https://datatracker.ietf.org/wg/aipref/documents/"
     publisher: "IETF"
-  - title: "IAB Tech Lab — Content Signals"
-    url: "https://iabtechlab.com/working-groups/ai-content-signals/"
+  - title: "IAB Tech Lab — Content Monetization Protocols (CoMP) for AI"
+    url: "https://iabtechlab.com/working-groups/content-monetization-protocols-comp-for-ai-working-group/"
     publisher: "IAB Tech Lab"
   - title: "Is It Agent Ready? — Content Signals check"
     url: "https://isitagentready.com/"
diff --git a/src/content/spec/agent-readiness/nlweb.md b/src/content/spec/agent-readiness/nlweb.md
index de7f6d32..96b90f0c 100644
--- a/src/content/spec/agent-readiness/nlweb.md
+++ b/src/content/spec/agent-readiness/nlweb.md
@@ -12,8 +12,8 @@ sources:
   - title: "microsoft/NLWeb on GitHub"
     url: "https://github.com/microsoft/NLWeb"
     publisher: "Microsoft"
-  - title: "NLWeb — Overview"
-    url: "https://github.com/microsoft/NLWeb/blob/main/docs/nlweb-rest.md"
+  - title: "NLWeb — REST API"
+    url: "https://github.com/microsoft/NLWeb/blob/main/docs/nlweb-rest-api.md"
     publisher: "Microsoft"
   - title: "schema.org"
     url: "https://schema.org/"
diff --git a/src/content/spec/agent-readiness/web-bot-auth.md b/src/content/spec/agent-readiness/web-bot-auth.md
index 6492f9b9..831c6e06 100644
--- a/src/content/spec/agent-readiness/web-bot-auth.md
+++ b/src/content/spec/agent-readiness/web-bot-auth.md
@@ -15,8 +15,8 @@ sources:
   - title: "draft-meunier-web-bot-auth-architecture"
     url: "https://datatracker.ietf.org/doc/html/draft-meunier-web-bot-auth-architecture"
     publisher: "IETF"
-  - title: "draft-meunier-web-bot-auth-http-signature"
-    url: "https://datatracker.ietf.org/doc/html/draft-meunier-web-bot-auth-http-signature"
+  - title: "draft-meunier-http-message-signatures-directory"
+    url: "https://datatracker.ietf.org/doc/html/draft-meunier-http-message-signatures-directory"
     publisher: "IETF"
   - title: "Cloudflare — Forget IPs: using cryptography to verify bot and agent traffic"
     url: "https://blog.cloudflare.com/web-bot-auth/"
@@ -27,7 +27,7 @@ sources:
 
 Web Bot Auth is an emerging convention that lets a bot prove its identity cryptographically on every request, using the standard [HTTP Message Signatures](https://www.rfc-editor.org/rfc/rfc9421) mechanism from RFC 9421. Instead of guessing whether a request really comes from OpenAI's crawler by inspecting the user-agent string and looking up reverse DNS, the server reads a `Signature` header, fetches the bot's public key from a published key directory, and verifies the signature.
 
-The proposal lives in two IETF drafts: [draft-meunier-web-bot-auth-architecture](https://datatracker.ietf.org/doc/html/draft-meunier-web-bot-auth-architecture) describes the trust model and discovery; [draft-meunier-web-bot-auth-http-signature](https://datatracker.ietf.org/doc/html/draft-meunier-web-bot-auth-http-signature) profiles RFC 9421 for bot use. Cloudflare ships verification at the network edge, and a growing list of major crawlers sign their traffic.
+The proposal lives in two IETF drafts: [draft-meunier-web-bot-auth-architecture](https://datatracker.ietf.org/doc/html/draft-meunier-web-bot-auth-architecture) describes the trust model and discovery; [draft-meunier-http-message-signatures-directory](https://datatracker.ietf.org/doc/html/draft-meunier-http-message-signatures-directory) profiles RFC 9421 for bot use and defines the published key directory. Cloudflare ships verification at the network edge, and a growing list of major crawlers sign their traffic.
 
 ## Why it matters
 
diff --git a/src/content/spec/performance/bfcache.md b/src/content/spec/performance/bfcache.md
index 01ff0cd0..77d025a0 100644
--- a/src/content/spec/performance/bfcache.md
+++ b/src/content/spec/performance/bfcache.md
@@ -18,8 +18,8 @@ sources:
   - title: "MDN — bfcache"
     url: "https://developer.mozilla.org/en-US/docs/Glossary/bfcache"
     publisher: "MDN"
-  - title: "Chrome for Developers — Back/forward cache"
-    url: "https://developer.chrome.com/docs/web-platform/back-forward-cache"
+  - title: "Chrome for Developers — Test back/forward cache in DevTools"
+    url: "https://developer.chrome.com/docs/devtools/application/back-forward-cache"
     publisher: "Google"
 ---
 
diff --git a/src/content/spec/performance/critical-css.md b/src/content/spec/performance/critical-css.md
index b3883d4d..1c8d719c 100644
--- a/src/content/spec/performance/critical-css.md
+++ b/src/content/spec/performance/critical-css.md
@@ -18,9 +18,9 @@ sources:
   - title: "MDN — Render-blocking resources"
     url: "https://developer.mozilla.org/en-US/docs/Glossary/Render_blocking"
     publisher: "MDN"
-  - title: "web.dev — Eliminate render-blocking resources"
-    url: "https://web.dev/articles/render-blocking-resources"
-    publisher: "web.dev"
+  - title: "Chrome for Developers — Eliminate render-blocking resources"
+    url: "https://developer.chrome.com/docs/lighthouse/performance/render-blocking-resources"
+    publisher: "Google"
 ---
 
 ## What it is
diff --git a/src/content/spec/performance/css-containment.md b/src/content/spec/performance/css-containment.md
index 162eb5c8..6a386f3d 100644
--- a/src/content/spec/performance/css-containment.md
+++ b/src/content/spec/performance/css-containment.md
@@ -15,8 +15,8 @@ sources:
   - title: "MDN — contain"
     url: "https://developer.mozilla.org/en-US/docs/Web/CSS/contain"
     publisher: "MDN"
-  - title: "web.dev — Learn CSS containment"
-    url: "https://web.dev/learn/performance/css-containment"
+  - title: "web.dev — content-visibility: boost rendering performance"
+    url: "https://web.dev/articles/content-visibility"
     publisher: "Google"
 ---
 
diff --git a/src/content/spec/performance/script-loading.md b/src/content/spec/performance/script-loading.md
index 4fc62aac..52fe153c 100644
--- a/src/content/spec/performance/script-loading.md
+++ b/src/content/spec/performance/script-loading.md
@@ -15,9 +15,9 @@ sources:
   - title: "MDN — <script>"
     url: "https://developer.mozilla.org/en-US/docs/Web/HTML/Element/script"
     publisher: "MDN"
-  - title: "web.dev — Eliminate render-blocking resources"
-    url: "https://web.dev/articles/render-blocking-resources"
-    publisher: "web.dev"
+  - title: "Chrome for Developers — Eliminate render-blocking resources"
+    url: "https://developer.chrome.com/docs/lighthouse/performance/render-blocking-resources"
+    publisher: "Google"
   - title: "web.dev — JavaScript module scripts"
     url: "https://web.dev/articles/modulepreload"
     publisher: "web.dev"
diff --git a/src/content/spec/performance/scrollbar-gutter.md b/src/content/spec/performance/scrollbar-gutter.md
index 257af6ce..c5d9467f 100644
--- a/src/content/spec/performance/scrollbar-gutter.md
+++ b/src/content/spec/performance/scrollbar-gutter.md
@@ -15,8 +15,8 @@ sources:
   - title: "MDN — scrollbar-gutter"
     url: "https://developer.mozilla.org/en-US/docs/Web/CSS/scrollbar-gutter"
     publisher: "MDN"
-  - title: "web.dev — Prevent layout shifts with scrollbar-gutter"
-    url: "https://web.dev/articles/scrollbar-gutter"
+  - title: "web.dev — scrollbar-gutter and scrollbar-width are Baseline Newly available"
+    url: "https://web.dev/blog/baseline-scrollbar-props"
     publisher: "Google"
 ---
 
diff --git a/src/content/spec/performance/speculation-rules.md b/src/content/spec/performance/speculation-rules.md
index f9a97516..afd63288 100644
--- a/src/content/spec/performance/speculation-rules.md
+++ b/src/content/spec/performance/speculation-rules.md
@@ -56,7 +56,7 @@ This supersedes the older `<link rel="prerender">` hint, which has been removed
 - **Improved INP and LCP on the next page.** Because the work is already done, the metrics on the destination page record near-zero delay.
 - **Declarative.** No JavaScript event handlers, no IntersectionObserver, no custom hover-detection — the browser implements the heuristics.
 
-Cross-site prerender is gated on Chrome's [No-Vary-Search](https://developer.chrome.com/blog/no-vary-search) and additional restrictions; same-site is the realistic target for most sites.
+Cross-site prerender is gated on [No-Vary-Search](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/No-Vary-Search) and additional restrictions; same-site is the realistic target for most sites.
 
 ## How to implement
 
diff --git a/src/content/spec/performance/view-transitions.md b/src/content/spec/performance/view-transitions.md
index 2943759a..07d6acd5 100644
--- a/src/content/spec/performance/view-transitions.md
+++ b/src/content/spec/performance/view-transitions.md
@@ -21,8 +21,8 @@ sources:
   - title: "Chrome for Developers — Cross-document view transitions"
     url: "https://developer.chrome.com/docs/web-platform/view-transitions/cross-document"
     publisher: "Google"
-  - title: "WebKit — View Transitions"
-    url: "https://webkit.org/blog/16557/view-transitions/"
+  - title: "WebKit — Cross-document view transitions for every website"
+    url: "https://webkit.org/blog/16967/two-lines-of-cross-document-view-transitions-code-you-can-use-on-every-website-today/"
     publisher: "WebKit"
 ---
 
diff --git a/src/content/spec/privacy/cookie-consent.md b/src/content/spec/privacy/cookie-consent.md
index 5ba3c0ff..f6dfa265 100644
--- a/src/content/spec/privacy/cookie-consent.md
+++ b/src/content/spec/privacy/cookie-consent.md
@@ -15,8 +15,8 @@ sources:
   - title: "ICO — Cookies and similar technologies"
     url: "https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/cookies-and-similar-technologies/"
     publisher: "ICO"
-  - title: "CNIL — Cookies and other trackers"
-    url: "https://www.cnil.fr/en/cookies-and-other-trackers"
+  - title: "CNIL — Cookies and other tracking devices: new guidelines"
+    url: "https://www.cnil.fr/en/cookies-and-other-tracking-devices-cnil-publishes-new-guidelines"
     publisher: "CNIL"
   - title: "ePrivacy Directive 2002/58/EC, Article 5(3)"
     url: "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02002L0058-20091219"
diff --git a/src/content/spec/privacy/data-minimization.md b/src/content/spec/privacy/data-minimization.md
index 1055aabf..6955651e 100644
--- a/src/content/spec/privacy/data-minimization.md
+++ b/src/content/spec/privacy/data-minimization.md
@@ -13,7 +13,7 @@ sources:
     url: "https://gdpr-info.eu/art-5-gdpr/"
     publisher: "EU GDPR"
   - title: "ICO — Data minimisation"
-    url: "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/the-principles/data-minimisation/"
+    url: "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/data-minimisation/"
     publisher: "ICO"
   - title: "EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default"
     url: "https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-42019-article-25-data-protection-design-and_en"
diff --git a/src/content/spec/privacy/privacy-policy.md b/src/content/spec/privacy/privacy-policy.md
index c1d57036..b683d282 100644
--- a/src/content/spec/privacy/privacy-policy.md
+++ b/src/content/spec/privacy/privacy-policy.md
@@ -16,7 +16,7 @@ sources:
     url: "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/the-right-to-be-informed/"
     publisher: "ICO"
   - title: "EDPB Guidelines on Transparency under Regulation 2016/679"
-    url: "https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-transparency-under-regulation-2016679_en"
+    url: "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/transparency_en"
     publisher: "EDPB"
 ---
 
diff --git a/src/content/spec/security/caa-records.md b/src/content/spec/security/caa-records.md
index 90d1b76a..d251106d 100644
--- a/src/content/spec/security/caa-records.md
+++ b/src/content/spec/security/caa-records.md
@@ -15,9 +15,9 @@ sources:
   - title: "Let's Encrypt — CAA"
     url: "https://letsencrypt.org/docs/caa/"
     publisher: "Let's Encrypt"
-  - title: "MDN — DNS — CAA records"
-    url: "https://developer.mozilla.org/en-US/docs/Glossary/CAA_record"
-    publisher: "MDN"
+  - title: "RFC 8657 — CAA Record Extensions for Account URI and ACME Method Binding"
+    url: "https://www.rfc-editor.org/rfc/rfc8657"
+    publisher: "IETF"
 ---
 
 ## What it is

From b1aefbe1d1eafe667b2af91214a029ec4451cfc1 Mon Sep 17 00:00:00 2001
From: Joost de Valk <joost@altha.nl>
Date: Tue, 23 Jun 2026 14:19:49 +0200
Subject: [PATCH 2/4] =?UTF-8?q?ci(links):=20retry=20the=20external=20link?=
 =?UTF-8?q?=20crawl=20up=20to=203=C3=97=20for=20transient=20429s?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

GitHub's burst-limit 429s carry no retry-after header, so linkinator's own
--retry can't catch them, and they hit a random third-party github.com blob
link each run. Wrap the whole crawl in a 3-attempt loop: genuinely dead URLs
fail every attempt and stay red; transient flakes clear on a re-run. Keeps
real-rot detection on third-party github citations instead of skipping them.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/workflows/links.yml | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml
index 783763f8..11adf552 100644
--- a/.github/workflows/links.yml
+++ b/.github/workflows/links.yml
@@ -97,5 +97,17 @@ jobs:
             sleep 1
           done
           [ -n "$up" ] || { echo "::error::preview server did not start"; exit 1; }
-          npx --yes linkinator@6 http://localhost:4321 \
-            --config linkinator.config.json
+          # Retry the whole crawl: GitHub's burst-limit 429s omit a retry-after
+          # header (so linkinator's own --retry can't catch them) and hit a
+          # random link each run. A genuinely dead URL fails every attempt and
+          # stays red; a transient flake clears on a re-run.
+          ok=
+          for attempt in 1 2 3; do
+            if npx --yes linkinator@6 http://localhost:4321 \
+                 --config linkinator.config.json; then
+              ok=1; break
+            fi
+            echo "::warning::link check attempt $attempt failed — retrying in 20s"
+            sleep 20
+          done
+          [ -n "$ok" ] || { echo "::error::link check failed after 3 attempts"; exit 1; }

From 73898a6c5e22afc7446a49806404df33a9bd65bc Mon Sep 17 00:00:00 2001
From: Joost de Valk <joost@altha.nl>
Date: Tue, 23 Jun 2026 14:25:26 +0200
Subject: [PATCH 3/4] =?UTF-8?q?ci(links):=20skip=20github.com=20=E2=80=94?=
 =?UTF-8?q?=20runner=20IP=20is=20persistently=20rate-limited?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

GitHub 429s the shared GitHub Actions runner IP for github.com web requests
regardless of link validity, and the limit window outlasts the retry loop, so
a valid citation (e.g. the NLWeb docs file) fails every attempt. Skip the whole
host rather than ship a red-by-default sweep; github citations are verified by
hand when added. The retry loop stays as a net for other transient hosts.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/workflows/links.yml | 8 ++++----
 linkinator.config.json      | 3 +--
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml
index 11adf552..2a627ae8 100644
--- a/.github/workflows/links.yml
+++ b/.github/workflows/links.yml
@@ -59,10 +59,10 @@ jobs:
   #   - skip[]: hosts that hard-block any headless checker and can never pass —
   #     w3.org/validator.w3.org/securityheaders.com sit behind a Cloudflare JS
   #     challenge (403 "Just a moment…"); developers.facebook.com 400s bots;
-  #     github.com /edit/ links and our own jdevalk/specification.website repo
-  #     self-links are per-page chrome that 429 under GitHub's burst limit (not
-  #     citations — third-party github repos stay checked); the a2a endpoint is
-  #     POST-only (405);
+  #     github.com web requests are persistently 429'd from the shared GitHub
+  #     Actions runner IP regardless of validity (the rate-limit window outlasts
+  #     the retry loop below), so the whole host is skipped — verify github
+  #     citations by hand when adding them; the a2a endpoint is POST-only (405);
   #     developer.android.com connection-resets headless clients ([0]); and
   #     example.com is the reserved illustration domain used in prose samples.
   #     These are excluded so a red run means real rot, not bot-blocking. Genuine
diff --git a/linkinator.config.json b/linkinator.config.json
index 0141e1c1..606582d7 100644
--- a/linkinator.config.json
+++ b/linkinator.config.json
@@ -18,8 +18,7 @@
     "^https?://equalizedigital\\.com/",
     "^https?://developer\\.android\\.com/",
     "^https?://(www\\.)?example\\.com/",
-    "^https?://github\\.com/jdevalk/specification\\.website",
-    "^https?://github\\.com/[^/]+/[^/]+/edit/",
+    "^https?://github\\.com/",
     "^https?://mcp\\.specification\\.website/a2a/"
   ]
 }

From 39206641be88848f7c744df84f6968c61908fbc4 Mon Sep 17 00:00:00 2001
From: Joost de Valk <joost@altha.nl>
Date: Tue, 23 Jun 2026 15:48:53 +0200
Subject: [PATCH 4/4] ci(links): drop the outer retry loop, bound the job to 10
 min
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The outer 3× crawl loop compounded with linkinator's retry-after waits and
could stall the step for 10+ minutes. Its original purpose (surviving GitHub's
header-less 429s) is moot now that github.com is skipped. Revert to a single
linkinator pass and add timeout-minutes: 10 as a fail-fast backstop against a
single upstream returning a large retry-after.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/workflows/links.yml | 25 ++++++++-----------------
 1 file changed, 8 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml
index 2a627ae8..b7070dab 100644
--- a/.github/workflows/links.yml
+++ b/.github/workflows/links.yml
@@ -60,9 +60,9 @@ jobs:
   #     w3.org/validator.w3.org/securityheaders.com sit behind a Cloudflare JS
   #     challenge (403 "Just a moment…"); developers.facebook.com 400s bots;
   #     github.com web requests are persistently 429'd from the shared GitHub
-  #     Actions runner IP regardless of validity (the rate-limit window outlasts
-  #     the retry loop below), so the whole host is skipped — verify github
-  #     citations by hand when adding them; the a2a endpoint is POST-only (405);
+  #     Actions runner IP regardless of validity, so the whole host is skipped —
+  #     verify github citations by hand when adding them; the a2a endpoint is
+  #     POST-only (405);
   #     developer.android.com connection-resets headless clients ([0]); and
   #     example.com is the reserved illustration domain used in prose samples.
   #     These are excluded so a red run means real rot, not bot-blocking. Genuine
@@ -71,6 +71,9 @@ jobs:
     name: External links
     if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
+    # Safety net: a single upstream returning a large retry-after can stall
+    # linkinator's --retry. Bound the whole job so it fails fast rather than hang.
+    timeout-minutes: 10
     steps:
       - uses: actions/checkout@v6
 
@@ -97,17 +100,5 @@ jobs:
             sleep 1
           done
           [ -n "$up" ] || { echo "::error::preview server did not start"; exit 1; }
-          # Retry the whole crawl: GitHub's burst-limit 429s omit a retry-after
-          # header (so linkinator's own --retry can't catch them) and hit a
-          # random link each run. A genuinely dead URL fails every attempt and
-          # stays red; a transient flake clears on a re-run.
-          ok=
-          for attempt in 1 2 3; do
-            if npx --yes linkinator@6 http://localhost:4321 \
-                 --config linkinator.config.json; then
-              ok=1; break
-            fi
-            echo "::warning::link check attempt $attempt failed — retrying in 20s"
-            sleep 20
-          done
-          [ -n "$ok" ] || { echo "::error::link check failed after 3 attempts"; exit 1; }
+          npx --yes linkinator@6 http://localhost:4321 \
+            --config linkinator.config.json