This blog has six distribution channels, each serving a different audience and timeline. The same content distribution pipeline concept applies to any content platform — documentation sites, developer portals, knowledge bases — the channels differ but the architecture is the same. Here’s how they work together.

The Distribution Channels

graph TD
    A[git push] --> B[GitHub Actions Build]
    B --> C[GitHub Pages]
    B --> D[RSS Feed - feed.xml]
    B --> E[Sitemap - sitemap.xml]
    B --> F[Sitemap Index - sitemapindex.xml]
    F --> G[Google Search Console]
    C --> H[Direct Readers]
    D --> I[RSS Subscribers]
    G --> J[Google Search Results]
    C --> K[Substack Newsletter]
    K --> L[Newsletter Subscribers]
    C --> M[Social Sharing]
    M --> N[Reddit / LinkedIn / etc.]

RSS Feed

The RSS feed is the oldest and simplest distribution channel. The jekyll-feed plugin generates feed.xml automatically at build time.

# Gemfile
gem "jekyll-feed", "~> 0.17.0"

That’s it. Every post gets an entry in the feed with title, date, excerpt, and full content. Feed readers like Feedly, NewsBlur, and Miniflux pick it up automatically.

The feed URL is https://mcgarrah.org/feed.xml and is advertised via a <link> tag in the HTML head that feed readers auto-discover.

What RSS Gets Right

• Zero ongoing effort — Once configured, every new post is automatically in the feed
• Reader-controlled — Subscribers choose when and how to read. No algorithm, no inbox competition
• Full content — The feed includes the complete post, not just a teaser. Readers don’t have to click through

What RSS Misses

• Shrinking audience — RSS readership has declined since Google Reader shut down in 2013. Most non-technical readers don’t use feed readers
• No analytics — I can’t tell how many people read via RSS (by design — that’s a feature for privacy-conscious readers)

Sitemap and Sitemap Index

The sitemap tells search engines what pages exist and when they were last modified. This blog has a two-level sitemap structure because it hosts two Jekyll sites under one domain.

The Multi-Site Problem

The main blog lives at mcgarrah.org/ and the resume lives at mcgarrah.org/resume/. Each has its own sitemap.xml generated by jekyll-sitemap. But Google Search Console wants a single sitemap entry point for the domain.

The solution (added April 8, 2026) is a sitemapindex.xml at the domain root:

<?xml version="1.0" encoding="UTF-8"?>
<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <sitemap>
    <loc>https://mcgarrah.org/sitemap.xml</loc>
  </sitemap>
  <sitemap>
    <loc>https://mcgarrah.org/resume/sitemap.xml</loc>
  </sitemap>
</sitemapindex>

The robots.txt points to the index, not the individual sitemaps:

Sitemap: https://mcgarrah.org/sitemapindex.xml

This was a direct fix for the fragmented sitemap problem documented in Managing Multiple Jekyll Sites: Sitemap Challenges.

Sitemap Hygiene

The sitemap went through significant cleanup — from 434 URLs down to ~172 after excluding auto-generated tag pages, category pages, and pagination. That story is told in Your Jekyll Sitemap Is 60% Garbage. The SEO health check workflow validates the sitemap on every build.

Google Search Console

Google Search Console (GSC) is where the sitemap meets Google’s crawler. Submitting the sitemap index tells Google about every page on both the blog and resume sites.

The Indexing Journey

Getting Google to properly index the site was a multi-month process:

1. Domain verification — Proved ownership of mcgarrah.org via DNS TXT record
2. Sitemap submission — Submitted sitemapindex.xml pointing to both sitemaps
3. Canonical URL fixes — Resolved “Duplicate without user-selected canonical” errors by aligning url and canonical_url in _config.yml (published December 2025)
4. 404 cleanup — Removed testing artifacts from _site/ that were generating crawl errors
5. Sitemap bloat fix — Excluded thin tag/category/pagination pages that Google flagged as “Discovered – currently not indexed”

The SEO health check GitHub Actions workflow now validates all of this automatically on every push — canonical URL consistency, sitemap XML validity, correct domain usage, and broken links.

What GSC Tells You

• Coverage — Which pages are indexed, which are excluded, and why
• Performance — Search queries that lead to your site, click-through rates, average position
• Core Web Vitals — Page speed and user experience metrics
• Links — External sites linking to your content (this is where you see the Substack and Reddit inbound links)

Substack Newsletter

Substack is the highest-effort, highest-impact distribution channel. Each newsletter is a curated collection of blog posts with narrative connecting them, aimed at a broader audience than the blog’s typical reader.

The Cross-Posting Workflow

1. Write blog posts — Individual technical articles published on the blog over weeks/months
2. Identify a theme — Group related posts into a narrative arc
3. Write the newsletter — A 2,000-3,000 word article that tells the story across multiple posts, with links back to each one
4. Archive in _substack/ — Keep a markdown copy in the repository for version control

The _substack/ directory is excluded from the Jekyll build (the _ prefix ensures Jekyll ignores it). It’s purely for archival:

_substack/
├── README.md                                    # Publication schedule and tags
├── 2026-04-04-from-homelabs-to-machine-learning.md  # Published
└── 2026-04-20-from-markdown-to-production.md        # Published

The Inbound Link Effect

Each Substack newsletter contains 20-25 links back to specific blog posts:

These aren’t generic “visit my blog” links — each one points to a specific post URL like https://mcgarrah.org/proxmox-ceph-nearfull/. This is why permalink stability matters so much. If I changed the permalink structure, 47 newsletter links would break instantly, and I can’t edit published Substack articles retroactively.

The inbound links also serve as backlinks for SEO — external sites linking to your content is one of Google’s strongest ranking signals.

Publication Scheduling

Blog posts must be live before the newsletter that references them goes out. The DRAFTS.md tracker includes a dependency checklist for each Substack publication:

The Apr 20 Substack references the following blog posts that should be live:
- 2026-04-14-ceph-osd-recovery-power-failure.md ✅
- 2026-04-15-zfs-ceph-overlapping-failures.md ✅
- 2026-04-18-jekyll-markdown-feature-reference.md ✅
- 2026-04-19-setting-up-jekyll-blog-github-pages.md ✅

Planned Newsletters

Social Sharing

Reddit, LinkedIn, and other platforms are manual, per-post distribution. The effort is low (15 minutes to write a post title and context) but the reach is unpredictable — a Reddit post might get 3 views or 3,000.

What Makes Posts Shareable

• Clean URLs — mcgarrah.org/proxmox-ceph-nearfull/ looks better than a date-heavy URL in a Reddit title
• Open Graph meta tags — When someone pastes a link on LinkedIn or Twitter, the jekyll-seo-tag plugin provides the title, description, and image for the preview card
• Descriptive titles — “Your Jekyll Sitemap Is 60% Garbage” gets more clicks than “Sitemap Optimization Notes”

The Permalink Contract

Every external share creates a permanent reference to a specific URL. A Reddit post from 2025 still points to mcgarrah.org/proxmox-8-dell-wyse-3040-upgrade/. That URL must work forever — or at least redirect via jekyll-redirect-from if the post is renamed.

This is the same constraint as Substack links, but harder to track. I know exactly which URLs my newsletters reference (they’re in the _substack/ archive). I don’t know which URLs have been shared on Reddit or bookmarked by readers.

Cross-References Between Posts

The newest distribution channel is the “Related Posts” section at the bottom of articles. Currently 16 of 139 posts have hand-curated cross-references — all from September 2025 onward.

These serve double duty:

• Reader navigation — A reader finishing the Ceph OSD recovery post sees links to the ZFS failure post and the SSD acceleration post
• Internal linking for SEO — Google uses internal link structure to understand which pages are most important. Posts with many inbound internal links rank higher

How the Channels Reinforce Each Other

The channels aren’t independent — they form a flywheel:

1. Blog post published → appears in RSS feed and sitemap automatically
2. Google indexes it → organic search traffic starts arriving (days to weeks)
3. Substack newsletter bundles multiple posts → drives traffic spike to all referenced posts
4. Reddit/LinkedIn share → drives traffic spike to individual post
5. Inbound links from Substack and social → improve Google ranking → more organic traffic
6. Cross-references in new posts → drive traffic to older posts → keep them relevant

The daily GitHub Actions cron build ensures future-dated posts enter this pipeline automatically. The SEO health check ensures the pipeline stays healthy.

What I’d Add Next

• Social sharing buttons on posts — Currently on the TODO list. Would reduce friction for readers who want to share
• Substack RSS import — Substack can auto-import from an RSS feed, which would reduce the manual cross-posting effort
• Analytics per channel — Google Analytics shows referral sources, but I don’t track which Substack newsletter drove which traffic spike
• Automated cross-references — The 123 older posts without “Related Posts” sections could benefit from tag-based automated suggestions

Related Posts

• Jekyll Content Plumbing: Permalinks, Reading Time, Excerpts, and Redirects — Why permalink stability matters for distribution
• Your Jekyll Sitemap Is 60% Garbage — Sitemap cleanup
• Managing Multiple Jekyll Sites: Sitemap Challenges — The multi-site sitemap problem
• Jekyll SEO, Sitemap, and Canonical URL Fixes — Google Search Console indexing fixes
• The CI/CD Pipeline Behind This Jekyll Blog — The build system that powers the pipeline
• Building This Blog: Jekyll on GitHub Pages — Overall setup guide

The trigger was a content rewrite. I sat down to update five years of work at Envestnet — a role that had evolved from platform engineer to cross-enterprise operator to compliance leader to AI/ML initiator — and realized the template was fighting me at every turn. Condensing that arc into clear, quantified impact statements was hard enough without also wrestling with a sidebar layout that wasted half the viewport and a Pandoc pipeline that needed 16 regex patterns to produce a clean PDF. The content challenge made the architectural debt impossible to ignore. To be fair, I built some of this complexity myself in the rush to get resume content out quickly — so the debt was partly my own making.

Over the past two weeks I executed a ground-up rebuild — 80 commits across 9 days. New architecture, new content voice, new export pipeline, and a few improvements to the blog along the way.

What Was Wrong

The short version: the site loaded Bootstrap 3.4.1, jQuery, and the full Font Awesome library to render what is fundamentally a text document. The only JavaScript usage was animating skill progress bars — a feature I was removing anyway. IE8 shims were still in the <head>. A Liquid-based HTML minifier (compress.html) added complexity for negligible benefit. Nine SCSS color skins existed for a site that used exactly one.

The deeper problem was structural. The sidebar layout wasted horizontal space on a content-dense resume, and it made Pandoc exports painful. My jekyll-pandoc-exports plugin needed 16 regex patterns to strip sidebar markup, icon stacks, and CDN references before Pandoc could produce a clean PDF. That is not a sustainable architecture.

The Sunk Cost Problem

I had invested significantly in the old template. Over 107 commits across nine years, I had:

• Upgraded jQuery from 1.11.3 to 3.7.1 (addressing security vulnerabilities)
• Upgraded Bootstrap from 3.3.6 to 3.4.1 (the last 3.x release)
• Upgraded Font Awesome from the original 4.x local copy to 5.1.1, then to 6.6.0, then to 6.7.2 via CDN
• Converted all static dependencies from local copies to CDN with SRI integrity hashes (saving ~2MB of repo bloat)
• Added Dependabot monitoring, then immediately had to pin Bootstrap to ~3.4.x and Font Awesome to ^6.x to prevent Dependabot from proposing breaking major version upgrades
• Added a print view, certifications section, publications section, OSS contributions
• Created dark mode SCSS skins (that I never shipped)
• Built the details/summary collapsible pattern for the brief view
• Added GitHub Actions deployment, replacing the old github-pages gem approach

Each of those upgrades was defensible in isolation. jQuery 1.11.3 had known CVEs — upgrading to 3.7.1 was the responsible thing to do. Font Awesome 4.x was end-of-life — moving to 6.x was correct. Converting to CDN with SRI hashes was a security best practice.

But stepping back, the pattern was clear: I was spending effort maintaining dependencies the site did not actually need. Bootstrap provided a CSS reset and some utility classes — my layout was already CSS Grid. jQuery animated skill bars — a feature I wanted to remove. Font Awesome provided icons — I used fifteen of them. Every upgrade was polishing a dependency that should have been deleted.

This is the same pattern I see in enterprise architecture. Teams invest years upgrading Oracle 11g to 12c to 19c, carefully managing breaking changes and compatibility matrices, when the real question is whether they should be on PostgreSQL. The sunk cost of previous upgrades makes the “just upgrade again” path feel safer than the “start fresh” path — even when starting fresh is objectively less total effort and produces a better result.

The moment I realized I was writing commit messages like “Pin Bootstrap to 3.4.x to prevent major version upgrades” — actively fighting my own dependency management tooling to keep a library I barely used — was the moment the refactor became inevitable. The decision framework is simple: if you are spending more effort managing a dependency than the value it provides, the correct action is removal, not another upgrade cycle.

The Rebuild: Four Views, One Data Source

Everything renders from _data/data.yml. No content duplication across views.

The brief view uses native <details>/<summary> elements for progressive disclosure — no JavaScript required. The print view is linear HTML that Pandoc converts cleanly and serves as the comprehensive version that the shorter views link back to. The ultra-brief is a self-contained two-page resume — the kind you hand someone in an elevator — with every job title linking to its full entry in the print view via stable anchors. The machine view provides Schema.org structured data that makes the resume trivially parseable by recruiting tools.

What Got Dropped

• Bootstrap 3.4.1 (replaced by ~200 lines of hand-rolled CSS with CSS Grid)
• jQuery (zero JavaScript for presentation)
• Font Awesome CDN (replaced by an inline SVG sprite with ~12 icons)
• IE8/IE9 conditional comments and shims
• compress.html Liquid minifier
• Nine unused SCSS color skins
• github-pages gem (80+ transitive dependencies, conflicts with Jekyll 4.x)
• Sidebar layout entirely
• Skill bar animations
• Legacy static PDF snapshots in assets/pdf/
• Obsolete template files from the original orbit-theme

What Got Built

Content Overhaul First

Before touching the architecture, I rewrote the content. Five years at Envestnet meant five years of scope expansion — from a single platform to 20+ AWS accounts, from isolated evidence requests to leading eight simultaneous SOC audits, from supporting a data science team to delivering the first AI/ML production workload on the billing platform. Capturing that progression in concise, impact-focused language was the hardest part of the entire project. Every position got a fresh voice — clearer impact statements, better quantification, leadership framing where appropriate. I added consulting roles that had been missing (some dating back to the early 2000s), added recently published Python packages to the projects section, and restructured experience entries from flat markdown blobs into a structured subsections array with explicit titles. That last change solved a Pandoc rendering problem where job titles and subsection headings rendered at identical visual weight in PDF output.

Modern CSS with Light/Dark Mode

The entire stylesheet is CSS custom properties with a prefers-color-scheme media query. The site respects the user’s OS setting automatically — no JavaScript toggle, no cookie, no flash of wrong theme.

:root {
  --bg: #ffffff;
  --text: #3F4650;
  --accent: #4B6A78;
}
@media (prefers-color-scheme: dark) {
  :root {
    --bg: #1a1a2e;
    --text: #e0e0e0;
    --accent: #7fb3c8;
  }
}

Jinja2/XeLaTeX PDF Pipeline

The Pandoc-based export still works for quick DOCX generation, but for PDF I built a separate Python pipeline. A Jinja2 template reads the same _data/data.yml and produces LaTeX source that XeLaTeX compiles with full typographic control — proper font selection, precise spacing, and a visual hierarchy that CSS-to-PDF converters cannot match.

I evaluated WeasyPrint first (CSS-to-PDF via Python) and rejected it after a day. The rendering was acceptable for simple documents but lacked the fine-grained typographic control required for a professional resume — page break placement, precise header spacing, proper LaTeX ligatures, and conditional content based on template variant. XeLaTeX gives full control over every aspect of the output. The trade-off is build complexity (LaTeX toolchain installation), but that cost is paid once in CI and amortized across every subsequent build.

Three template variants exist:

• Long — Full detail, multi-page with company logos (34 pages with everything)
• Brief — Curated highlights, 5 pages
• Ultra-brief — Aggressive two-page format for job boards that penalize length

The pipeline lives in bin/generate-latex.py and runs independently of Jekyll. Same YAML data, different rendering engine, purpose-built output.

Company and University Logos

Both the HTML views and the LaTeX PDFs now include company and university logos alongside experience and education entries. I wanted the visual appeal that LinkedIn profiles have — a recognizable logo next to each role grounds the reader and adds credibility at a glance.

The implementation was more work than expected. The challenges fell into three categories:

Finding logos for defunct companies. Q+E Software was acquired by Intersolv in 1994, which became Merant, then Serena, then Micro Focus. No digital logo assets survive online — the only path would be scanning physical materials from the 1990s. Hosted Solutions (a Raleigh ISP from 2004) required the Wayback Machine. NC LIVE’s original purple logo from 2000 was similarly archived. For companies truly lost to history, I created custom SVG icons — a generic tooth for a dental practice, a database cylinder for a database consulting firm.

SVG clipping and viewBox manipulation. Many SVGs include both an icon mark and a wordmark. At 48px display size, the wordmark is unreadable — you want just the icon. The technique is adjusting the viewBox to “zoom in” on the icon portion: find the coordinate boundaries of the mark by examining path data, then set a cropped viewBox that frames just that area. This worked for USPS (eagle only), Measurement Incorporated (M+I+caliper only), and the AKC shield.

Except when it did not work. The AKC SVG uses a transform matrix (matrix(9.37,0,0,9.37,-2975,-5501)) with overflow:visible — the content renders at absolute positions regardless of viewBox. The fallback was rendering the full SVG to a high-resolution PNG with cairosvg, then cropping the raster image with Pillow. Sometimes the pragmatic solution wins.

Converting for LaTeX. XeLaTeX cannot embed SVG files directly. A Python script (bin/convert_logos_to_png.py) converts all SVGs to 400px-wide PNGs with transparent backgrounds using cairosvg, then the LaTeX template includes them with \includegraphics. Getting \IfFileExists paths correct so missing logos degrade gracefully (rather than crashing the build) took more iterations than I would like to admit.

The result is a preview.html page that shows all logos at resume scale in both light and dark mode — essential for catching dark-fill logos that disappear on dark backgrounds. The full inventory, sources, and lessons learned live in the logo README.

Ultra-Brief View

Beyond the three original planned views, I added an ultra-brief HTML page at /resume/ultra-brief/ — a self-contained, two-page resume with inline styles. It is designed for the “paste your resume” fields on job boards where you need maximum density. The corresponding XeLaTeX template produces a matching PDF.

Stable Anchor IDs — Linking Views Together

A problem I did not anticipate: how do the brief and ultra-brief views link back to the comprehensive view? When a recruiter reads the two-page ultra-brief PDF and wants more detail on a specific role, they need a reliable URL that takes them directly to that entry in the full /resume/print/ view.

The solution was adding an anchor field to every experience and education entry in _data/data.yml — a stable, human-readable ID following the convention {company-slug}-{start-year} (e.g., envestnet-2021, edu-gatech-2014). These anchors are rendered as HTML id attributes in the print view, and the ultra-brief PDF links each job title to mcgarrah.org/resume/print/#envestnet-2021.

The critical constraint: these anchors must never change. They are embedded in PDFs I hand to recruiters, linked from LinkedIn posts, and referenced in external documents. A broken anchor link in a resume PDF reflects poorly in exactly the way you cannot afford when job hunting. I added a stability warning comment at the top of data.yml and wrote the anchor generation as a one-time script (bin/add_anchors.py) so the IDs are deterministic and reproducible — not generated dynamically from content that might shift.

This turned out to be one of the more important architectural decisions. The different views are not isolated documents — they are a connected system where the brief versions serve as entry points that funnel interested readers toward the comprehensive version.

Machine-Readable Structured Data

The /resume/machine/ view embeds two JSON-LD blocks — a WebPage descriptor and a full Person entity with 17 credentials, 27 occupations, and semantic markup on every content element. The HTML uses <article>, <section>, <time datetime="...">, and Schema.org microdata attributes throughout.

After deploying to production, I ran Google’s Rich Results Test and fixed the Schema.org validation warnings it flagged — mostly ScholarlyArticle type issues in the publications section. The structured data now validates cleanly.

SEO and Social Sharing — The Cascade to the Blog

Adding an Open Graph image (og:image) to the resume site was straightforward — one branded SVG rendered to PNG, referenced in the config defaults. But validating the resume’s /resume/machine/ view with Google’s Rich Results Test revealed a broader gap: Google’s Article rich results require an image property on every page. My blog had 117 published posts, none with OG images.

This became the single biggest change to the blog during this sprint. I wrote a Python script (bin/generate-og-images.py) that generates branded social preview cards — SVG templates with the post title rendered in, converted to PNG via cairosvg. A companion script (bin/update-og-frontmatter.py) added the image: front matter field to all 117 posts. One commit, 350 files.

The blog also gained BlogPosting structured data support in _config.yml, enabling Article rich results across all posts. Both changes — the OG images and the structured data — trace directly back to the resume’s machine view work. Building the resume’s JSON-LD made me realize the blog was missing the same SEO fundamentals that I had just implemented for the resume.

This is the kind of cross-pollination that happens when you maintain related sites on the same domain. Improving one surfaces gaps in the other.

CI Pipeline Improvements

The GitHub Actions workflow now handles the full build pipeline:

• Jekyll build (HTML views)
• XeLaTeX compilation (long, brief, and ultra-brief PDFs)
• html-proofer for link integrity
• Apt package caching to cut 6+ minutes off deploy time

The apt caching was a nice win — XeLaTeX and its dependencies are large packages, and caching them between runs makes the CI feedback loop much tighter.

Developer Experience

Small things that made the iteration faster:

• jekyll-start.sh with automatic port detection and a --clean flag
• jekyll-clean.sh with soft/hard clean modes
• Sass modernization (@import → @use) to eliminate deprecation warnings
• Added Substack profile link across all views

The Dual-Language Architecture

The site now runs two rendering stacks deliberately:

• Ruby (Jekyll) — HTML views for the web (brief, print, machine, ultra-brief)
• Python (Jinja2 + XeLaTeX) — PDF generation with full typographic control

Both read from _data/data.yml. This is not accidental complexity — it is a deliberate architectural decision. Each tool does what it is best at. Jekyll excels at templating HTML for the web. XeLaTeX excels at typesetting documents for print. Trying to make one tool do both jobs is how you end up with 16 regex cleanup patterns — the same kind of impedance mismatch you see when teams force a single CI/CD tool to handle both container builds and infrastructure provisioning.

The shared data layer (data.yml) is the integration point. Content changes propagate to all outputs automatically. The rendering engines are independent and replaceable — if a better LaTeX alternative emerges, or if Jekyll is eventually replaced, the data layer remains stable.

Blog Improvements (Along the Way)

Beyond the OG image and structured data work described above, the blog picked up one housekeeping item:

• OG image publishing workflow — Documented the generation and front matter update process so future posts get OG images as part of the standard publishing workflow rather than as a bulk backfill.

What is Next

The structural rebuild is done — the foundation is solid. What remains is building on top of it:

• In-browser search — not Google Custom Search (which I actively dislike on the blog but needed something quick). For the resume, I want purpose-built semantic search that lets recruiters query by skill, role, or technology and get linked results across experiences. Pagefind is the pragmatic first step — static indexing at build time, swappable later for something smarter.
• Per-entry skills taxonomy — explicit skill-to-experience mapping for ATS keyword matching
• AI agent integration — conversational interface backed by the machine view’s structured data

The skills taxonomy is the one I am most interested in. Right now, skills live in a flat list at the bottom of the resume — disconnected from the experiences that developed them. I want to build a semantic map: which skills were used at which jobs, for how long, and how they cluster. The stable anchor IDs already give each experience entry a permanent address. Adding per-entry skill annotations creates the edges in a graph — connecting “Kubernetes” not just to a skills list but to specific roles, specific years, specific outcomes.

That kind of structured relationship data opens up interesting possibilities — semantic search across the resume (“show me everything involving Kubernetes in production”), automatic keyword optimization for specific job descriptions, and eventually feeding richer context to an AI agent that can answer recruiter questions with grounded, specific evidence rather than generic summaries. When someone asks “how long have you worked with EKS?” the answer should not be a number — it should be a linked trail through five years of specific clusters, upgrades, and incidents.

The machine view’s JSON-LD already provides the foundation. The next step is enriching it with per-entry skill annotations and seeing what becomes possible when the resume is not just a document but a queryable knowledge graph.

The broader implication: a resume should not be a static document you update twice a year. It should be a living system — structured data that multiple consumers can query, render, and reason about in ways appropriate to their needs. The rebuild gives me that foundation.

The site is live at mcgarrah.org/resume/ and the source is on GitHub.

Lessons Learned

Legacy templates accumulate invisible debt. The orbit-theme worked fine in 2017. By 2026 it was carrying 500KB of unused dependencies and architectural decisions that actively fought every change. This is true of any system that grows by accretion — the cost is not in any single dependency but in the aggregate maintenance burden and the cognitive overhead of understanding why each piece exists.

Separate concerns by output format. One rendering engine for web, another for print. The shared data layer (data.yml) is the integration point — not shared templates trying to serve both masters. This is the same principle behind separating API contracts from implementation: define the interface once, let each consumer render it appropriately.

Evaluate quickly, decide quickly. I tried WeasyPrint, found it lacking for my requirements, and removed it the same day. The git history shows the full arc: add WeasyPrint → evaluate → remove → build XeLaTeX pipeline. Rapid prototyping with a willingness to discard is faster than extended analysis paralysis. The key is having clear acceptance criteria before you start evaluating.

Structured data pays compound interest. The machine view took a day to build but serves three purposes: SEO, ATS compatibility, and future AI agent grounding context. Investments that serve multiple stakeholders from a single implementation are the highest-leverage work you can do.

Treat your views as a linked system, not isolated documents. The brief versions are entry points that funnel readers toward the comprehensive version. Stable anchor IDs in the data layer make that linking reliable — and once those IDs are in external PDFs, they are a contract you cannot break. This is the same principle as API versioning: once you publish an interface, backward compatibility becomes a constraint.

CSS has caught up. CSS Grid, custom properties, clamp(), :has(), prefers-color-scheme — you genuinely do not need a framework for a content site in 2026. The entire stylesheet is under 200 lines. Know when your dependencies have been superseded by the platform itself.

Cache your CI dependencies. Six minutes of apt downloads on every push adds up fast when you are iterating on LaTeX templates. One caching step fixed it. Build pipeline optimization is not glamorous work, but it directly multiplies developer velocity.

After scrolling past 130+ posts trying to spot my drafts one too many times, I added visual indicators — a pencil icon for drafts, a robot icon for future-dated posts (because robots are cool and futuristic), and italic text for both. The indicators only appear during local development because drafts and future posts don’t exist in production builds. Making system state visible at a glance is a UX principle that applies equally to monitoring dashboards, CI/CD pipelines, and content management — if you have to dig to find the status, the status isn’t working.

The Problem

Running jekyll serve --drafts --future --unpublished renders everything into site.posts. The archive page, home page, and paginated listings all show drafts and future posts mixed in with published content. There’s no visual distinction.

This matters when you have 50 drafts and 5 future-dated posts queued up. You want to:

• Quickly identify what’s live vs what’s scheduled
• Spot drafts that accidentally have published: true (they’ll deploy if moved to _posts/)
• Verify that future-dated posts have the correct dates before they go live

What Jekyll Exposes

Before building anything, I needed to confirm what data Jekyll makes available in templates.

Future posts are straightforward. Every post has a post.date, and Jekyll provides site.time (the build timestamp). Compare them:

{% if post.date > site.time %}
  <!-- this post is future-dated -->
{% endif %}

Drafts are trickier. Jekyll doesn’t set a post.draft flag or expose the source collection. But drafts come from the _drafts/ directory, and that path is available:

{% if post.path contains '_drafts/' %}
  <!-- this post is a draft -->
{% endif %}

This works because post.path contains the relative path from the site root, including the directory name.

In production, neither check matters — drafts and future posts aren’t in site.posts at all when building without --drafts and --future. The conditionals are inert. No performance cost, no risk of leaking unpublished content.

The Implementation

Adding Icons to the SVG Sprite

This blog uses a Font Awesome SVG sprite that’s built at compile time from icons referenced in _config.yml. Only icons listed under navigation and external get included. To add the draft and future icons without polluting those lists, I added a new config key:

# _config.yml
post_status_icons:
  - {icon: pencil-alt}     # draft posts
  - {icon: robot}          # future-dated posts

And extended the sprite template to include them:

<!-- assets/fontawesome/icons.svg -->
{% assign keys = 'navigation,external,post_status_icons' | split: ',' %}
{% for key in keys %}
{% for link in site[key] %}
  {% assign icon = link.icon %}
  {% assign svg = site.data.font-awesome.icons[icon].svg | first %}
  <symbol id="{{ icon }}" viewBox="0 0 {{ svg[1].width }} {{ svg[1].height }}">
    <path d="{{ svg[1].path }}" />
  </symbol>
{% endfor %}
{% endfor %}

This adds exactly two SVG symbols to the sprite — no CDN load, no external requests.

Archive Page

The _includes/archive.html gets the detection logic and conditional rendering:

{% for post in site.posts %}
{%- assign is_draft = false -%}
{%- assign is_future = false -%}
{%- if post.path contains '_drafts/' -%}{%- assign is_draft = true -%}{%- endif -%}
{%- if post.date > site.time -%}{%- assign is_future = true -%}{%- endif -%}
<li>
  <time datetime="{{ post.date | date_to_xmlschema }}">{{ post.date | date: "%Y-%m-%d" }}</time>
  {%- if is_draft %}
  <svg aria-label="Draft" class="icon icon-status" title="Draft">
    <use xlink:href="{{ "/assets/fontawesome/icons.svg" | relative_url }}#pencil-alt"></use>
  </svg>
  {%- elsif is_future %}
  <svg aria-label="Future" class="icon icon-status" title="Scheduled">
    <use xlink:href="{{ "/assets/fontawesome/icons.svg" | relative_url }}#robot"></use>
  </svg>
  {%- endif %}
  {%- if is_draft or is_future %}
  <em><a href="{{ post.url | relative_url }}">{{ post.title }}</a></em>
  {%- else %}
  <a href="{{ post.url | relative_url }}">{{ post.title }}</a>
  {%- endif %}
</li>
{% endfor %}

Draft entries get a pencil icon. Future entries get a robot icon. Both get italic text. Published posts render normally with no extra markup.

Here’s what future-dated posts look like in the archive with the robot icon and italic styling:

And drafts with the pencil icon:

Home Page Excerpt Views

The _includes/meta.html header component passes the detection through as include parameters:

{% include meta.html post=post preview=true is_draft=is_draft is_future=is_future %}

Inside meta.html, the icon renders next to the post title:

<h1>
  <a href="{{ include.post.url | relative_url }}">{{ include.post.title }}</a>
  {%- if include.is_draft %}
  <svg aria-label="Draft" class="icon icon-status" title="Draft">
    <use xlink:href="{{ "/assets/fontawesome/icons.svg" | relative_url }}#pencil-alt"></use>
  </svg>
  {%- elsif include.is_future %}
  <svg aria-label="Future" class="icon icon-status" title="Scheduled">
    <use xlink:href="{{ "/assets/fontawesome/icons.svg" | relative_url }}#robot"></use>
  </svg>
  {%- endif %}
</h1>

The excerpt <article> wrapper also gets a class for italic styling:

<article{% if is_draft or is_future %} class="post-preview-unpublished"{% endif %}>

CSS

Two additions to _sass/classes.sass:

.icon-status
  height: .85em
  width: .85em
  opacity: .6
  margin: 0 .2em

.post-preview-unpublished
  font-style: italic

The status icons are slightly smaller and more transparent than navigation icons — they’re informational, not interactive. The italic class applies to the entire excerpt card for draft and future posts.

Files Changed

Why These Icons

Pencil (pencil-alt) for drafts — universally understood as “editing” or “work in progress.” It’s already in Font Awesome Free and visually distinct at small sizes.

Robot for future posts — a nod to the automated scheduled publishing via GitHub Actions cron. The daily build at 00:05 UTC is the “robot” that publishes future-dated posts when their date arrives. It’s also visually distinctive and unlikely to be confused with any other status.

I considered clock and hourglass for future posts but they’re too generic — they could mean “reading time” or “loading.” The robot is unambiguous in context.

Production Safety

This feature is inherently safe for production:

• No --drafts flag → no drafts in site.posts → no pencil icons rendered
• No --future flag → no future posts in site.posts → no robot icons rendered
• The Liquid conditionals evaluate to false and produce zero HTML output
• The SVG sprite includes the two extra icon symbols (~2KB), but they’re never referenced in production HTML

The only “cost” in production is two unused <symbol> elements in the SVG sprite file. They add negligible bytes and are never rendered by the browser.

Related Posts

• Jekyll Run Plugin: Local Development Settings That Actually Work — The predecessor article on configuring --drafts and --future flags
• How the Sausage Is Made: Every Feature Powering This Jekyll Blog — Complete feature reference
• Building This Blog: Jekyll on GitHub Pages from Zero to 130+ Posts — Blog setup guide
• The CI/CD Pipeline Behind This Jekyll Blog — How scheduled builds publish future-dated posts

References

• Jekyll Drafts Documentation — Official docs on the _drafts folder
• Jekyll Configuration: Show Drafts — CLI flags for draft and future rendering
• Font Awesome Free Icons — Icon browser

This post covers the configuration I use, the settings precedence that tripped me up, and a bash script fallback for when the extension gets confused.

Why Jekyll Run

Without the extension, local development means opening a terminal and running:

bundle exec jekyll serve --trace --drafts --future --unpublished --livereload --incremental

Jekyll Run wraps this into a button in the VS Code status bar. Click to start, click to stop. It picks up your workspace settings for command-line arguments and handles the process lifecycle.

For a blog with 130+ posts where I’m constantly previewing drafts and future-dated articles, the convenience is worth the occasional quirk.

Developer experience is a platform engineering concern, whether you’re standardizing IDE settings across a 50-person engineering organization or configuring a Jekyll plugin for a solo blog. The time lost to tooling friction — a missing CLI flag, a settings precedence conflict, a stale incremental build — compounds. Getting the local development environment right once means every future writing session starts clean.

The Flags That Matter

Here’s what each flag does and why I use all of them:

The critical ones are --future and --drafts. Without them, you can’t preview the content you’re actively writing.

Configuring the Extension

The extension reads its command-line arguments from the jekyll-run.commandLineArguments setting. Add this to your workspace’s .vscode/settings.json:

{
    "jekyll-run.commandLineArguments": "--trace --drafts --future --unpublished --livereload --incremental",
    "jekyll-run.stopServerOnExit": true
}

The stopServerOnExit setting kills the Jekyll process when you close VS Code, preventing orphaned processes that block port 4000 on the next launch.

Settings Precedence: Where It Gets Tricky

VS Code settings come from multiple sources, and higher-priority settings silently override lower ones. For the Jekyll Run extension, the precedence is:

1. Multi-root workspace file (.code-workspace) — highest priority
2. Workspace folder settings (.vscode/settings.json)
3. User settings (~/.vscode-server/data/User/settings.json)
4. Machine settings (~/.vscode-server/data/Machine/settings.json)

The Multi-Root Workspace Trap

If you use a multi-root workspace (multiple folders in one VS Code window), the .code-workspace file’s settings override per-folder .vscode/settings.json files. An empty settings block in the workspace file:

{
    "folders": [
        { "path": "my-blog" },
        { "path": "resume" }
    ],
    "settings": {}
}

…means the extension falls through to machine or user settings, which may not have your flags. The fix is to add the settings explicitly:

{
    "folders": [
        { "path": "my-blog" },
        { "path": "resume" }
    ],
    "settings": {
        "jekyll-run.commandLineArguments": "--trace --drafts --future --unpublished --livereload --incremental",
        "jekyll-run.stopServerOnExit": true
    }
}

macOS users: If you see TypeError: Cannot read properties of null (reading 'toString') in a multi-root workspace, the problem is deeper than settings — it’s related to macOS GUI PATH inheritance and Ruby version management. See Jekyll Run Plugin: Fixing the Multi-Root Workspace Crash for the full diagnosis and fix.

The Machine Settings Trap

On VS Code Remote (SSH, WSL, etc.), machine settings live at ~/.vscode-server/data/Machine/settings.json on the remote host. If someone — or an extension update — writes a jekyll-run.commandLineArguments value there with fewer flags, it can override your workspace settings depending on how the extension resolves precedence.

Check what’s actually there:

cat ~/.vscode-server/data/Machine/settings.json

Diagnosing Which Settings Win

The fastest way to confirm what the extension is actually using:

ps aux | grep jekyll | grep -v grep

This shows the exact command line. If you see --trace --drafts but not --future, your workspace settings aren’t being picked up.

The _config.yml Trap

Even with --future in your CLI flags, Jekyll will ignore it if _config.yml explicitly sets:

future: false

The config file value overrides the command-line flag. This is counterintuitive — you’d expect CLI flags to win — but that’s how Jekyll works.

The fix is to not set future in _config.yml at all. The default is false, which means:

• Production builds (GitHub Actions without --future) won’t publish future posts
• Local development (with --future flag) will show them

# Don't do this — it overrides the --future CLI flag
# future: false

# Do this — let the CLI flag control it
# (just leave it out entirely, or comment it)

This applies to show_drafts and unpublished as well. If you set them explicitly in _config.yml, the CLI flags become useless.

The Draft and Unpublished Visibility Trap

This one cost me hours. The --drafts and --unpublished flags make Jekyll render draft files and posts with published: false — but they don’t appear in site.posts. That means:

• They won’t show in your archive page
• They won’t show in tag or category listings
• They won’t show on the homepage pagination
• They are accessible by direct URL

The files exist in _site/. Jekyll built them. But any template that iterates site.posts (which is nearly every listing page) silently excludes them.

How to Confirm They Exist

Check the build output directly:

ls _site/your-draft-slug/

If index.html is there, Jekyll rendered it. You can view it at http://127.0.0.1:4000/your-draft-slug/. It just won’t appear in any listing.

Draft Sorting: They’re at the Bottom, Not the Top

Even when drafts do appear in site.posts, they show up at the end of the archive — after your oldest post. You’ll scroll past 100+ articles looking for your new draft at the top and conclude it’s missing.

Jekyll appends drafts after all regular posts in site.posts rather than sorting them into chronological position by their assigned date. So a draft dated 2026-05-10 appears after a post from 2001, not at the top of the list where you’d expect it.

Check the bottom of your archive page, not the top.

The Workaround

Set published: true in your draft’s front matter. The file is still in _drafts/ so it won’t deploy to production (GitHub Actions doesn’t use --drafts), but locally it will appear in all listings.

The published: false flag is useful for posts in _posts/ that you want to temporarily hide. For files in _drafts/, it’s counterproductive — you’re already using the drafts folder to prevent publication, and adding published: false makes them invisible even in local development.

The Bash Script Fallback

The Jekyll Run extension occasionally gets into a bad state — it thinks a server is running when nothing is on port 4000. When that happens, I fall back to a bash script:

#!/bin/bash
bundle exec jekyll serve --trace --drafts --future --unpublished --livereload --incremental

Save this as start-jekyll.sh in your project root. When the extension misbehaves:

1. Try Jekyll Run: Stop Server from the Command Palette (Ctrl+Shift+P)
2. If that doesn’t work, run Developer: Reload Window
3. If that doesn’t work, use the script: bash start-jekyll.sh

Clearing Stale State

If you’re getting build errors that don’t match your current code, incremental builds may be serving cached content. Clear everything:

rm -rf .jekyll-cache _site && bash start-jekyll.sh

This forces a full rebuild from scratch.

My Complete Setup

For reference, here’s every file involved in my local development configuration:

.vscode/settings.json (per workspace folder):

{
    "jekyll-run.commandLineArguments": "--trace --drafts --future --unpublished --livereload --incremental",
    "jekyll-run.stopServerOnExit": true
}

blog-workspace.code-workspace (multi-root workspace):

{
    "folders": [
        { "path": "mcgarrah.github.io" },
        { "path": "resume" }
    ],
    "settings": {
        "jekyll-run.commandLineArguments": "--trace --drafts --future --unpublished --livereload --incremental",
        "jekyll-run.stopServerOnExit": true
    }
}

start-jekyll.sh (fallback script):

#!/bin/bash
bundle exec jekyll serve --trace --drafts --future --unpublished --livereload --incremental

_config.yml (no explicit future setting):

# Future posts controlled by CLI --future flag
# Default is false, so production builds exclude future posts
# Local development uses --future to preview them

Related Posts

• Running GitHub Pages Jekyll Locally — Initial local development setup
• How the Sausage Is Made: Every Feature Powering This Jekyll Blog — Complete feature reference

References

• Jekyll Run Extension — VS Code Marketplace
• Jekyll Configuration Options — Official docs on CLI flags and config precedence
• VS Code Settings Precedence — How VS Code resolves settings from multiple sources

While that prevents the standard 404 error when a desktop browser requests the icon, it completely ignores the modern web. Mobile devices, tablets, and modern browsers expect high-resolution PNGs, Apple Touch icons, and web manifests. Without them, users bookmarking the site to their home screens get a generic, ugly letter block instead of a proper logo.

It was sitting on my internal TODO.md as a “Quick Win” for far too long. Here is how I finally fixed it and implemented a modern favicon set.

“It’s the small things that matter. The details.” — The Twelfth Doctor

The Problem with Just favicon.ico

If you check your web server logs, you’ll likely see a stream of 404 errors for files you never created:

• /apple-touch-icon-precomposed.png
• /apple-touch-icon.png

iOS devices automatically request these files when a user adds your site to their home screen. Android devices look for an Android Chrome manifest. If they aren’t there, you get degraded UX and messy logs.

Here is the source image I started with — a TARDIS icon at 1067x1067 pixels with a solid white background:

Step 1: Generate the Assets

You have two choices here. I went with the CLI route because I wanted control over the transparency — the web generators do not offer that option — and because I am a UNIX guy of old who is perfectly comfortable in a terminal. That said, if you just want a zip file of correctly sized icons without thinking about it, the web generator is the faster path.

Option A: The Fast Track (Web Generator)

If you do not need transparency or custom processing, this is the easiest route.

1. Start with a high-resolution version of your logo (ideally a square PNG or SVG, at least 260x260 pixels).
2. Go to RealFaviconGenerator.net.
3. Upload your image and configure the exact padding, background colors, and styling for iOS, Android, Windows Metro, and macOS Safari pinned tabs.
4. Generate and download the resulting .zip package.

Option B: The Local CLI Route (ImageMagick)

This is the route I took. If you want full control over the output — especially transparency — ImageMagick gives you that. Assuming your source image is logo.png:

Optional: Make the background transparent

If your source image has a solid background (like white) and you want it transparent, you can strip it out first. This is the main reason I chose the CLI route — none of the web generators I found offered this.

The trick is the fuzz factor. A naive -transparent white only removes exact #FFFFFF pixels and misses the slightly blended, anti-aliased pixels at the edges of the logo, leaving a visible white halo. I started at 5% and it still had noticeable halo artifacts, so I bumped it 5% at a time until 10% produced a clean result:

convert logo.png -fuzz 10% -transparent white transparent-logo.png

Here is the result — the same icon after stripping the white background at 10% fuzz. The anti-aliased edges are clean with no visible halo:

(If you do this, just substitute transparent-logo.png for logo.png in the sizing commands below.)

Convert files

# Generate the Apple Touch icon
convert logo.png -resize 180x180 apple-touch-icon.png

# Generate the standard PNG favicons
convert logo.png -resize 32x32 favicon-32x32.png
convert logo.png -resize 16x16 favicon-16x16.png

# Combine them into a multi-resolution favicon.ico
convert favicon-16x16.png favicon-32x32.png favicon.ico

# Generate Android Chrome icons for the manifest
convert logo.png -resize 192x192 favicon-192x192.png
convert logo.png -resize 512x512 favicon-512x512.png

You will also need to manually create the site.webmanifest JSON file to register your Android icons:

{
  "name": "McGarrah Technical Blog",
  "short_name": "McGarrah",
  "icons": [
    { "src": "/favicon-192x192.png", "sizes": "192x192", "type": "image/png" },
    { "src": "/favicon-512x512.png", "sizes": "512x512", "type": "image/png" }
  ],
  "theme_color": "#ffffff",
  "background_color": "#ffffff",
  "display": "standalone"
}

Step 2: Add Files to the Jekyll Root

If you used the web generator, extract the .zip directly into your Jekyll project’s root directory. If you used ImageMagick, move the generated files there along with your hand-written site.webmanifest. Either way, you should end up with a collection of files including:

• apple-touch-icon.png (180x180)
• favicon-32x32.png
• favicon-16x16.png
• site.webmanifest
• favicon.ico

Note: It’s important to keep these at the root level (/), as many tools and legacy browsers request them from the root by default without parsing your HTML.

Step 3: Update the HTML Head

The web generator provides a block of HTML to paste into your site. In a standard Jekyll setup, this goes into _includes/head.html or directly inside the <head> block of _layouts/default.html. If you took the ImageMagick route, the block below is what you need.

To ensure the links work regardless of environment or subdirectories, use Jekyll’s relative_url filter. I added this block just before the closing </head> tag:

<!-- Favicons -->
<link rel="apple-touch-icon" sizes="180x180" href="{{ '/apple-touch-icon.png' | relative_url }}">
<link rel="icon" type="image/png" sizes="32x32" href="{{ '/favicon-32x32.png' | relative_url }}">
<link rel="icon" type="image/png" sizes="16x16" href="{{ '/favicon-16x16.png' | relative_url }}">
<link rel="manifest" href="{{ '/site.webmanifest' | relative_url }}">
<link rel="shortcut icon" href="{{ '/favicon.ico' | relative_url }}">
<meta name="theme-color" content="#ffffff">

Using relative_url ensures that if I ever preview the site in a sub-path or change domains, the asset links won’t break.

Testing Locally Before Pushing

Before pushing any of this to GitHub Pages, I tested it locally with bundle exec jekyll serve several times. Favicons are notoriously sticky in browser caches, so I made a habit of hard-refreshing (Ctrl+Shift+R) and checking the Network tab in DevTools to confirm the browser was actually fetching the new assets instead of serving stale ones.

Beyond the icons themselves, I verified that the HTML changes in _layouts/default.html were rendering correctly by viewing the page source and confirming all six <link> tags appeared in the <head>. I also hit http://localhost:4000/site.webmanifest directly in the browser to make sure Jekyll was serving the manifest file and that the JSON was valid with the correct icon paths. A missing or malformed manifest is silent — no errors in the console, just a broken “Add to Home Screen” experience that you would never notice without checking.

The transparency fuzz factor was the main thing I iterated on locally. Each time I regenerated the PNGs with a different percentage, I restarted Jekyll and checked the Apple Touch icon at 180x180 to see if the halo was gone. That feedback loop — regenerate, restart, hard-refresh — is much faster against a local server than waiting for a GitHub Pages deploy.

Once everything looked right locally, I pushed to GitHub and verified on the live site at mcgarrah.org. The deploy picked it up on the next build and the icons rendered identically to what I saw in local testing.

The Result

The whole process took about thirty minutes of actual work, spread across an hour of wall time because I was multitasking. Most of that was the local iteration on ImageMagick transparency — the favicon generation and HTML changes themselves were genuinely quick. After deploying, the stream of /apple-touch-icon.png 404 errors in my server logs disappeared immediately. More importantly, bookmarking the site to an iPhone home screen now shows my actual logo instead of a generic gray letter “M” in a rounded square.

Here is the final set of generated icons at their actual sizes, from the 512x512 Android Chrome icon down to the 16x16 browser tab favicon:

Icon	Size	Preview
favicon-512x512.png	512x512
favicon-192x192.png	192x192
apple-touch-icon.png	180x180
favicon-32x32.png	32x32
favicon-16x16.png	16x16

If you have a Jekyll site with just a bare favicon.ico, check your logs — you are almost certainly serving 404s for assets that mobile devices expect to exist. A few generated PNGs and six lines of HTML in your layout is all it takes to fix it.

My resume site runs as a sub-path off the same domain, so it picks up the root-level favicon assets automatically. Its Jekyll theme has its own _includes/head.html, which needed the same <link> block added, but the image files are shared. If you run multiple Jekyll projects under one domain, that is one less thing to duplicate.

“Never ignore the little things. In the whole wide universe, the little things are the most important.” — The Eleventh Doctor

Gallifreyan script generated with the Gallifreyan Translation Helper.

Most Jekyll blogs on GitHub Pages use the default build. Push to main, GitHub builds it, done. That worked for me too — until I needed custom plugins, scheduled future posts, and wanted to stop deploying broken sitemaps.

Here’s how it all fits together.

The Pipeline at a Glance

graph LR
    A[git push to main] --> B[Jekyll Build & Deploy]
    A --> C[CodeQL Security Scan]
    A --> D[SEO Health Check]
    E[Daily 10:05 UTC] --> B
    F[Weekly Friday 02:43 UTC] --> C
    G[Weekly Monday 06:00 UTC] --> D
    H[Dependabot] --> I[PRs for dependency updates]
    I --> A

Workflow 1: Build and Deploy

This is the core workflow. It replaced the default GitHub Pages build in August 2024 when I needed custom plugins that aren’t in the GitHub Pages whitelist.

name: Deploy Jekyll site to Pages

on:
  push:
    branches: ["main"]
  schedule:
    - cron: '5 10 * * *'
  workflow_dispatch:

permissions:
  contents: read
  pages: write
  id-token: write

concurrency:
  group: "pages"
  cancel-in-progress: false

Why a Custom Build?

The default GitHub Pages Jekyll build is convenient but limiting:

• No custom plugins — Only whitelisted gems run. My tag/category generator and Pandoc exports plugin need a custom build.
• No Ruby version pinning — GitHub controls the Ruby version. I pin to 3.2.6 for reproducibility.
• No build validation — The default build deploys whatever Jekyll produces. I validate the sitemap before deploying.

Scheduled Builds for Future Posts

The schedule trigger is the key feature that makes future-dated posts work:

schedule:
  - cron: '5 10 * * *'  # 10:05 UTC daily (6:05 AM EDT)

See GitHub’s scheduled events documentation for cron syntax details.

Jekyll’s future: false setting (the default) excludes posts with dates in the future from the build output. When a post’s date arrives, the next build picks it up. The daily cron at 10:05 UTC (6:05 AM EDT) means a post dated 2026-05-15 will go live within 24 hours of that date — close enough for a blog.

Without this, I’d have to manually push a commit or trigger a build on the day I want a post to go live.

The --future Flag Gotcha

During local development, bundle exec jekyll serve also respects future: false — future-dated posts won’t render locally unless you add the --future flag:

bundle exec jekyll serve --future

This confused me early on. I’d write a post with tomorrow’s date, run the local server, and the post wouldn’t appear. The future: false config setting only controls the build output, not whether the file is recognized. The --future flag overrides it for local previewing. In production, the daily cron handles it — you never need future: true in _config.yml.

Sitemap Validation

After discovering that a bad build once deployed a sitemap full of localhost URLs, I added a pre-deploy validation step:

- name: Validate sitemap URLs
  run: |
    if grep -q 'localhost' ./_site/sitemap.xml; then
      echo "::error::sitemap.xml contains localhost URLs"
      grep 'localhost' ./_site/sitemap.xml | head -5
      exit 1
    fi
    echo "Sitemap OK: all URLs use production domain"

This is a cheap check that has saved me at least once. The JEKYLL_ENV: production environment variable is also critical — without it, Jekyll may use development URLs.

Build Steps

The full build job:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: ruby/setup-ruby@v1.300.0
        with:
          ruby-version: '3.2.6'
          bundler-cache: true
          cache-version: 1
      - uses: actions/configure-pages@v6
      - name: Build with Jekyll
        run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}"
        env:
          JEKYLL_ENV: production
      - name: Validate sitemap URLs
        run: |
          if grep -q 'localhost' ./_site/sitemap.xml; then
            echo "::error::sitemap.xml contains localhost URLs"
            exit 1
          fi
      - uses: actions/upload-pages-artifact@v4

Key details:

• bundler-cache: true — Caches installed gems between runs. Cuts build time significantly.
• cache-version: 1 — Increment this to force a fresh gem install if the cache gets corrupted.
• configure-pages — Sets the base path for GitHub Pages. Required for correct URL generation.
• cancel-in-progress: false — Don’t cancel a running deployment if a new push arrives. Let it finish.

Evolution

The build workflow has been through nine commits since August 2024:

1. Aug 2024 — Initial creation, replacing default GitHub Pages build
2. Jan 2025 — Ruby version updates and deploy comments
3. May 2025 — Fix caching issues during build
4. Sep 2025 — Add scheduled daily builds for future posts
5. Sep 2025 — Dependabot bumps for checkout and upload-pages-artifact
6. Apr 2026 — Add sitemap localhost validation
7. Apr 2026 — Update all actions to Node 24 compatible versions

Workflow 2: CodeQL Security Scanning

name: "CodeQL Advanced"

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
  schedule:
    - cron: '43 2 * * 5'  # Weekly Friday at 02:43 UTC

What Does CodeQL Scan on a Jekyll Blog?

Not much, honestly. The initial setup in September 2025 included Ruby and JavaScript language analysis, but those were removed the same day — CodeQL’s Ruby analysis isn’t useful for Jekyll plugins (they’re too simple), and the JavaScript is mostly CDN-loaded.

What remains is GitHub Actions workflow analysis (language: actions), which scans the workflow YAML files themselves for security issues like:

• Untrusted input in run steps
• Missing permission restrictions
• Vulnerable action versions
• Script injection via ${{ }} expressions

strategy:
  fail-fast: false
  matrix:
    include:
    - language: actions
      build-mode: none

Is It Worth It?

For a static blog? Marginally. The Actions language scanner has caught zero issues so far. But it’s free, runs weekly, and takes under a minute. The real value is that it’s already configured — if I add more complex JavaScript or Ruby in the future, I can re-enable those language scanners with one line change.

Workflow 3: SEO Health Check

This is the most complex workflow and has its own dedicated article. Here’s the summary of what it validates on every content push and weekly:

Triggers

on:
  schedule:
    - cron: '0 6 * * 1'  # Weekly Monday at 6 AM UTC
  workflow_dispatch:
  push:
    branches: [main]
    paths:
      - '_config.yml'
      - '_layouts/**'
      - '_includes/**'
      - '_plugins/**'
      - '_posts/**'
      - '_sass/**'
      - 'assets/**'
      - 'robots.txt'
      - '.github/workflows/seo-health-check.yml'
      - '.lighthouserc.json'

The paths filter is important — this workflow only runs on pushes that change content or configuration, not on README edits or draft changes. This saves CI minutes.

What It Checks

The workflow builds the site, serves it locally, then runs a gauntlet of checks:

1. Lighthouse CI — Performance (≥0.8), accessibility (≥0.9), best practices (≥0.8), SEO (≥0.9 — hard fail). Runs 3 times per URL and averages. Blocks AdSense and Analytics scripts to get clean scores.
2. Canonical URL consistency — Every <link rel="canonical"> tag must use mcgarrah.org
3. Sitemap validation — Valid XML, correct domain, no www prefix
4. Sitemap index validation — References both blog and resume sitemaps
5. Robots.txt — Exists, references correct sitemap index
6. Meta tags — Description and Open Graph tags on homepage
7. RSS feed — Valid XML
8. Link checking — Lychee for broken links across all HTML
9. Structured data — JSON-LD presence
10. Image optimization — Missing alt text, oversized images (>500KB)
11. Content quality — Duplicate titles, duplicate meta descriptions, generic link text (“click here”, “read more”)
12. Mobile optimization — Viewport meta tag coverage
13. Accessibility indicators — Invalid anchors, small tap targets

Lighthouse Configuration

The .lighthouserc.json blocks ad and analytics scripts to get clean performance scores:

{
  "ci": {
    "collect": {
      "numberOfRuns": 3,
      "settings": {
        "blockedUrlPatterns": [
          "**/pagead/js/adsbygoogle.js*",
          "**/googlesyndication.com/**",
          "**/googletagmanager.com/**"
        ]
      }
    },
    "assert": {
      "assertions": {
        "categories:performance": ["warn", {"minScore": 0.8}],
        "categories:accessibility": ["warn", {"minScore": 0.9}],
        "categories:seo": ["error", {"minScore": 0.9}]
      }
    }
  }
}

SEO is the only hard fail (error). Performance and accessibility are warnings — I want to know about regressions but don’t want to block deploys over a 0.79 performance score.

The Canonical URL Bug

The SEO health check went through five rapid-fire commits on April 8, 2026 — all fixing the same class of problem. The canonical URL check was matching mcgarrah.org in blog post content (syntax-highlighted code examples), not just in <link> tags. The fix narrowed the grep to match only actual <link rel="canonical"> tags:

find _site -name "*.html" -exec grep -h '<link[^>]*rel="canonical"' {} \;

Lesson: when your blog posts contain code examples about your own blog’s configuration, your CI checks will match the examples. Always be specific in your grep patterns.

Dependabot

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "."
    schedule:
      interval: "daily"
  - package-ecosystem: "bundler"
    directory: "./"
    schedule:
      interval: "daily"
  - package-ecosystem: "npm"
    directory: "./"
    schedule:
      interval: "weekly"

Three ecosystems, three schedules:

• GitHub Actions (daily) — Catches action version bumps quickly. These are the most security-sensitive since they run with repo permissions.
• Bundler (daily) — Jekyll and Ruby gem updates. The Gemfile.lock pins exact versions.
• npm (weekly) — Tracks CDN library versions in package.json for security scanning, even though the actual libraries load from CDN at runtime. See the security dependency management post for why.

Dependabot creates PRs automatically. Each PR triggers the build and CodeQL workflows, so I get a test build before merging.

How the Pieces Interact

The workflows aren’t isolated — they form a feedback loop:

1. Dependabot creates a PR to bump actions/checkout from v5 to v6
2. The PR triggers CodeQL (scans the updated workflow YAML) and Build (tests the build with the new action version)
3. I merge the PR → push to main
4. Push triggers all three workflows: Build deploys, CodeQL scans, SEO Health Check validates
5. If the SEO check finds a regression (broken link, missing meta tag), I fix it and push again

The daily cron on the build workflow handles future-dated posts without any manual intervention. The weekly crons on CodeQL and SEO catch drift — a dependency that introduced a vulnerability, or an external link that went dead.

Cost

All of this runs on GitHub’s free tier for public repositories. The monthly usage is minimal:

• Build & Deploy: ~30 runs/month (daily cron + pushes), ~2 min each
• CodeQL: ~8 runs/month (weekly + pushes), ~1 min each
• SEO Health Check: ~12 runs/month (weekly + content pushes), ~4 min each
• Total: ~100 minutes/month, well within the 2,000 free minutes

What I’d Add Next

• HTML-Proofer — More thorough internal link validation than my custom script
• Pa11y — Automated accessibility testing beyond Lighthouse
• Build time tracking — Alert if build time exceeds a threshold (currently ~90 seconds)
• Deployment notifications — Slack or email on successful deploy of future-dated posts

Related Posts

• Advanced Jekyll SEO Health Checks — Deep dive into the SEO workflow
• Building This Blog: Jekyll on GitHub Pages — Setup guide with CI/CD overview
• Using GitHub Actions with pip-audit — Similar CI pattern for Python projects
• Building a Custom Tag and Category Generator Plugin — One of the custom plugins that requires this pipeline
• Your Jekyll Sitemap Is 60% Garbage — The sitemap problem that led to the validation step
• How the Sausage Is Made — Full feature inventory
• Ruby Gem Release Automation — CI/CD for the Pandoc exports gem

But comments need state. Someone writes a comment, it has to be stored somewhere, and the next visitor needs to see it. Adding state to a stateless platform is a fundamental design tension — you need a data store, but you chose a platform specifically because it doesn’t have one.

The Problem

I wanted comments on this blog for a simple reason: readers ask good questions. When someone finds a gap in a Proxmox walkthrough or catches an error in a Ceph command, that feedback is valuable — not just to me, but to the next person reading the same post. Email works for one-to-one, but comments are one-to-many.

The requirements:

1. No self-hosted infrastructure — I’m not running a database for blog comments
2. Free or very cheap — This is a hobby blog
3. GitHub-friendly — My readers are technical; most have GitHub accounts
4. GDPR-compatible — No third-party tracking cookies
5. Persistent — Comments survive site rebuilds and theme changes
6. Searchable — Ideally indexed and findable
7. Low maintenance — No moderation queue to babysit

The Alternatives I Evaluated

Disqus — The Default Choice (Rejected)

Disqus is the most common comment system for static sites. It’s easy to embed and has a large user base.

Why I rejected it:

• Ads on the free tier — Disqus injects ads into your comment section unless you pay
• Tracking and privacy — Disqus loads significant third-party JavaScript and tracks users across sites. This is a GDPR nightmare for a blog that already went through extensive GDPR compliance work
• Data ownership — Comments live on Disqus’s servers. If they shut down or change terms, your comments are gone
• Heavy JavaScript — The embed script is large and slows page load

The original Jekyll theme I forked (Contrast) actually had Disqus support built in. The dead code is still in my post.html layout — a disqus_thread div that never renders because site.comments.disqus_shortname is never set.

Isso — Self-Hosted Alternative (Rejected)

Isso is a self-hosted, lightweight commenting server. It stores comments in a SQLite database and has a clean, minimal interface.

Why I rejected it:

• Requires a server — You need to run the Isso daemon somewhere. That’s infrastructure I don’t want to maintain for blog comments
• SQLite on a server — Backups, uptime, security patches — all for a comment system

The theme also had Isso support built in. Same dead code situation — isso_domain is never configured.

GitHub Issues API — Custom Lambda (Evaluated Deeply)

This approach uses GitHub Issues as the comment store. Each blog post maps to a GitHub Issue. Comments on the Issue appear as comments on the post. Aleksandr Hovhannisyan’s implementation is the best-known version.

I went deep on this one — deep enough to have ChatGPT convert the original Netlify serverless function to a Python Lambda. The full prototype:

def get_comments_for_post(event, context):
    """
    Lambda function to fetch comments for a GitHub issue dynamically.
    """

    try:
        # Extract query parameters
        query_params = event.get("queryStringParameters", {})
        issue_number = query_params.get("id")
        github_url = query_params.get("url")

        if not issue_number or not issue_number.isdigit():
            return {
                "statusCode": 400,
                "body": json.dumps({"error": "You must specify a valid issue ID."}),
            }

        # Determine owner and repo
        if github_url:
            owner, repo = extract_owner_and_repo(github_url)
        else:
            owner = query_params.get("owner")
            repo = query_params.get("repo")

        if not owner or not repo:
            return {
                "statusCode": 400,
                "body": json.dumps({"error": "You must specify 'owner' and 'repo' or provide a valid GitHub URL."}),
            }

        issue_number = int(issue_number)

        # Check API rate limit
        rate_limit = octokit.request("GET /rate_limit")["rate"]
        remaining_requests = rate_limit["remaining"]
        print(f"GitHub API requests remaining: {remaining_requests}")
        if remaining_requests == 0:
            return {
                "statusCode": 503,
                "body": json.dumps({"error": "API rate limit exceeded."}),
            }

        # Fetch comments for the given issue
        comments_response = octokit.paginate(
            "GET /repos/{owner}/{repo}/issues/{issue_number}/comments",
            {"owner": owner, "repo": repo, "issue_number": issue_number},
        )

        # Process comments
        response = []
        for comment in comments_response:
            response.append({
                "user": {
                    "avatarUrl": comment["user"]["avatar_url"],
                    "name": escape(comment["user"]["login"]),
                    "isAuthor": comment["author_association"] == "OWNER",
                },
                "dateTime": comment["created_at"],
                "dateRelative": str((datetime.now() - datetime.fromisoformat(
                    comment["created_at"].replace("Z", ""))).days) + " days ago",
                "isEdited": comment["created_at"] != comment["updated_at"],
                "body": escape(markdown(comment["body"])),
            })

        return {
            "statusCode": 200,
            "body": json.dumps({"data": response}),
        }

    except Exception as e:
        print(f"Error: {e}")
        return {
            "statusCode": 500,
            "body": json.dumps({"error": "Unable to fetch comments for this post."}),
        }

This prototype handled input validation, GitHub API rate limiting, pagination, relative date formatting, edit detection, and Markdown rendering. It worked — but it was a lot of moving parts for blog comments.

Why I ultimately rejected it:

• Requires a serverless function — Whether it’s Netlify Functions, AWS Lambda, or Cloudflare Workers, you need a backend to proxy the GitHub API (to avoid exposing tokens client-side)
• GitHub Issues aren’t designed for comments — Issues have a flat structure. No threading, no reactions on individual comments (only on the issue itself)
• Manual issue creation — You have to create a GitHub Issue for each post and link them. That’s a maintenance burden
• API rate limits — The GitHub API has rate limits that could be hit on popular posts

Utterances — GitHub Issues, Client-Side (Close Second)

Utterances solves the serverless function problem by using a GitHub App to authenticate directly from the client. It still uses GitHub Issues as the backend but doesn’t need a proxy.

Why I almost chose it:

• No server needed — just a <script> tag
• Clean, minimal UI
• GitHub authentication (my audience has GitHub accounts)
• Open source

Why I chose Giscus instead:

• Utterances uses Issues, Giscus uses Discussions — Discussions have threading, categories, and reactions
• Utterances was less actively maintained at the time I evaluated it
• Giscus is essentially “Utterances but better” — same concept, newer implementation, more features

Staticman — Git-Based Comments (Rejected)

Staticman takes a different approach: comments are submitted via a form, processed by a bot, and committed to your repository as data files (YAML/JSON). Jekyll then renders them at build time.

Why I rejected it:

• Build required for every comment — Each comment triggers a site rebuild. That’s slow and burns CI minutes
• Moderation via pull requests — Clever, but adds friction
• Self-hosted bot or shared instance — The shared instance has availability issues; self-hosting is more infrastructure

GDPR-Compliant Approaches

The Jekyll Codex GDPR-compliant comments guide was useful for understanding the privacy landscape. Any solution that loads third-party JavaScript or sends user data to external servers needs consent management.

Why Giscus Won

Giscus uses GitHub Discussions as the comment backend. It’s a single <script> tag that embeds a widget powered by the GitHub Discussions API via a GitHub App.

The key insight: everything stays in the GitHub ecosystem. The blog source is on GitHub. The build runs on GitHub Actions. The site deploys to GitHub Pages. Comments live in GitHub Discussions. There’s no external service, no separate database, no additional account.

What sealed the decision:

• Threaded replies — Discussions support nested replies, Issues don’t
• Reactions — Readers can react to individual comments, not just the top-level post
• Categories — Comments go into the “Announcements” category, keeping them organized
• Automatic mapping — pathname mapping means Giscus creates a Discussion for each post URL automatically. No manual issue creation
• Lazy loading — The widget loads only when scrolled into view (loading: lazy)
• Theme matching — preferred_color_scheme follows the reader’s dark/light mode preference
• Searchable — GitHub Discussions are fully searchable, both on GitHub and via search engines
• No server — Just a <script> tag and a _config.yml entry
• GDPR-friendly — Giscus loads from giscus.app (a GitHub App), not a third-party ad network. No tracking cookies. The self-hosting option exists if you want full control

Implementation

Step 1: Enable GitHub Discussions

In the repository settings (mcgarrah/mcgarrah.github.io), enable the Discussions feature and create an “Announcements” category.

Step 2: Install the Giscus GitHub App

Go to giscus.app, select your repository, and configure the options. It generates the <script> tag and gives you the repo_id and category_id values.

Step 3: Add Configuration to _config.yml

giscus:
  repo: mcgarrah/mcgarrah.github.io
  repo_id: R_kgDOKBKIdw
  category: Announcements
  category_id: DIC_kwDOKBKId84Cq3DK
  mapping: pathname
  strict: 0
  reactions_enabled: 1
  emit_metadata: 0
  input_position: bottom
  theme: preferred_color_scheme
  lang: en
  loading: lazy

Key configuration choices:

• mapping: pathname — Maps posts to Discussions by URL path. This means /proxmox-ceph-nearfull/ gets its own Discussion automatically
• strict: 0 — Fuzzy matching on the pathname. Tolerates minor URL changes
• input_position: bottom — Comment box below existing comments (natural reading order)
• loading: lazy — Don’t load the iframe until the reader scrolls to the comments section. Improves initial page load performance
• theme: preferred_color_scheme — Matches the reader’s OS dark/light mode setting

Step 4: Add the Widget to the Post Layout

In _layouts/post.html:

{%- if site.giscus -%}
<section class="page__comments">
  <script src="https://giscus.app/client.js"
          data-repo="{{ site.giscus.repo }}"
          data-repo-id="{{ site.giscus.repo_id }}"
          data-category="{{ site.giscus.category }}"
          data-category-id="{{ site.giscus.category_id }}"
          data-mapping="{{ site.giscus.mapping }}"
          data-strict="{{ site.giscus.strict }}"
          data-reactions-enabled="{{ site.giscus.reactions_enabled }}"
          data-emit-metadata="{{ site.giscus.emit_metadata }}"
          data-input-position="{{ site.giscus.input_position }}"
          data-theme="{{ site.giscus.theme }}"
          data-lang="{{ site.giscus.lang }}"
          data-loading="{{ site.giscus.loading }}"
          crossorigin="anonymous"
          async>
  </script>
</section>
{%- endif -%}

Every _config.yml value is templated via Liquid — no hardcoded values in the layout. The {%- if site.giscus -%} guard means the widget only renders if Giscus is configured, so the theme works without it.

Legacy Dead Code

The post layout still contains the original theme’s Isso and Disqus support:

{% if page.comments != false and site.comments.isso or site.comments.disqus %}
  {% if site.comments.isso_domain %}<div id="isso-thread"></div>{% endif %}
  {% if site.comments.disqus_shortname %}<div id="disqus_thread"></div>{% endif %}
{% endif %}

This never renders because neither site.comments.isso_domain nor site.comments.disqus_shortname is set in _config.yml. It’s harmless dead code from the Contrast theme fork. I’ve left it in case someone forks this blog and wants to use those systems instead.

The GitHub Ecosystem Advantage

What I find elegant about this setup is how the pieces reinforce each other:

Everything is in one place. One login, one set of permissions, one backup strategy (the git repository itself). If GitHub goes down, the whole blog is down anyway — there’s no additional point of failure from the comment system.

Comments are also version-controlled in a sense — GitHub Discussions have full edit history, and they’re tied to the repository. If I ever migrate the blog, the Discussions come with the repo.

The broader pattern here is worth noting: keeping your entire operational surface area in a single ecosystem — source, build, hosting, comments, security scanning, dependency management — reduces the number of vendor relationships, authentication boundaries, and failure domains you have to manage. It’s the same principle behind choosing a single cloud provider for tightly coupled services.

What I’d Do Differently

• Clean up the dead Isso/Disqus code — It’s been there since the fork. Time to remove it
• Add a comments: false front matter option — The Isso/Disqus code checks page.comments != false, but the Giscus block doesn’t. Some posts (like the privacy policy) shouldn’t have comments
• Consider self-hosting Giscus — The self-hosting guide would eliminate the dependency on giscus.app. Low priority since the service has been reliable

Related Posts

• Building This Blog: Jekyll on GitHub Pages — Setup guide with brief Giscus section
• How the Sausage Is Made — Feature inventory including comments
• Implementing GDPR Compliance for Jekyll with AdSense — The GDPR work that informed comment system requirements
• The CI/CD Pipeline Behind This Jekyll Blog — How GitHub Actions ties into the ecosystem

GitHub Pages with Jekyll gives you tags and categories in front matter, but no pages for them. You can tag a post proxmox all day long — there’s no /tags/proxmox/ page unless you build one. Manually creating a page for each tag doesn’t scale. This plugin solves it: a single Ruby file that generates a page for every tag and every category at build time.

The Problem

Jekyll’s built-in site.tags and site.categories hashes collect posts by taxonomy, but they don’t generate browsable pages. Most Jekyll themes include a tags.html that lists all tags on one page, but clicking a tag doesn’t go anywhere useful.

The common solutions are:

1. Manual pages — Create a markdown file per tag. Doesn’t scale.
2. Third-party plugins — jekyll-tagging, jekyll-archives. Not whitelisted on GitHub Pages (if using the default build).
3. Custom generator plugin — Write your own. Works with GitHub Actions builds.

Useful references I consulted during the decision:

• Long Qian’s Jekyll tag page guide — The approach I adapted
• Untangled.dev tag management — Alternative approach
• Jekyll docs on tags — Official reference

I went with option 3 because I was already using GitHub Actions for the build (required for other custom plugins), and I wanted full control over URL structure and SEO behavior.

Evolution of the Plugin

The plugin went through three distinct versions, each driven by a real problem. The git history tells the story.

Version 1: Basic Generator (July 2025)

The initial version was straightforward — two Generator classes and two Page classes. It iterated site.tags and site.categories, created a page for each, and was done:

module Jekyll
  class TagPageGenerator < Generator
    safe true

    def generate(site)
      site.tags.each do |tag, posts|
        site.pages << TagPage.new(site, site.source, tag, posts)
      end
    end
  end

  # ... CategoryPageGenerator identical pattern ...

  class TagPage < Page
    def initialize(site, base, tag, posts)
      @site = site
      @base = base
      @dir = File.join('tags', tag.downcase.gsub(' ', '-'))
      @name = 'index.html'

      self.process(@name)
      self.read_yaml(File.join(base, '_layouts'), 'tag_page.html')
      self.data['tag'] = tag
      self.data['posts'] = posts
      self.data['title'] = "Posts tagged with \"#{tag}\""
    end
  end
end

This worked fine for months. Then AdSense review forced a closer look at the sitemap.

Version 2: Sitemap Exclusion and Noindex (April 6, 2026 — morning)

During AdSense review preparation, I audited the sitemap and found it had 434 URLs, 262 of which (60%) were auto-generated tag, category, and pagination pages with little unique content. This dilutes content quality signals.

The fix added two lines to each Page class and a Jekyll::Hooks callback for pagination:

# Added to TagPage and CategoryPage:
self.data['sitemap'] = false
self.data['noindex'] = true if posts.size < 3

# Added for pagination pages:
Jekyll::Hooks.register :pages, :post_init do |page|
  if page.url =~ %r{^/page\d+/}
    page.data['sitemap'] = false
  end
end

Result: sitemap dropped from 434 to 172 URLs. 195 thin tag/category pages got noindex.

Version 3: Hook-to-Generator Refactor (April 6, 2026 — afternoon)

The Jekyll::Hooks :pages :post_init approach broke pagination within hours. The hook fired during page initialization — before jekyll-paginate had created its pagination pages. This caused the homepage to display as page 32 of 32 (oldest posts first) and prevented pagination directories from being created.

The fix replaced the hook with a lowest-priority Generator that runs after jekyll-paginate has finished:

class PaginationSitemapExcluder < Generator
  safe true
  priority :lowest

  def generate(site)
    site.pages.each do |page|
      if page.dir =~ %r{^/page\d+}
        page.data['sitemap'] = false
      end
    end
  end
end

The key insight: priority :lowest ensures this generator runs after all other generators (including jekyll-paginate), so the pagination pages exist by the time we iterate them. The hook approach was too early in the lifecycle.

Result: homepage showed newest posts again (page 1 of 32), all 31 pagination directories restored, pagination pages still excluded from sitemap.

The Final Plugin

The current version lives in _plugins/tag_category_generator.rb:

module Jekyll
  class TagPageGenerator < Generator
    safe true

    def generate(site)
      site.tags.each do |tag, posts|
        site.pages << TagPage.new(site, site.source, tag, posts)
      end
    end
  end

  class CategoryPageGenerator < Generator
    safe true

    def generate(site)
      site.categories.each do |category, posts|
        site.pages << CategoryPage.new(site, site.source, category, posts)
      end
    end
  end

  class TagPage < Page
    def initialize(site, base, tag, posts)
      @site = site
      @base = base
      @dir = File.join('tags', tag.downcase.gsub(' ', '-'))
      @name = 'index.html'

      self.process(@name)
      self.read_yaml(File.join(base, '_layouts'), 'tag_page.html')
      self.data['tag'] = tag
      self.data['posts'] = posts
      self.data['title'] = "Posts tagged with \"#{tag}\""
      self.data['sitemap'] = false
      self.data['noindex'] = true if posts.size < 3
    end
  end

  class CategoryPage < Page
    def initialize(site, base, category, posts)
      @site = site
      @base = base
      @dir = File.join('categories', category.downcase.gsub(' ', '-').gsub('_', '-'))
      @name = 'index.html'

      self.process(@name)
      self.read_yaml(File.join(base, '_layouts'), 'category_page.html')
      self.data['category'] = category
      self.data['posts'] = posts
      self.data['title'] = "Posts in category \"#{category}\""
      self.data['sitemap'] = false
      self.data['noindex'] = true if posts.size < 3
    end
  end

  class PaginationSitemapExcluder < Generator
    safe true
    priority :lowest

    def generate(site)
      site.pages.each do |page|
        if page.dir =~ %r{^/page\d+}
          page.data['sitemap'] = false
        end
      end
    end
  end
end

Design Decisions

safe true — Marks the generator as safe for GitHub Pages compatibility. Even though we’re building with GitHub Actions, this is good practice.

URL structure — Tags go to /tags/tag-name/ and categories to /categories/category-name/. The downcase.gsub(' ', '-') normalizes spaces to hyphens. Categories also convert underscores to hyphens for consistency.

sitemap: false — This was added after discovering that the generated pages were bloating the sitemap. With 237 tags, that’s 237 extra URLs in sitemap.xml — most pointing to pages with only one or two posts. See Your Jekyll Sitemap Is 60% Garbage for the full story.

noindex for thin content — Tags with fewer than 3 posts get noindex to avoid search engines indexing low-value pages. This is a soft SEO signal — the page still exists for users, but search engines are asked to skip it.

PaginationSitemapExcluder — A bonus generator that excludes /page2/, /page3/, etc. from the sitemap. These pagination pages add no SEO value and were another source of sitemap bloat. This was originally a Jekyll::Hooks :pages :post_init callback, but that broke jekyll-paginate because the hook fired before pagination pages existed. The priority :lowest Generator approach runs after all other generators have finished.

The Layouts

Both layouts are nearly identical. Here’s _layouts/tag_page.html:

---
layout: default
---

<article class="page">
  <h1 class="page-title">{{ page.title }}</h1>
  <div class="page-content">
    <div class="posts-list">
      {% for post in page.posts %}
        <article class="post-item">
          <h2><a href="{{ post.url | relative_url }}">{{ post.title }}</a></h2>
          <time datetime="{{ post.date | date_to_xmlschema }}">{{ post.date | date: site.date_format }}</time>
          {% if post.excerpt %}
            <div class="post-excerpt">{{ post.excerpt }}</div>
          {% endif %}
        </article>
      {% endfor %}
    </div>
  </div>
</article>

The category_page.html layout is identical. You could DRY this up with an include, but for two files it’s not worth the indirection.

The Index Pages

Users need a way to browse all tags and categories. These are simple Liquid pages:

tags.html:

---
layout: list_page
title: All Tags
---
<div class="taxonomies-list">
  {% for tag_hash in site.tags %}
    {% assign tag_name = tag_hash[0] %}
    {% assign num_posts = tag_hash[1].size %}
    <a href="{{ site.baseurl }}/tags/{{ tag_name | slugify }}/" class="taxonomy-item">
      {{ tag_name }} ({{ num_posts }})
    </a>
  {% endfor %}
</div>

categories.html follows the same pattern with site.categories.

GitHub Actions Requirement

This plugin won’t work with the default GitHub Pages Jekyll build — only whitelisted plugins run there. You need a GitHub Actions workflow that runs jekyll build yourself and deploys the output.

If you’re already using GitHub Actions for your Jekyll build (which you’ll need for any custom plugin), this just works — drop the .rb file in _plugins/ and it’s picked up automatically.

Lessons Learned

Tag proliferation is real. At 237 tags across 139 posts, many tags have only 1-2 posts. This creates thin content pages that dilute SEO. The noindex threshold helps, but the real fix is disciplined tagging — reuse existing tags rather than inventing new ones for every post.

Sitemap exclusion matters. The original version of this plugin didn’t set sitemap: false. The result was a sitemap with 434 URLs where 262 were auto-generated junk. Google Search Console flagged many as “Discovered – currently not indexed.” Adding sitemap: false cut the sitemap to meaningful content only.

Jekyll hook ordering is treacherous. The :post_init hook seemed like the right place to tag pagination pages for sitemap exclusion — it fires when a page is initialized. But jekyll-paginate creates pages during generation, not initialization. The hook fired too early, interfered with pagination’s template detection, and the homepage showed the oldest posts instead of the newest. The fix was moving to a priority :lowest Generator. Lesson: when modifying pages created by other plugins, use a Generator with lowest priority, not a hook.

Categories vs tags — In practice, categories on this blog are broad buckets (technical, homelab, web-development) while tags are specific topics (proxmox, ceph, jekyll). The plugin treats them identically but they serve different navigation purposes.

Current Stats

As of this writing:

• 139 published posts
• 237 unique tags → 237 generated tag pages
• 53 unique categories → 53 generated category pages
• Top tags: homelab (32), proxmox (23), jekyll (23), ceph (19), storage (18)
• Top categories: technical (63), homelab (22), web-development (21), hardware (20)

Related Posts

• Your Jekyll Sitemap Is 60% Garbage — The sitemap bloat problem this plugin caused and how it was fixed
• Building This Blog: Jekyll on GitHub Pages from Zero to 130+ Posts — Broader setup guide that mentions this plugin
• How the Sausage Is Made: Every Feature Powering This Jekyll Blog — Feature inventory including tag/category pages

Migration context: On May 1, 2026, AWS published the Amazon Q Developer end-of-support announcement. If you’re migrating from Amazon Q Developer to Kiro on Windows, WSL2 support is likely a hard requirement. This article covers exactly that gap.

The Open Remote - WSL extension by jeanp413 fills this gap. It’s a community-built, Open VSX-compatible implementation that enables WSL2 support in any VS Code fork, including Kiro. The Kiro GitHub issue #17 tracks the ongoing community experience — 38+ comments of workarounds, breakage reports, and fixes that inform everything in this article.

The extension works. It also breaks predictably on Kiro updates, has an easy-to-miss configuration requirement, and routes terminal commands to the wrong shell if you don’t set a default profile. None of these are dealbreakers, but they’ll cost you time if you don’t know about them going in.

The Problem

VS Code’s WSL integration is built on Microsoft’s proprietary Remote Development extensions. These extensions are:

• Licensed exclusively for use with Microsoft’s VS Code builds
• Published only to Microsoft’s Visual Studio Marketplace, not Open VSX
• Not available in Kiro’s extension marketplace

Without WSL support, Kiro on Windows can only access the Windows filesystem. Your Linux development environments, toolchains, and MCP servers running inside WSL2 are unreachable from the IDE. As multiple users in the tracking issue put it bluntly: Kiro is “completely useless” for Windows developers who do all their work inside WSL2.

Kiro itself acknowledges the gap — if you install the Linux version inside WSL2, it displays a message directing you to install the Windows version instead and use the remote extension approach.

Installation and the argv.json Requirement

Install the extension from Kiro’s extension panel or the command line:

kiro --install-extension jeanp413.open-remote-wsl

This is the step most people miss. The extension requires proposed API access to function. Without it, the extension installs silently but does nothing. Enable it in your ~/.kiro/argv.json file (or open it via the command palette: Preferences: Configure Runtime Arguments):

{
    "enable-proposed-api": [
        "jeanp413.open-remote-wsl"
    ]
}

Restart Kiro after making this change. If you have other entries in argv.json, add the enable-proposed-api array alongside them — don’t replace the file contents. If WSL commands don’t appear in the command palette after installing the extension, this missing configuration is almost certainly the reason.

After installation, the command palette gains WSL-specific commands:

• WSL: New Window — Open a new Kiro window connected to your default WSL distribution
• WSL: New Window using Distro... — Choose a specific distribution
• WSL: Open Folder in WSL... — Open a Linux folder directly
• WSL: Reopen Folder in WSL — Switch the current folder to WSL context

The Terminal Default Profile Gotcha

With the extension installed and a WSL2 folder open, Kiro’s agentic chat will attempt to run terminal commands. By default, it routes them to PowerShell — not the WSL terminal. This means commands that should execute in your Linux environment run in Windows instead, producing confusing failures.

The fix is to set the WSL distribution as your default terminal profile. Add this to your Kiro settings (%APPDATA%\Kiro\User\settings.json):

{
    "wsl.defaultDistro": "Ubuntu",
    "terminal.integrated.defaultProfile.windows": "WSL (Ubuntu)",
    "terminal.integrated.profiles.windows": {
        "WSL (Ubuntu)": {
            "path": "C:\\Windows\\System32\\wsl.exe",
            "args": ["-d", "Ubuntu"]
        }
    }
}

Replace Ubuntu with your distribution name. This ensures both manual terminal sessions and agent-initiated commands execute inside WSL2.

Opening WSL2 Folders

From PowerShell or the Windows command line:

# Open a specific Linux folder
kiro --folder-uri "vscode-remote://wsl+Ubuntu/home/username/projects"

# Open with the --remote flag
kiro --remote wsl+Ubuntu

From inside a WSL2 terminal:

# If the kiro CLI is on PATH (installed by the Windows Kiro installer)
kiro .

Note: launching kiro . from inside WSL2 doesn’t always auto-detect the WSL context correctly. If Kiro opens in Windows mode instead of WSL mode, use the explicit --folder-uri or --remote flags from PowerShell, or use the command palette (WSL: Open Folder in WSL...) from within Kiro.

A community-contributed launcher script addresses this by detecting whether the path is a WSL path and automatically constructing the correct --folder-uri:

#!/bin/bash
# Save as /usr/local/bin/kiro-wsl or replace the Kiro bin/kiro script
KIRO_ROOT="$(dirname "$(dirname "$(readlink -f "$0")")")"

ARGS=()
for arg in "$@"; do
    if [[ "$arg" != -* ]] && { [ -d "$arg" ] || [[ "$arg" == "." ]] || [[ "$arg" == ".." ]]; }; then
        FOLDER="$(realpath -m "$arg")"
        ARGS+=("--folder-uri" "vscode-remote://wsl+${WSL_DISTRO_NAME}${FOLDER}")
    elif [[ "$arg" != -* ]] && [ -f "$arg" ]; then
        FILE="$(realpath -m "$arg")"
        ARGS+=("--file-uri" "vscode-remote://wsl+${WSL_DISTRO_NAME}${FILE}")
    else
        ARGS+=("$arg")
    fi
done

"$KIRO_ROOT/Kiro.exe" "${ARGS[@]}" </dev/null &>/dev/null &
disown

The Kiro Update Breakage Cycle

This is the most significant operational issue. When Kiro updates, the kiro-server binary installed inside WSL2 (at ~/.kiro-server/) becomes incompatible with the new Kiro version. The extension tries to install a new server, and the installation script can fail — sometimes due to stale cached binaries, sometimes due to quoting bugs in the generated bash script.

The symptom is always the same:

[Error] Error resolving authority
Error: Couldn't install vscode server on remote server,
       install script returned non-zero exit status

Recovery Procedure

When WSL2 connectivity breaks after a Kiro update:

# Inside WSL2
rm -rf ~/.kiro-server

Then restart Kiro and reconnect to WSL2. The extension will perform a fresh server installation. This has been the reliable fix across multiple Kiro versions (confirmed working through v0.1.25 and beyond in the tracking issue).

The Server Installation Script Quoting Bug

In some Kiro versions, the server installation script that the extension generates contains improperly escaped single quotes ('\'') that fail in bash. If the rm -rf ~/.kiro-server approach doesn’t resolve the issue:

1. Open Kiro’s Output panel and select the WSL extension output channel
2. Copy the full bash script content from the output
3. Save it to a file inside WSL2 (e.g., ~/kiro-server-install.sh)
4. Fix the three quoting errors (look for '\'' patterns that break bash parsing)
5. Run the fixed script manually: bash ~/kiro-server-install.sh

This is a known issue in the community extension’s server bootstrapping code. The manual fix is tedious but reliable.

WSL2 Path Escaping Issues

Kiro’s agent sometimes generates Windows-style UNC paths when it should be using Linux paths inside WSL2. Commands like:

cd "\\wsl.localhost\Ubuntu\home\username\project"

…fail because the agent is constructing a Windows UNC path instead of the native Linux path /home/username/project. This is a known limitation of how the remote extension bridges the two filesystems. The agent doesn’t always correctly detect that it’s operating in a Linux context.

There’s no configuration fix for this — it’s a behavioral issue in how Kiro’s agent interacts with the remote extension’s filesystem abstraction. When it happens, the workaround is to manually correct the path in the terminal or re-prompt the agent with explicit Linux path context.

Chat Window Disabled: “Unsafe Environment”

Some users report that after connecting to WSL2, the Kiro chat sidebar shows “Drag a view here to display” or displays an “unsafe environment” warning that disables the chat window entirely. This appears to be related to workspace trust settings.

If you encounter this:

1. Open the command palette and run Workspaces: Manage Workspace Trust
2. Trust the WSL2 workspace folder
3. If the chat window still doesn’t appear, close the WSL2 window and reopen it via WSL: New Window

The alternative approach — running the Linux version of Kiro natively inside WSL2 via WSLg — avoids this issue entirely but introduces its own problems (GUI scaling issues on multi-monitor setups, occasional terminal hangs, and general WSLg instability).

MCP Servers in WSL2

This is where WSL2 support becomes particularly relevant for Kiro’s agentic workflows. MCP servers that depend on Linux toolchains — Python uvx packages, Node.js tools, Docker containers — run natively inside WSL2 rather than through Windows compatibility layers.

When Kiro connects to WSL2 via the Open Remote extension, the kiro-agent’s MCP server processes spawn inside the Linux environment. This means:

• uvx-based MCP servers use the Linux Python installation
• Docker-based MCP servers connect to the WSL2 Docker daemon
• File paths in MCP server configs use Linux paths (/home/...), not Windows paths
• Environment variables resolve from the Linux shell, not PowerShell

WSL2-Side Configuration

The ~/.kiro directory inside WSL2 is independent from %USERPROFILE%\.kiro on the Windows side. When connected to WSL2, Kiro reads:

/home/username/.kiro/
├── settings/mcp.json    # MCP servers configured for Linux execution
├── powers/              # Powers available in Linux context
├── hooks/               # Hooks that run in Linux shell
├── steering/            # Steering rules
└── secrets/             # Linux-side credentials

This natural separation means your Windows-side Kiro configuration (with Windows-native MCP servers) and your WSL2-side configuration (with Linux-native MCP servers) are already isolated by the filesystem boundary. You don’t need the persona isolation techniques to separate Windows and Linux configs — the remote extension handles that by virtue of running in a different filesystem.

The Alternative: Running Kiro Natively in WSL2

Several users in the tracking issue have tried running the Linux .deb version of Kiro directly inside WSL2 using WSLg (Windows Subsystem for Linux GUI). This bypasses the remote extension entirely — Kiro runs as a native Linux application with direct filesystem access.

It works, with caveats:

• Multi-monitor scaling: WSLg doesn’t respect Windows display scaling. On multi-monitor setups (especially mixed DPI), the mouse cursor may be oversized and click targets may be offset.
• Terminal stability: The integrated terminal can hang after extended use in some configurations.
• GTK dependencies: Requires up-to-date GTK packages in the WSL2 distribution. Missing or outdated libraries cause rendering issues.
• Performance: Noticeably slower than the remote extension approach for UI rendering.

Kiro itself discourages this approach — the Linux installer displays a message suggesting you use the Windows version with the remote extension instead. But for developers who find the remote extension’s breakage cycle unacceptable, it’s a viable if rough alternative.

Relationship to Persona Isolation

If you’re running parallel Kiro personas on Windows, WSL2 adds a third dimension to the isolation story. The Windows-side personas (director and developer) each have their own %USERPROFILE%\.kiro-* directories. When either persona connects to WSL2, it sees the single /home/username/.kiro/ inside Linux.

For most workflows this is fine — the WSL2 config is developer-focused by nature. The more common pattern is: director persona runs on Windows (Atlassian, GitLab, observability MCPs), developer persona connects to WSL2 (code toolchains, Docker, Linux-native MCP servers).

Setup Checklist

1. Install WSL2 with your preferred distribution (wsl --install -d Ubuntu)
2. Install the Open Remote - WSL extension in Kiro (jeanp413.open-remote-wsl)
3. Enable proposed API in ~/.kiro/argv.json — this is the step most people miss
4. Restart Kiro
5. Set WSL as the default terminal profile in Kiro settings
6. Open a WSL2 folder (command palette → WSL: New Window)
7. On first connection, allow the kiro-server installation inside WSL2
8. Configure ~/.kiro/settings/mcp.json inside WSL2 for Linux-native MCP servers
9. Verify MCP servers start correctly from the Kiro terminal (should show Linux paths)

After Every Kiro Update

1. If WSL2 connectivity breaks: rm -rf ~/.kiro-server inside WSL2, then restart Kiro
2. If that doesn’t work: extract the server install script from Kiro’s Output panel, fix quoting, run manually
3. Verify argv.json still contains the enable-proposed-api entry (updates occasionally reset it)

The State of Things

WSL2 support in Kiro is functional but fragile. The community extension works, the configuration is straightforward once you know about argv.json, and the recovery procedure after updates is reliable. But it’s a community-maintained bridge over a gap that arguably shouldn’t exist in a product targeting Windows developers.

The tracking issue remains open with the pending-maintainer-response label. Multiple users have requested either native WSL support or at minimum official documentation for the community extension setup. Until one of those happens, this article and that issue thread are the primary references.

References

• Kiro GitHub Issue #17: WSL Support — The canonical community thread
• Open Remote - WSL on Open VSX
• jeanp413/open-remote-wsl on GitHub
• WSL2 Documentation
• Kiro IDE: Running Parallel Personas — Companion article on persona isolation

Migration context: On May 1, 2026, AWS published the Amazon Q Developer end-of-support announcement. If you’re evaluating Kiro as the migration path from Amazon Q Developer, the timeline is now official. The configuration depth covered here is worth understanding before you commit to the switch.

My use case: a Senior Director persona loaded with Atlassian (Jira, Confluence), GitLab, NewRelic, Wiz, and AWS pricing MCPs for ticket management, architecture reviews, and operational oversight — running alongside a developer persona stripped down to Terraform, AWS docs, and code-focused tooling. These configurations don’t overlap well. The director’s MCP servers add latency, consume resources, and clutter the tool list when I’m writing code. The developer’s minimal setup lacks the integrations I need when triaging incidents or managing a sprint.

VS Code solved this years ago with profiles. Kiro inherited the --profile flag, but it doesn’t do what you’d expect.

The Problem: What --profile Actually Isolates

Kiro has two separate configuration stores:

The --profile flag creates named profiles under the VS Code state directory — separate editor settings, extensions, keybindings, and UI state. That’s the inherited VS Code profile system working as designed.

But everything that makes Kiro Kiro lives in ~/.kiro/:

~/.kiro/
├── agents/          # Agent persona definitions
├── hooks/           # Automation hooks (AWS guard rails, VPN checks)
├── powers/          # MCP power integrations (Atlassian, GitLab, etc.)
├── settings/
│   └── mcp.json     # MCP server configurations
├── steering/        # Steering rules
├── skills/          # Custom skills
└── secrets/         # Encrypted credentials

All profiles share this single ~/.kiro/ directory. There’s no flag, environment variable, or configuration option to redirect it.

How Kiro Resolves the ~/.kiro Path

I traced the path resolution through Kiro’s source to understand the full chain. There are two independent code paths that both land on ~/.kiro:

Main Process (Electron Layer)

The main Electron process resolves user data through a priority chain:

1. VSCODE_PORTABLE env var  → join(PORTABLE, "user-data")
2. VSCODE_APPDATA env var   → join(VSCODE_APPDATA, nameShort)
3. --user-data-dir flag     → direct path
4. Platform default         → macOS: ~/Library/Application Support/Kiro
                              Windows: %APPDATA%\Kiro

For ~/.kiro specifically (argv.json, extensions, policy), it uses:

// product.json: dataFolderName = ".kiro"
get argvResource() {
    const portable = process.env.VSCODE_PORTABLE;
    return portable
        ? URI.file(join(portable, "argv.json"))
        : joinPath(this.userHome, this.product.dataFolderName, "argv.json");
}

this.userHome comes from os.homedir(), which on both macOS and Windows reads the HOME / USERPROFILE environment variable.

Kiro Agent Extension (Powers, Hooks, Agents)

The kiro-agent extension — the code that actually loads powers, hooks, agents, and steering — has its own getHomeDir function:

var getHomeDir = () => {
    const { HOME, USERPROFILE, HOMEPATH, HOMEDRIVE = `C:${path.sep}` } = process.env;
    if (HOME) return HOME;
    if (USERPROFILE) return USERPROFILE;
    if (HOMEPATH) return `${HOMEDRIVE}${HOMEPATH}`;
    // ... fallback to os.homedir()
};

Then it hardcodes the .kiro string:

const powersPath = path.join(this.homeDir, ".kiro", "powers", "installed", name);
const mcpSettingsPath = path.join(this.homeDir, ".kiro", "settings", "mcp.json");
const steeringDir = path.join(this.homeDir, ".kiro", "steering");

The string ".kiro" is not read from product.json — it’s a literal in the extension bundle. This is the key constraint that shapes every solution.

What Doesn’t Work

Before covering what does work, here’s what I evaluated and rejected:

--profile flag: Only isolates VS Code state, not ~/.kiro/. Useless for this problem.

VSCODE_PORTABLE env var: Redirects the VS Code data path chain (user-data, extensions, argv), but the kiro-agent extension ignores it entirely and still reads ~/.kiro/ from HOME/USERPROFILE. Partial solution at best.

--user-data-dir flag: Same limitation — redirects VS Code state but not the kiro-agent’s ~/.kiro/ resolution.

Symlink swapping: Works for sequential use but not parallel. Two simultaneous Kiro instances would race on the symlink target.

Approach 1: HOME/USERPROFILE Override

The kiro-agent checks HOME (macOS/Linux) or USERPROFILE (Windows) before falling back to os.homedir(). Override it per instance, and each Kiro resolves a different ~/.kiro.

macOS

Create a fake home directory per persona that symlinks everything back to the real home except .kiro:

# One-time setup
REAL_HOME="$HOME"
PERSONA_HOME="$HOME/kiro-homes/engineer"
mkdir -p "$PERSONA_HOME"

# Symlink .kiro to persona-specific config
cp -R ~/.kiro ~/.kiro-engineer
ln -sfn ~/.kiro-engineer "$PERSONA_HOME/.kiro"

# Symlink everything else Kiro or shells might need
for item in .zshrc .zshenv .ssh .gnupg .gitconfig .config Library; do
    ln -sfn "$REAL_HOME/$item" "$PERSONA_HOME/$item" 2>/dev/null
done

# Launch
env HOME="$PERSONA_HOME" \
    kiro --user-data-dir "$REAL_HOME/Library/Application Support/Kiro-Engineer"

Windows (PowerShell)

$realProfile = $env:USERPROFILE
$personaHome = "$realProfile\kiro-homes\engineer"
New-Item -ItemType Directory -Force -Path $personaHome

# Copy .kiro config
Copy-Item -Recurse "$realProfile\.kiro" "$realProfile\.kiro-engineer"

# Symlink .kiro in fake home (requires Developer Mode or admin)
New-Item -ItemType SymbolicLink -Path "$personaHome\.kiro" -Target "$realProfile\.kiro-engineer"

# Symlink essentials back to real profile
foreach ($item in @('.ssh', '.gitconfig', 'AppData', 'Documents', 'Downloads')) {
    if (Test-Path "$realProfile\$item") {
        New-Item -ItemType SymbolicLink -Path "$personaHome\$item" -Target "$realProfile\$item" -ErrorAction SilentlyContinue
    }
}

# Launch
$env:USERPROFILE = $personaHome
& "$env:LOCALAPPDATA\Programs\Kiro\Kiro.exe" --user-data-dir "$realProfile\AppData\Roaming\Kiro-Engineer"
$env:USERPROFILE = $realProfile

Trade-offs: Works on both platforms. The fake home directory is the main annoyance — any tool that resolves paths relative to HOME/USERPROFILE sees the fake home. The symlinks cover common cases, but you’ll occasionally discover something missing and need to add another symlink. On Windows, creating symlinks requires either Developer Mode enabled or an elevated prompt.

Approach 2: Duplicate App with Patched product.json

Copy the Kiro installation, modify product.json to change the dataFolderName, and patch the kiro-agent extension to match. Each copy is a fully independent Kiro instance.

macOS

# Copy the app bundle
cp -R /Applications/Kiro.app /Applications/Kiro-Engineer.app

# Patch product.json
python3 -c "
import json
p = '/Applications/Kiro-Engineer.app/Contents/Resources/app/product.json'
with open(p) as f: d = json.load(f)
d['dataFolderName'] = '.kiro-engineer'
d['darwinBundleIdentifier'] = 'dev.kiro.desktop.engineer'
with open(p, 'w') as f: json.dump(d, f, indent=2)
"

# Patch the kiro-agent extension (hardcoded ".kiro" string)
sed -i '' 's/".kiro"/".kiro-engineer"/g' \
    /Applications/Kiro-Engineer.app/Contents/Resources/app/extensions/kiro.kiro-agent/dist/extension.js

# Re-sign (macOS requires valid signature)
codesign --remove-signature /Applications/Kiro-Engineer.app
codesign --force --deep --sign - /Applications/Kiro-Engineer.app

# Create the engineer's config directory
cp -R ~/.kiro ~/.kiro-engineer

The darwinBundleIdentifier change is critical — macOS uses it to distinguish app instances. With different bundle IDs, both apps appear separately in the Dock and can run truly in parallel.

Windows

No code signing needed. The parallel-instance constraint on Windows is a named mutex:

# Copy the installation
$source = "$env:LOCALAPPDATA\Programs\Kiro"
$dest = "$env:LOCALAPPDATA\Programs\Kiro-Engineer"
Copy-Item -Recurse -Path $source -Destination $dest

# Patch product.json
$productJson = "$dest\resources\app\product.json"
$product = Get-Content $productJson | ConvertFrom-Json
$product.dataFolderName = ".kiro-engineer"
$product.win32MutexName = "kiro-engineer"
$product.win32AppUserModelId = "Kiro-Engineer"
$product | ConvertTo-Json -Depth 10 | Set-Content $productJson

# Patch kiro-agent extension
$extJs = "$dest\resources\app\extensions\kiro.kiro-agent\dist\extension.js"
(Get-Content $extJs -Raw) -replace '".kiro"', '".kiro-engineer"' | Set-Content $extJs

# Create the engineer's config directory
Copy-Item -Recurse "$env:USERPROFILE\.kiro" "$env:USERPROFILE\.kiro-engineer"

# Optional: create Start Menu shortcut
$shell = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Kiro Engineer.lnk")
$shortcut.TargetPath = "$dest\Kiro.exe"
$shortcut.Save()

The win32MutexName change is the Windows equivalent of darwinBundleIdentifier — without it, the second instance would detect the mutex and hand off to the first instance instead of launching independently.

Trade-offs: Cleanest runtime behavior — no fake home directories, no symlink gymnastics, both instances use your real home directory for git, SSH, and everything else. The cost is maintenance: you re-apply the patch after every Kiro update. A 10-line script handles it.

Approach 3: Portable Mode (Partial Solution)

Kiro inherits VS Code’s portable mode. If a specific directory exists, Kiro auto-sets VSCODE_PORTABLE and redirects all VS Code state into it:

# macOS: enable portable mode
mkdir -p "/Applications/Kiro.app/Contents/Resources/kiro-portable-data/tmp"

# Windows (PowerShell): enable portable mode
New-Item -ItemType Directory -Force -Path "$env:LOCALAPPDATA\Programs\Kiro\data\tmp"

This redirects user-data, extensions, argv.json, and policy — but not the kiro-agent’s ~/.kiro/ resolution. Powers, hooks, agents, and steering still come from the home directory. Portable mode is useful for carrying a self-contained Kiro on a USB drive, but it doesn’t solve the persona isolation problem on its own.

Recommended Setup

For parallel personas, I recommend Approach 2 (duplicate app + patch) because:

• Both instances run simultaneously with full isolation
• No fake home directories or symlink maintenance
• Each instance appears as a separate app in the Dock / Taskbar
• Git, SSH, and shell tools work normally from both instances
• The only maintenance is re-running the patch script after Kiro updates

Post-Setup: Stripping the Developer Persona

After creating ~/.kiro-engineer, remove the director-specific integrations:

# Remove director powers
rm -rf ~/.kiro-engineer/powers/atlassian
rm -rf ~/.kiro-engineer/powers/gitlab
rm -rf ~/.kiro-engineer/powers/github

# Remove director agents
rm ~/.kiro-engineer/agents/app-expert-*.md
rm ~/.kiro-engineer/agents/iac-expert-*.md

# Remove director hooks
rm ~/.kiro-engineer/hooks/aws-*.kiro.hook
rm ~/.kiro-engineer/hooks/vpn-check-gitlab.kiro.hook

Then edit ~/.kiro-engineer/settings/mcp.json to keep only coding-relevant MCP servers (Terraform, AWS docs) and remove Atlassian, GitLab, NewRelic, and Wiz.

Update Automation

macOS (update-kiro-engineer.sh)

#!/bin/bash
set -euo pipefail

APP="/Applications/Kiro-Engineer.app"
SRC="/Applications/Kiro.app"
PRODUCT="$APP/Contents/Resources/app/product.json"
EXTENSION="$APP/Contents/Resources/app/extensions/kiro.kiro-agent/dist/extension.js"

echo "Updating Kiro-Engineer from Kiro..."
rm -rf "$APP"
cp -R "$SRC" "$APP"

python3 -c "
import json
with open('$PRODUCT') as f: d = json.load(f)
d['dataFolderName'] = '.kiro-engineer'
d['darwinBundleIdentifier'] = 'dev.kiro.desktop.engineer'
with open('$PRODUCT', 'w') as f: json.dump(d, f, indent=2)
"

sed -i '' 's/\".kiro\"/\".kiro-engineer\"/g' "$EXTENSION"

codesign --remove-signature "$APP"
codesign --force --deep --sign - "$APP"

echo "Done. ~/.kiro-engineer/ config is preserved."

Windows (Update-KiroEngineer.ps1)

$source = "$env:LOCALAPPDATA\Programs\Kiro"
$dest = "$env:LOCALAPPDATA\Programs\Kiro-Engineer"

Write-Host "Updating Kiro-Engineer from Kiro..."
Remove-Item -Recurse -Force $dest -ErrorAction SilentlyContinue
Copy-Item -Recurse -Path $source -Destination $dest

$productJson = "$dest\resources\app\product.json"
$product = Get-Content $productJson | ConvertFrom-Json
$product.dataFolderName = ".kiro-engineer"
$product.win32MutexName = "kiro-engineer"
$product.win32AppUserModelId = "Kiro-Engineer"
$product | ConvertTo-Json -Depth 10 | Set-Content $productJson

$extJs = "$dest\resources\app\extensions\kiro.kiro-agent\dist\extension.js"
(Get-Content $extJs -Raw) -replace '".kiro"', '".kiro-engineer"' | Set-Content $extJs

Write-Host "Done. $env:USERPROFILE\.kiro-engineer\ config is preserved."

Platform-Specific Notes

macOS

• Ad-hoc code signing (codesign --force --deep --sign -) is required after modifying any file inside the .app bundle. macOS Gatekeeper will block unsigned modified apps.
• The darwinBundleIdentifier must differ between copies for macOS to treat them as separate applications. Without this, the second instance may not launch or may share window state with the first.
• Kiro auto-updates only affect the original /Applications/Kiro.app. The engineer copy must be manually updated via the script above.

Windows 11 Pro

• No code signing is required for locally installed applications.
• The win32MutexName must differ between copies. Windows uses a named kernel mutex for single-instance enforcement — identical mutex names cause the second launch to hand off to the existing instance.
• If Kiro was installed via the system installer (to C:\Program Files\Kiro\), copying and patching requires administrator privileges. The user installer (%LOCALAPPDATA%\Programs\Kiro\) does not have this limitation.
• Creating symbolic links on Windows requires either Developer Mode enabled in Settings or an elevated PowerShell prompt. This only matters for Approach 1 (HOME override). Approach 2 doesn’t need symlinks.
• Kiro auto-updates only affect the original installation. The engineer copy must be manually updated.

What Kiro Could Do Natively

The underlying issue is that the kiro-agent extension hardcodes ".kiro" as a string literal rather than reading dataFolderName from product.json or exposing a configuration option. If the agent resolved its config directory through the same dataFolderName mechanism the main process uses, the --profile flag or --user-data-dir could potentially isolate everything.

Even simpler: a KIRO_HOME environment variable that overrides the ~/.kiro path would eliminate the need for any of these workarounds. VS Code’s VSCODE_PORTABLE demonstrates the pattern — Kiro just needs to extend it to the agent layer.

Until then, the duplicate-and-patch approach works reliably on both platforms. The friction is real, but the workaround is a one-time setup plus a 10-second script after updates.