workoho · pull · Apr 1, 2026 · Apr 1, 2026 · Apr 1, 2026 · Apr 2, 2026
diff --git a/.github/VOUCHED.td b/.github/VOUCHED.td
@@ -0,0 +1,17 @@
+# Vouched contributors for this project.
+#
+# See https://github.com/mitchellh/vouch for details.
+#
+# Syntax:
+#   - One handle per line (without @), sorted alphabetically.
+#   - Optional platform prefix: platform:username (e.g., github:user).
+#   - Denounce with minus prefix: -username or -platform:username.
+#   - Optional details after a space following the handle.
+-betterandbetterii impersonate as dvorak0, goestav, Kjasn, Loongphy, TonyRL, ttttmr and xbot. https://github.com/DIYgod/RSSHub/commit/9e6f84df79bc9efcfabb0ca0768d7fded6775a1a.
+diygod
+henryqw
+hyoban
+neverbehave
+pseudoyu
+tonyrl
+zhenlonghe
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -35,6 +35,7 @@ updates:
                   - '@oxlint/*'
                   - 'oxfmt'
                   - 'oxlint'
+                  - 'oxlint-plugin-eslint'
                   - 'oxlint-tsgolint'
           proxy-agent:
               patterns:
@@ -44,6 +45,19 @@ updates:
           typescript-eslint:
               patterns:
                   - '@typescript-eslint/*'
+          vitest:
+              patterns:
+                  - 'vitest'
+                  - '@vitest/coverage-v8'
+
+    - package-ecosystem: 'nix'
+      directory: '/'
+      schedule:
+          interval: daily
+          time: '08:00'
+      open-pull-requests-limit: 100
+      labels:
+          - dependencies
 
     - package-ecosystem: 'github-actions'
       directory: '/'

diff --git a/.github/workflows/build-assets.yml b/.github/workflows/build-assets.yml
@@ -20,7 +20,7 @@ jobs:
             - name: Checkout
               uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
             - name: Install pnpm
-              uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
+              uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
             - name: Use Node.js Active LTS
               uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
               with:

diff --git a/.github/workflows/comment-on-issue.yml b/.github/workflows/comment-on-issue.yml
@@ -14,15 +14,15 @@ jobs:
         if: github.event.sender.login != 'issuehunt-oss[bot]'
         steps:
             - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
             - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
               with:
                   node-version: lts/*
                   cache: 'pnpm'
             - name: Install dependencies (pnpm) # import remark-parse and unified
               run: pnpm i
             - name: Generate feedback
-              uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
               with:
                   github-token: ${{ secrets.GITHUB_TOKEN }}
                   script: |

diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
@@ -74,13 +74,13 @@ jobs:
               uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
             - name: Log in to Docker Hub
-              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+              uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
               with:
                   username: ${{ vars.DOCKER_USERNAME }}
                   password: ${{ secrets.DOCKER_PASSWORD }}
 
             - name: Log in to the Container registry
-              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+              uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
               with:
                   registry: ghcr.io
                   username: ${{ github.actor }}
@@ -107,7 +107,7 @@ jobs:
 
             - name: Build and push Docker image (ordinary version)
               id: build-and-push
-              uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+              uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
               with:
                   context: .
                   tags: ${{ steps.image-name-ordinary.outputs.tags }}
@@ -132,7 +132,7 @@ jobs:
                   touch "${{ runner.temp }}/digests/ordinary/${digest#sha256:}"
 
             - name: Upload digest (ordinary version)
-              uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+              uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
               with:
                   name: digests-ordinary-${{ env.PLATFORM_PAIR }}
                   path: ${{ runner.temp }}/digests/ordinary/*
@@ -160,7 +160,7 @@ jobs:
 
             - name: Build and push Docker image (Chromium-bundled version)
               id: build-and-push-chromium
-              uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+              uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
               with:
                   context: .
                   build-args: PUPPETEER_SKIP_DOWNLOAD=0
@@ -187,7 +187,7 @@ jobs:
                   touch "${{ runner.temp }}/digests/chromium/${digest#sha256:}"
 
             - name: Upload digest (Chromium-bundled version)
-              uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+              uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
               with:
                   name: digests-chromium-${{ env.PLATFORM_PAIR }}
                   path: ${{ runner.temp }}/digests/chromium/*
@@ -207,13 +207,13 @@ jobs:
               uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
             - name: Log in to Docker Hub
-              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+              uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
               with:
                   username: ${{ vars.DOCKER_USERNAME }}
                   password: ${{ secrets.DOCKER_PASSWORD }}
 
             - name: Log in to the Container registry
-              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+              uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
               with:
                   registry: ghcr.io
                   username: ${{ github.actor }}

diff --git a/.github/workflows/docker-test-cont.yml b/.github/workflows/docker-test-cont.yml
@@ -23,17 +23,13 @@ jobs:
                   GH_TOKEN: ${{ github.token }}
                   # Best practice for scripts is to reference via ENV at runtime. Avoid using the expression syntax in the script content directly:
                   PR_TARGET_REPO: ${{ github.repository }}
-                  # If the PR is from a fork, prefix it with `<owner-login>:`, otherwise only the PR branch name is relevant:
-                  PR_BRANCH: |-
-                      ${{
-                        (github.event.workflow_run.head_repository.owner.login != github.event.workflow_run.repository.owner.login)
-                          && format('{0}:{1}', github.event.workflow_run.head_repository.owner.login, github.event.workflow_run.head_branch)
-                          || github.event.workflow_run.head_branch
-                      }}
+                  # The REST API `head` filter requires `<owner>:<branch>` format
+                  PR_BRANCH: ${{ format('{0}:{1}', github.event.workflow_run.head_repository.owner.login, github.event.workflow_run.head_branch) }}
               # Query the PR number by repo + branch, then assign to step output:
               run: |
-                  gh pr view --repo "${PR_TARGET_REPO}" "${PR_BRANCH}" \
-                    --json 'number' --jq '"number=\(.number)"' \
+                  gh api "repos/${PR_TARGET_REPO}/pulls" \
+                    --method GET -f head="${PR_BRANCH}" -f state=open \
+                    --jq '.[0] | "number=\(.number)"' \
                     >> "${GITHUB_OUTPUT}"
 
             - name: Fetch PR data via GitHub API
@@ -46,7 +42,7 @@ jobs:
               env:
                   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
 
             - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
               with:
@@ -58,7 +54,7 @@ jobs:
 
             - name: Fetch affected routes
               id: fetch-route
-              uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
               env:
                   PULL_REQUEST: ${{ steps.pr-data.outputs.data }}
               with:
@@ -74,7 +70,7 @@ jobs:
 
             - name: Fetch Docker image
               if: (env.TEST_CONTINUE)
-              uses: dawidd6/action-download-artifact@8a338493df3d275e4a7a63bcff3b8fe97e51a927 # v19
+              uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
               with:
                   workflow: ${{ github.event.workflow_run.workflow_id }}
                   run_id: ${{ github.event.workflow_run.id }}
@@ -127,7 +123,7 @@ jobs:
               if: (env.TEST_CONTINUE)
               id: generate-feedback
               timeout-minutes: 10
-              uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
               env:
                   TEST_BASEURL: http://localhost:1200
                   TEST_ROUTES: ${{ steps.fetch-route.outputs.result }}
@@ -171,17 +167,13 @@ jobs:
                   GH_TOKEN: ${{ github.token }}
                   # Best practice for scripts is to reference via ENV at runtime. Avoid using the expression syntax in the script content directly:
                   PR_TARGET_REPO: ${{ github.repository }}
-                  # If the PR is from a fork, prefix it with `<owner-login>:`, otherwise only the PR branch name is relevant:
-                  PR_BRANCH: |-
-                      ${{
-                        (github.event.workflow_run.head_repository.owner.login != github.event.workflow_run.repository.owner.login)
-                          && format('{0}:{1}', github.event.workflow_run.head_repository.owner.login, github.event.workflow_run.head_branch)
-                          || github.event.workflow_run.head_branch
-                      }}
+                  # The REST API `head` filter requires `<owner>:<branch>` format
+                  PR_BRANCH: ${{ format('{0}:{1}', github.event.workflow_run.head_repository.owner.login, github.event.workflow_run.head_branch) }}
               # Query the PR number by repo + branch, then assign to step output:
               run: |
-                  gh pr view --repo "${PR_TARGET_REPO}" "${PR_BRANCH}" \
-                    --json 'number' --jq '"number=\(.number)"' \
+                  gh api "repos/${PR_TARGET_REPO}/pulls" \
+                    --method GET -f head="${PR_BRANCH}" -f state=open \
+                    --jq '.[0] | "number=\(.number)"' \
                     >> "${GITHUB_OUTPUT}"
 
             - name: Pull Request Labeler

diff --git a/.github/workflows/docker-test.yml b/.github/workflows/docker-test.yml
@@ -40,7 +40,7 @@ jobs:
                   flavor: latest=true
 
             - name: Build Docker image
-              uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+              uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
               with:
                   context: .
                   build-args: PUPPETEER_SKIP_DOWNLOAD=0 # also test bundling Chromium
@@ -69,7 +69,7 @@ jobs:
               run: docker save rsshub:latest | zstdmt -o rsshub.tar.zst
 
             - name: Upload Docker image
-              uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+              uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
               with:
                   name: docker-image
                   path: rsshub.tar.zst

diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
@@ -15,7 +15,7 @@ jobs:
 
         steps:
             - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
             - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
               with:
                   node-version: lts/*

diff --git a/.github/workflows/issue-command.yml b/.github/workflows/issue-command.yml
@@ -36,6 +36,49 @@ jobs:
                   token: ${{ secrets.GITHUB_TOKEN }}
                   trigger: '/wip'
 
+    vouch-manage:
+        name: Vouch Manage
+        if: ${{ startsWith(github.event.comment.body, 'vouch') || startsWith(github.event.comment.body, 'unvouch') || startsWith(github.event.comment.body, 'denounce') }}
+        runs-on: ubuntu-slim
+        timeout-minutes: 5
+        permissions:
+            contents: write
+            issues: write
+            pull-requests: write
+        concurrency:
+            group: vouch-manage
+            cancel-in-progress: false
+        steps:
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+            - id: vouch
+              uses: mitchellh/vouch/action/manage-by-issue@c6d80ead49839655b61b422700b7a3bc9d0804a9 # v1.4.2
+              with:
+                  issue-id: ${{ github.event.issue.number }}
+                  comment-id: ${{ github.event.comment.id }}
+                  roles: admin,maintain,write
+              env:
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Close PR if denounced
+              if: ${{ github.event.issue.pull_request && steps.vouch.outputs.status == 'denounced' }}
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+              with:
+                  script: |
+                      const prNumber = context.payload.issue.number;
+                      await github.rest.issues.createComment({
+                          owner: context.repo.owner,
+                          repo: context.repo.repo,
+                          issue_number: prNumber,
+                          body: 'This pull request has been automatically closed.',
+                      });
+                      await github.rest.pulls.update({
+                          owner: context.repo.owner,
+                          repo: context.repo.repo,
+                          pull_number: prNumber,
+                          state: 'closed',
+                      });
+
     test-on-demand:
         name: Test route on demand
         if: startsWith(github.event.comment.body, '/test')
@@ -68,7 +111,7 @@ jobs:
                   ref: ${{ fromJson(steps.pr-data.outputs.data).head.ref }}
 
             - name: Install pnpm
-              uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
+              uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
 
             - name: Use Node.js Active LTS
               uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
@@ -81,7 +124,7 @@ jobs:
 
             - name: Fetch affected routes
               id: fetch-route
-              uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
               env:
                   EVENT: ${{ toJson(github.event) }}
               with:
@@ -109,7 +152,7 @@ jobs:
 
             - name: Generate feedback
               if: env.TEST_CONTINUE
-              uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
               env:
                   TEST_BASEURL: http://localhost:1200
                   TEST_ROUTES: ${{ steps.fetch-route.outputs.result }}
@@ -129,7 +172,7 @@ jobs:
               run: cat ${{ github.workspace }}/logs/combined.log
 
             - name: Upload Artifact
-              uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+              uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
               with:
                   name: logs
                   path: logs

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -21,7 +21,7 @@ jobs:
             security-events: write
         steps:
             - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
             - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
               with:
                   node-version: lts/*
@@ -39,7 +39,7 @@ jobs:
                   sarif_file: oxlint-results.sarif
                   wait-for-processing: true
             - name: Upload Artifact
-              uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+              uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
               with:
                   path: oxlint-results.sarif
 
@@ -68,3 +68,23 @@ jobs:
             - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
               with:
                   repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+    vouch-check-pr:
+        name: Vouch check PR
+        if: ${{ github.event_name == 'pull_request_target' && github.event.action == 'opened' && github.repository == 'DIYgod/RSSHub' }}
+        permissions:
+            contents: read
+            issues: write
+            pull-requests: write
+        runs-on: ubuntu-slim
+        timeout-minutes: 5
+        steps:
+            - name: Checkout
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+            - name: Check if PR author is denounced
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+              with:
+                  script: |
+                      const { default: checkPr } = await import('${{ github.workspace }}/scripts/workflow/vouch/check-pr.mjs')
+                      await checkPr({ github, context, core })
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -23,7 +23,7 @@ jobs:
             HUSKY: 0
         steps:
             - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
             - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
               with:
                   node-version: lts/*