CatOps
DevOps and other issues by Yurii Rochniak (@grem1in) - SRE @ Preply && Maksym Vlasov (@MaxymVlasov) - Engineer @ Star. Opinions on our own.

We do not post ads including event announcements. Please, do not bother us with such requests!
GitHub presented Mermaid - a tool to include diagrams into Markdown files.

Basically, it allows outputting a diagram in JS-enabled environments and a Markdown syntax in non-JS environments.

I haven't checked if it already works in READMEs on GitHub, but I assume it should.

#markdown #github #microsoft
One can create a lot of the automation based on GitHub labels. Also, labels are great indicators for the teammates and reviewers to indicate the status of a pull request.

Labeler GitHub action allows you to automate PR labeling. You can add specific labels based on the changed files. This would be useful for people who trigger automation with labels. For example, you can add an exclude-e2e-test label if only .md files have changed. Or if you’re running a monorepo, you can visually assign respective teams to code changes with automated labels.

There’s also a complementary tool for this Action called Retrolabeler, which can retrospectively label your PRs according to the Labeler rules.

#cicd #github
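An added example of the two cases from the post (not from the post or from the Labeler project): a `.github/labeler.yml` in actions/labeler v5 syntax that applies `exclude-e2e-test` only when every changed file is Markdown, and team labels by path, followed by the workflow that runs it. The team label names and the `services/payments/**` and `infra/**` paths are made up.

```yaml
# .github/labeler.yml  (actions/labeler v5 syntax; label and path names are made up)
exclude-e2e-test:
  - changed-files:
      # all-globs-to-all-files: every changed file must match, i.e. the PR touched only Markdown.
      # any-glob-to-any-file would also fire when a .md file changed alongside code.
      - all-globs-to-all-files: '**/*.md'

team-payments:
  - changed-files:
      - any-glob-to-any-file: 'services/payments/**'

team-platform:
  - changed-files:
      - any-glob-to-any-file:
          - 'infra/**'
          - '.github/workflows/**'

---
# .github/workflows/labeler.yml
name: Label PRs
on:
  pull_request_target:   # runs in the base repo context, so it can label PRs coming from forks

jobs:
  label:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # the only write scope the job needs
    steps:
      - uses: actions/labeler@v5
        with:
          sync-labels: true   # drop a label again when the changed files no longer match
```

Because the workflow uses `pull_request_target`, it runs with the base repository's token; keep this job to the labeler step only and never check out or execute the PR's code in it, otherwise a fork PR could run with write permissions.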
It's been a while since we had some practical materials here.

So, here's an article that helped me a lot today. It's about how to split outputs of a GitHub Actions step into an array that is suitable for a matrix property of a GHA job.

You see, the problem is that GHA don't have a native "split" functionality. So, you need a way to work around it. Moreover, that fromJson() function is important there, 'coz otherwise it doesn't work.

This could be useful if you need to run multiple jobs based on, for example, changed files. Also, here's a bonus article on how to get the changed files in GHA without 3rd party Actions.

P.S. Well... One can hate Jenkins until they need to write some more or less custom logic in a YAML-based CI.

#github #cicd
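The pattern from the post, as an added example that is not from the article or the channel: a first job lists changed files with plain git (no third-party Action), turns the lines into a JSON array with jq, and a second job fans out over it via fromJson(). Job names, the lint step and the repo layout are assumptions.

```yaml
# .github/workflows/per-file-jobs.yml  (added example; job names and the lint step are made up)
name: Per-file jobs
on:
  pull_request:

jobs:
  collect:
    runs-on: ubuntu-latest
    outputs:
      files: ${{ steps.split.outputs.files }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # the base branch is needed to diff against
      - id: split
        shell: bash
        env:
          BASE: ${{ github.base_ref }}   # pass expression values through env, not inline in the script
        run: |
          # Changed files, one per line, without any third-party Action.
          changed=$(git diff --name-only "origin/${BASE}...HEAD")
          # GHA has no split(): build a JSON array with jq so that fromJson() can parse it.
          # -R reads raw lines, -s slurps them into one string, -c prints compact JSON on one line.
          json=$(printf '%s\n' "$changed" | jq -R -s -c 'split("\n") | map(select(length > 0))')
          echo "files=$json" >> "$GITHUB_OUTPUT"

  lint:
    needs: collect
    # fromJson('[]') gives an empty matrix, which fails the job, so skip when nothing changed
    if: needs.collect.outputs.files != '[]'
    runs-on: ubuntu-latest
    strategy:
      matrix:
        file: ${{ fromJson(needs.collect.outputs.files) }}
    steps:
      - uses: actions/checkout@v4
      - env:
          FILE: ${{ matrix.file }}   # file names come from the PR, so never inline them into the shell script
        run: echo "linting $FILE"
```

Without the `-c` flag jq pretty-prints over several lines, and a multi-line value written as `key=value` to `$GITHUB_OUTPUT` is truncated to the first line, which is the usual reason fromJson() then fails to parse the output.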
Mermaid is a popular tool to create diagrams as code.

It was recently adopted by GitHub, so Mermaid diagrams are automatically displayed as diagrams in the Markdown files (not just in GH, BTW).

We use it in my team a lot and we’re very happy with it!

Here’s a Mermaid cheat sheet, so you can start using it as well (if not already)!

Their official documentation is good as well, although more verbose.

#mermaid #diagrams #github
Remember that a couple of years ago GitHub disabled automatic execution for its Actions?

The idea behind this decision is more or less described in this article - Build Pipeline Security. The problem described in this article is not some sort of rocket science. Thus, any malicious actor can do something similar.

This brings me to the topic of CI integrations for public repositories. I think on some podcast or in some article I’ve heard advice for beginners to create their pet project and configure CI for it. So, you can show that you have some practical experience. Ok, GitHub has you covered, but what about other CIs which are available for public repositories? Thus, it might have been good advice, if we were living in a world where all the people are kind to each other, which is not the case.

Does it mean that you cannot have a CI for your pet-project? Of course, not! Just be careful with what it actually can execute on each step. The author of the linked article suggests putting deploy scripts into a separate private repository. I think, nowadays any major VCS vendor allows one to have at least one private repository for free.

Yet, I would say that this is not good enough and you should also make sure that you follow GitHub’s steps and enforce mandatory approvals for CI runs as well as have some quotas in place for the compute resources available for your CI. Again, GitHub has you covered here, but if you want to use something else, you are on your own.

#cicd #security #github #aws
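An added example (not from the linked article or the channel) of how the three points of the post map onto a GitHub Actions workflow for a public repo: PR runs get a read-only token and a time cap, and deployment only happens from the main branch behind an environment with required reviewers, pulling its scripts from a separate private repo. The environment name, the `example-org/deploy-scripts` repo and the `DEPLOY_SCRIPTS_TOKEN` secret are placeholders.

```yaml
# .github/workflows/ci.yml  (added example; repo, environment and secret names are made up)
name: CI
on:
  pull_request:            # not pull_request_target: fork PRs run with a read-only token and no secrets
  push:
    branches: [main]

permissions:
  contents: read           # default for every job; anything more is granted per job below

jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 15    # a quota: caps how much compute a single PR can burn
    steps:
      - uses: actions/checkout@v4
      - run: make test     # only the repo's own code runs here; no deploy credentials exist in this job

  deploy:
    needs: test
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: production   # configured in repo settings with required reviewers: a human approves before secrets are released
    permissions:
      contents: read
      id-token: write        # OIDC federation to the cloud provider instead of a long-lived key in the repo
    steps:
      - uses: actions/checkout@v4
        with:
          repository: example-org/deploy-scripts      # separate private repo for deploy logic (placeholder)
          token: ${{ secrets.DEPLOY_SCRIPTS_TOKEN }}  # read-only token for that repo (placeholder secret)
          path: deploy
      - run: ./deploy/release.sh
```

The required-reviewers setting lives on the environment, not in YAML, so a fork PR cannot remove it by editing the workflow file; secrets scoped to that environment are only handed to a job after the approval.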
Kelsey Hightower said that he’s retiring from Google.

So, I would like to share an episode of the ReadME podcast with Kelsey.

ReadME is a community podcast by GitHub. So, you may also find other interesting episodes there.

#podcast #kubernetes #github
It may happen that you have a catch-all repository to store some work that may or may not be important. Notice, it's not quite a monorepo pattern, rather a single junkrepo. Like, I saw devops, utils, tools, and similar repositories in quite a few companies.

But what if some things from those repos are actually important, and you want to have a dedicated home for those things? Here's a guide by GitHub that explains how to separate things from a repository while saving the Git history.

This guide is created by GitHub, but it should work with any Git repository. Although, I only tested it with GitHub.

Enjoy!

#git #github
Here’s some original content, folks!

I wrote an article on how to create a workflow in GitHub Actions that is triggered with a comment.

There are some caveats with such workflows in GHA. Also, you have to do some additional tweaks to make it better from the UX perspective.

You can read the article:

- In my blog
- On Substack

Hope, you’ll enjoy it!

#github #cicd
S3 cache for GitHub Actions - a drop-in replacement for the native GHA cache functionality that is technically unlimited because of S3.

I haven’t used it personally and I don’t have an AWS account to test it. This thing comes as a part of RunsOn - a solution to set up your self-hosted runners for GHA in AWS.

Might be worth checking if you want to bring your own worker nodes to GHA but don’t want the hassle of configuring them.

#github #gha #cicd
Anyone can Access Deleted and Private Repository Data on GitHub

Sounds scary, if you didn't deep dive into how git works and how GitHub hosts it.

TL;DR: If some repo can git fetch upstream - all these fetchable commits will always be accessible from this fork/main repo.
Only after the visibility of the repo changes - new commits will not be discoverable.

For more details and examples, check this article, which was brought to us from CatOps Chat.

#security #git #github
There are two types of folks: those who pin their dependencies to (often) mutable tags and other pointers, and those who already pin to hash sums.

This is true for GitHub Actions as well. For example, most tags in the tj-actions/changed-files repository were repointed to compromised versions by an attacker, potentially affecting 23,000 repositories until GitHub shut down the entire repository.

Manually pinning dependencies can be tedious, so it's better to utilize tools like Renovate. The SpotOnInc/renovate-config preset does exactly that. Note that you can pin it to a hash sum too, just in case ;)

P.S. If you used that GitHub Action, here is a list of possible mitigation steps: antonbabenko/pre-commit-terraform#837.

#security #github #gha
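An added example (not from the post) of what the difference looks like in a workflow: the same step referenced by a major tag, by a patch tag, and by a commit SHA. The SHA is a placeholder, not a real commit of actions/checkout.

```yaml
# Added example: one step pinned three ways; only the last one is immutable.
# The SHA below is a placeholder (40 zeros), not a real actions/checkout commit.
steps:
  # Mutable: a major tag is a ref the repo owner, or whoever gains push access, can move
  # (this is what happened to the tj-actions/changed-files tags).
  - uses: actions/checkout@v4

  # Still mutable: a patch tag is also just a ref and can be repointed the same way.
  - uses: actions/checkout@v4.2.2

  # Immutable: a full 40-hex commit SHA. The trailing comment keeps the version readable
  # and is what Renovate updates together with the digest.
  - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.2.2 (placeholder SHA)
```

A short (7-character) SHA is not a safe substitute: GitHub resolves it by prefix, so only the full 40-hex digest guarantees the exact commit. Renovate's `helpers:pinGitHubActionDigests` preset rewrites tag references into this digest-plus-comment form and keeps them updated.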
GitHub has had its own container registry for quite some time. Also, starting from Helm version 3.8, it's possible to use any OCI registry to store your Helm charts. So, why not store them on GitHub?

Here's an article that describes how to do that.

As a bonus, here's another article that provides an example of a GitHub Action workflow that allows you to publish your multi-architecture images to GHCR using GoReleaser. Actions' versions are outdated in that article, but you can simply set the new ones.

#github #helm #ghcr
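An added example (not from either linked article) of a workflow that packages a chart and pushes it to GHCR with nothing more than the job's own GITHUB_TOKEN. The chart path `./charts/myapp`, the tag pattern and the `charts` registry path are made up; Helm 3.8+ is assumed to be on the runner.

```yaml
# .github/workflows/publish-chart.yml  (added example; chart path and registry path are made up)
name: Publish Helm chart
on:
  push:
    tags: ['chart-v*']

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write        # the only extra scope: lets GITHUB_TOKEN push to ghcr.io
    steps:
      - uses: actions/checkout@v4

      - name: Log in to GHCR
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # --password-stdin keeps the token out of the process list and the job log
        run: echo "$GITHUB_TOKEN" | helm registry login ghcr.io --username "$GITHUB_ACTOR" --password-stdin

      - name: Package and push
        run: |
          helm package ./charts/myapp --destination ./dist
          # The chart name becomes the last path segment, so push to the parent path.
          # GHCR requires a lowercase owner; ${VAR,,} lowercases it in bash.
          helm push ./dist/myapp-*.tgz "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/charts"
```

The resulting package is private by default; it has to be made public in the package settings, or linked to the repository, before `helm pull oci://ghcr.io/<owner>/charts/myapp` works without a login.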