Mermaid is a popular tool to create diagrams as code.
It was recently adopted by GitHub, so Mermaid diagrams are automatically displayed as diagrams in the Markdown files (not just in GH, BTW).
We use it in my team a lot and we’re very happy with it!
Here’s a Mermaid cheat sheet, so you can start using it as well (if not already)!
Their official documentation is good as well, although more verbose.
#mermaid #diagrams #github
It was recently adopted by GitHub, so Mermaid diagrams are automatically displayed as diagrams in the Markdown files (not just in GH, BTW).
We use it in my team a lot and we’re very happy with it!
Here’s a Mermaid cheat sheet, so you can start using it as well (if not already)!
Their official documentation is good as well, although more verbose.
#mermaid #diagrams #github
jojozhuang.github.io
Mermaid Cheat Sheet
Cheat Sheet for Mermaid.
❤11❤🔥1👍1
Remember that a couple of years ago GitHub has disabled automatic execution for its Actions?
The idea behind this decision is more or less described in this article - Build Pipeline Security. The problem described in this article is not some sort of a rocket science. Thus, any malicious actor can do something similar.
This brings me to the topic of CI integrations for public repositories. I think on some podcast or in some article I’ve heard an advice for the beginners to create their pet project and configure CI for it. So, you can show that you have some practical experience. Ok, GitHub has you covered, but what about other CIs which are available for public repositories? Thus, I might have been a good advice, if we were living in the world here all the people are kind to each other, which is not the case.
Does it mean that you cannot have a CI for your pet-project? Of course, not! Just be careful with what it actually can execute on each step. The author of the linked article suggests putting deploy scripts into a separate private repository. I think, nowadays any major VCS vendor allows one to have at least one private repository for free.
Yet, I would say that this is not good enough and you should also make sure that you should follow GitHub’s steps and enforce a mandatory approvals for CI runs as well as have some quotas in place for the compute resources available for your CI. Again, GitHub has you covered here, but if you want to use something else, you are on your own.
#cicd #security #github #aws
The idea behind this decision is more or less described in this article - Build Pipeline Security. The problem described in this article is not some sort of a rocket science. Thus, any malicious actor can do something similar.
This brings me to the topic of CI integrations for public repositories. I think on some podcast or in some article I’ve heard an advice for the beginners to create their pet project and configure CI for it. So, you can show that you have some practical experience. Ok, GitHub has you covered, but what about other CIs which are available for public repositories? Thus, I might have been a good advice, if we were living in the world here all the people are kind to each other, which is not the case.
Does it mean that you cannot have a CI for your pet-project? Of course, not! Just be careful with what it actually can execute on each step. The author of the linked article suggests putting deploy scripts into a separate private repository. I think, nowadays any major VCS vendor allows one to have at least one private repository for free.
Yet, I would say that this is not good enough and you should also make sure that you should follow GitHub’s steps and enforce a mandatory approvals for CI runs as well as have some quotas in place for the compute resources available for your CI. Again, GitHub has you covered here, but if you want to use something else, you are on your own.
#cicd #security #github #aws
sprocketfox.io
Build Pipeline Security
Security concerns with PR build systems
👍6❤3
Kelsey Hightower said that he’s retiring from Google.
So, I would like to share with an episode of the ReadME podcast with Kelsey.
ReadME is a community podcast by GitHub. So, you may also find other interesting episodes there.
#podcast #kubernetes #github
So, I would like to share with an episode of the ReadME podcast with Kelsey.
ReadME is a community podcast by GitHub. So, you may also find other interesting episodes there.
#podcast #kubernetes #github
👍3😢2
It may happen that you have a catch-all repository to store some work that may or may not be important. Notice, it's not quite a monorepo pattern, rather a single junkrepo. Like, I saw
But what if some things from those repos are actually important, and you want to have a dedicated home for those things? Here's a guide by GitHub that explains how to separate things from a repository while saving the Git history.
This guide is created by GitHub, but it should work with any Git repository. Although, I only tested it with GitHub.
Enjoy!
#git #github
devops, utils, tools, and similar repositories in quite a few companies.But what if some things from those repos are actually important, and you want to have a dedicated home for those things? Here's a guide by GitHub that explains how to separate things from a repository while saving the Git history.
This guide is created by GitHub, but it should work with any Git repository. Although, I only tested it with GitHub.
Enjoy!
#git #github
GitHub Docs
Splitting a subfolder out into a new repository - GitHub Docs
You can turn a folder within a Git repository into a brand new repository.
🤩7
Here’s some original content, folks!
I wrote an article on how to create a workflow in GitHub Actions that is triggered with a comment.
There are some caveats with such workflows in GHA. Also, you have to do some additional tweaks to make it better from the UX perspective.
You can read the article:
- In my blog
- On Substack
Hope, you’ll enjoy it!
#github #cicd
I wrote an article on how to create a workflow in GitHub Actions that is triggered with a comment.
There are some caveats with such workflows in GHA. Also, you have to do some additional tweaks to make it better from the UX perspective.
You can read the article:
- In my blog
- On Substack
Hope, you’ll enjoy it!
#github #cicd
YR's Blog
Trigger a GitHub Action Pipeline with a Comment
How to Trigger a GitHub Actions Pipeline with a Comment
UPD 2023-09-07: Clarified some caveats around checking out the code when triggering a pipeline with a comment. Look for the UPD 2023-09-07 text on this page.
Building comment-based workflows is a pretty…
UPD 2023-09-07: Clarified some caveats around checking out the code when triggering a pipeline with a comment. Look for the UPD 2023-09-07 text on this page.
Building comment-based workflows is a pretty…
👍10
I have updated my article on triggering GHA workflows with comments.
Recently, I have found another caveat that has really bitten me in the ass. You can look for the keywords UPD 2023-09-07 on the page.
As usual, you can read it:
- In my blog
- On Substack
#cicd #github
Recently, I have found another caveat that has really bitten me in the ass. You can look for the keywords UPD 2023-09-07 on the page.
As usual, you can read it:
- In my blog
- On Substack
#cicd #github
YR's Blog
Trigger a GitHub Action Pipeline with a Comment
How to Trigger a GitHub Actions Pipeline with a Comment
UPD 2023-09-07: Clarified some caveats around checking out the code when triggering a pipeline with a comment. Look for the UPD 2023-09-07 text on this page.
Building comment-based workflows is a pretty…
UPD 2023-09-07: Clarified some caveats around checking out the code when triggering a pipeline with a comment. Look for the UPD 2023-09-07 text on this page.
Building comment-based workflows is a pretty…
🐳5
S3 cache for GitHub Actions - a drop-in replacement for the native GHA
I haven’t used it personally and I don’t have an AWS account to test it. This thing comes as a part of RunsOn - a solution to setup your self-hosted runners for GHA in AWS.
Might be worth checking if you want to bring your own worker nodes to GHA but don’t want the hustle configuring them.
#github #gha #cicd
cache functionality that is technically unlimited because of S3.I haven’t used it personally and I don’t have an AWS account to test it. This thing comes as a part of RunsOn - a solution to setup your self-hosted runners for GHA in AWS.
Might be worth checking if you want to bring your own worker nodes to GHA but don’t want the hustle configuring them.
#github #gha #cicd
RunsOn
S3 cache for GitHub Actions
Use an S3 bucket as a cache backend for your actions, to enjoy faster download and upload speeds + unlimited cache sizes
👍13🔥2
Anyone can Access Deleted and Private Repository Data on GitHub
Sounds scary, if you didn't deep dive into how git works and how GitHub hosts it.
TL;DR: If some repo can
Only after the visibility of the repo changes - new commits will be not discoverable.
For more details and examples, check this article, which was brought to us from CatOps Chat.
#security #git #github
Sounds scary, if you didn't deep dive into how git works and how GitHub hosts it.
TL;DR: If some repo can
git fetch upstream - all these fetchable commits will be always accessible from this fork/main repo.Only after the visibility of the repo changes - new commits will be not discoverable.
For more details and examples, check this article, which was brought to us from CatOps Chat.
#security #git #github
Trufflesecurity
Anyone can Access Deleted and Private Repository Data on GitHub ◆ Truffle Security Co.
You can access data from deleted forks, deleted repositories and even private repositories on GitHub. And it is available forever. This is known by GitHub, and intentionally designed that way.
❤11🔥3👍2
There are two types of folks: those who pin their dependencies to (often) mutable tags and other pointers, and those who already pin to hash sums.
This is true for GitHub Actions as well. For example, most tags in the tj-actions/changed-files repository were repointed to compromised versions by an attacker, potentially affecting 23,000 repositories until GitHub shut down the entire repository.
Manually pinning dependencies can be tedious, so it's better to utilize tools like Renovate. The SpotOnInc/renovate-config preset does exactly that. Note that you can pin it to a hash sum too, just in case ;)
P.S. If you used that GitHub Action, here is a list of possible mitigation steps: antonbabenko/pre-commit-terraform#837.
#security #github #gha
This is true for GitHub Actions as well. For example, most tags in the tj-actions/changed-files repository were repointed to compromised versions by an attacker, potentially affecting 23,000 repositories until GitHub shut down the entire repository.
Manually pinning dependencies can be tedious, so it's better to utilize tools like Renovate. The SpotOnInc/renovate-config preset does exactly that. Note that you can pin it to a hash sum too, just in case ;)
P.S. If you used that GitHub Action, here is a list of possible mitigation steps: antonbabenko/pre-commit-terraform#837.
#security #github #gha
www.stepsecurity.io
Harden-Runner detection: tj-actions/changed-files action is compromised - StepSecurity
👍2
GitHub has its own container registry for quite some time. Also, starting from the Helm version
Here's an article that describes how to do that.
As a bonus, here's another article that provides an example of a GitHub Action workflow that allows you to publish your multi-architecture images to GHCR using GoReleaser. Actions' versions are outdated in that article, but you can simply set the new ones.
#github #helm #ghcr
3.8, it's possible to use any OCI registry to store your Helm charts. So, why not to store them on GitHub?Here's an article that describes how to do that.
As a bonus, here's another article that provides an example of a GitHub Action workflow that allows you to publish your multi-architecture images to GHCR using GoReleaser. Actions' versions are outdated in that article, but you can simply set the new ones.
#github #helm #ghcr
entbit. by Niklas Metje
Use GitHub Container Registry (GHCR) to host your Helm Charts
I recently started to check out Helm and thought about the combination of hosting the charts on GitHub Container Registry (GHCR) since the charts follow t…
👍8
"From April 24 onward, interaction data—specifically inputs, outputs, code snippets, and associated context—from Copilot Free, Pro, and Pro+ users will be used to train and improve our AI models unless they opt out."
Official statement.
You can opt out in Copilot's "Privacy" settings, or migrate to Codeberg :D
#github #ai
Official statement.
You can opt out in Copilot's "Privacy" settings, or migrate to Codeberg :D
#github #ai
The GitHub Blog
Updates to GitHub Copilot interaction data usage policy
From April 24 onward, interaction data from Copilot Free, Pro, and Pro+ users will be used to train and improve our AI models unless they opt out.
❤2
The Comforting Lie Of SHA Pinning is an article inspired by those supply chain attacks that happened lately.
It shows some quirks of how GitHub works with SHAs, which are quite unexpected. The gist and the main excerpt:
The article also describes the way of how to mitigate this risk in GitHub organizations, if you have one.
#security #github
It shows some quirks of how GitHub works with SHAs, which are quite unexpected. The gist and the main excerpt:
From the platform’s perspective, a fork is a separate repository with a shared object graph/history. When the runner resolves the reference, it ultimately looks up the commit in the Git object database; if that object exists and is reachable, it can be used regardless of which fork introduced it. A commit object is globally identifiable. If the SHA exists anywhere reachable, that is apparently sufficient.
The article also describes the way of how to mitigate this risk in GitHub organizations, if you have one.
#security #github
👍3🌚2
If you're hosting GitHub Enterprise Server, you need to update to address a recently discovered CVE.
What's interesting about this CVE is that it is a legit CVE that was discovered with AI. As WIZ researchers put it in the related article
Security notice from GitHub.
Fixed versions:
- GitHub Enterprise Server 3.14.25 or later
- GitHub Enterprise Server 3.15.20 or later
- GitHub Enterprise Server 3.16.16 or later
- GitHub Enterprise Server 3.17.13 or later
- GitHub Enterprise Server 3.18.7 or later
- GitHub Enterprise Server 3.19.4 or later
- GitHub Enterprise Server 3.20.0 or later
P.S. These news came from our chat (in Ukrainian).
#security #github
What's interesting about this CVE is that it is a legit CVE that was discovered with AI. As WIZ researchers put it in the related article
Notably, this is one of the first critical vulnerabilities discovered in closed-source binaries using AI, highlighting a shift in how these flaws are identified.
Security notice from GitHub.
Fixed versions:
- GitHub Enterprise Server 3.14.25 or later
- GitHub Enterprise Server 3.15.20 or later
- GitHub Enterprise Server 3.16.16 or later
- GitHub Enterprise Server 3.17.13 or later
- GitHub Enterprise Server 3.18.7 or later
- GitHub Enterprise Server 3.19.4 or later
- GitHub Enterprise Server 3.20.0 or later
P.S. These news came from our chat (in Ukrainian).
#security #github
wiz.io
GitHub RCE Vulnerability: CVE-2026-3854 Breakdown | Wiz Blog
A CVSS 8.7 vulnerability in GitHub Enterprise Server allows remote code execution. Read the threat brief and find vulnerable GHES instances from Wiz.
You may have heard already that Mitchell Hashimoto plans to move Ghostty away from GitHub.
It could be that you plan such a move yourself for whatever reason, but you're not sure yet. Here's a guide on how to push changes to GitHub and Codeberg simultaneously, so you could still keep the door open.
Codeberg is a non-profit European Git hosting. Although, this guide should work for any provider as long as you can use SSH keys for auth.
#programming #github
It could be that you plan such a move yourself for whatever reason, but you're not sure yet. Here's a guide on how to push changes to GitHub and Codeberg simultaneously, so you could still keep the door open.
Codeberg is a non-profit European Git hosting. Although, this guide should work for any provider as long as you can use SSH keys for auth.
#programming #github
Scripting on Caffeine
Pushing to GitHub and Codeberg Simultaneously with Git
Learn how to configure Git to push your code to both GitHub and Codeberg with a single command, including SSH key setup and a handy shell alias for branch-specific control.
👍5