Eating One’s Own Dogfood: GitHub Using Actions and Runners for GitHub.com
GitHub has embraced its own GitHub Actions as a part of its continuous integration system to enhance the way it ships software. This move has allowed them to run 15,000 CI jobs across 150,000 cores, demonstrating the scalability and effectiveness of GitHub Actions. In this process, GitHub also expanded the capabilities of its larger runners for all users.
Critical features of GitHub Actions, like reusable workflows and the ability to reuse previous workflow outcomes, played a significant role in this transition. Reusable workflows simplify adding CI to repositories by managing a collection of workflows in a single repository. Reusing previous workflow outcomes optimizes the process by avoiding redundant workflow runs when file contents remain unchanged.
Another challenge addressed by GitHub engineers was enabling larger runners to access private infrastructure, such as artifact storage and application metadata services. They developed a remote access solution with an OIDC token in GitHub Actions, which is passed to a remote access gateway. This gateway authorizes the request and proxies it to the private service, ensuring secure access to personal resources.
GitHub has also provided a basic scaffolding of a gateway for users interested in implementing a similar approach for their runners.
Read the full article on InfoQ
These questions delve into the complex and critical issues surrounding software development, trust, security, and ethics in the digital age.
- Trust in Software: Trusting software is a multifaceted challenge. On one hand, software has become an integral part of our daily lives, driving everything from personal devices to critical infrastructure. On the other hand, the complexity of software systems often means that no single individual fully understands every aspect of a system. To build trust, there are several approaches:
- Transparency and Open Source: Making the source code available for review can help build trust. Open-source software allows for community scrutiny, uncovering flaws and vulnerabilities that a closed team might miss.
- Rigorous Testing and Verification: Implementing comprehensive testing strategies, including automated testing, unit testing, integration testing, and even formal methods for critical systems, can increase confidence in software.
- Continuous Monitoring and Updates: Recognizing that no software is ever completely secure, continuous monitoring for new vulnerabilities and regular updates are essential for maintaining trust over time.
- Security and Vulnerability: Addressing the threat of hidden vulnerabilities requires a multi-layered approach:
- Proactive Security Practices include adopting secure coding practices, regular code audits, and vulnerability assessments.
- Education and Awareness: Training developers in secure coding practices and raising awareness about common security pitfalls.
- Collaboration and Information Sharing: Encouraging collaboration within the software development community to share knowledge about vulnerabilities and best practices for security.
- Incident Response Plans: Having robust plans for responding to security breaches can help mitigate the impact of vulnerabilities when they are exploited.
- Ethical Responsibility of Programmers: Programmers hold significant ethical responsibilities, especially as software becomes more ingrained in societal functions:
- Integrity in Coding: Ensuring their code is as secure and error-free as possible.
- Consideration of Societal Impact: Being aware of how their software can be used or misused in a societal context and striving to prevent adverse impacts.
- Privacy and Data Protection: Respecting user privacy and ensuring that personal data is protected and used ethically.
- Inclusivity and Accessibility: Making software accessible to all users, regardless of their abilities or disabilities.
- Whistleblowing: In cases where software is used unethically or could cause harm, programmers must speak up.
These issues highlight the need for a holistic approach to software development that integrates technical excellence with ethical considerations, ensuring that the software we rely on is functional, trustworthy, and beneficial to society.