---
marp: true
theme: custom-default
footer: '@Chris_L_Ayers - https://chris-ayers.com'
---

# CI/CD with GitHub Actions

## Chris Ayers

![bg right w:90%](./img/bg.png)

---

![bg left:40%](./img/portrait.png)

## Chris Ayers

### Senior Site Reliability Engineer

Microsoft

- BlueSky: [@chris-ayers.com](https://bsky.app/profile/chris-ayers.com)
- LinkedIn: [chris-l-ayers](https://linkedin.com/in/chris-l-ayers/)
- Blog: [https://chris-ayers.com/](https://chris-ayers.com/)
- GitHub: [Codebytes](https://github.com/codebytes)
- Mastodon: @Chrisayers@hachyderm.io
- ~~Twitter: @Chris_L_Ayers~~

---

![bg left fit](./img/bg.png)

# Agenda

- YAML
- CI / CD
- Actions Overview
- Demos

---
# YAML

## **Yet Another Markup Language**

GitHub uses YAML for workflows

Demo: [Online Parser](https://yaml-online-parser.appspot.com/)

| Feature   | Description                                 |
| --------- | ------------------------------------------- |
| Lists     | Start with a `-`                            |
| Key-Value | `Key: value`                                |
| Objects   | `Objects:` with their properties indented below |
---

# Workflows / Pipelines

![w:1080px](./img/pipelines.drawio.png)

---

# What is CI/CD?

![w:900px](./img/cicd.png)

---

![bg right w:90%](./img/github-workflows.png)

# Actions Overview

- Live in the `.github/workflows` folder
- Workflows are defined in YAML
- Workflows are Event Driven

---

# Events that trigger workflows

[https://docs.github.com/actions/using-workflows/events-that-trigger-workflows](https://docs.github.com/actions/using-workflows/events-that-trigger-workflows)

- branch_protection_rule
- checks
- create / delete
- deployment
- discussion
- fork
- issue_comment
- issues
- label
- page_build
- pull_request
- pull_request_review
- pull_request_review_comment
- push
- release
- schedule
- status
- workflow_call / workflow_dispatch
---

![bg right fit](./img/event-job.drawio.png)

# Workflows

- [Events](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows) trigger workflows
- Workflows contain jobs
- Jobs contain steps
- Steps are commands or actions

---

![bg right fit](./img/job-runner.drawio.png)

# Jobs

- Workflows can contain multiple jobs
- Jobs run in parallel by default
- Each job runs on a [Runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners)
- Steps and shell commands run in sequence

---

# Runners

- Specify the type of runner with `runs-on` (e.g., `ubuntu-latest`).
- GitHub provisions a new VM for each job.
- Steps in a job share information using the runner's filesystem.
- The VM is decommissioned after the job completes.

---

# Supported runners and hardware

- The GitHub-hosted runner application is open source.
- OS: Windows, Linux, and macOS
- Runners include preinstalled software, updated weekly.
- There are also Large Hosted Runners
- Self-Hosted Runners
- You can install additional software on runners.

---

![bg right fit](./img/bg.png)

# DEMOS

---

# ACT

## Run Actions Locally

[nektos/act](https://github.com/nektos/act)

![bg right:50% 95%](./img/act-quickstart-2.gif)

---

# Supply Chain Attacks

![bg fit right:75%](img/supply.png)

---

# Security

- Never use structured data as a secret
- Register all secrets used within workflows
- Audit how secrets are handled
- Use credentials that are minimally scoped
- Audit and rotate registered secrets
- Consider requiring review for access to secrets
- Use an action instead of an inline script (recommended)
- Use an intermediate environment variable
- Use OpenID Connect to access cloud resources
- Pin third-party actions to a full-length commit SHA
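The last two bullets can be checked mechanically. The Python script below is an added example, not part of the slides or the demo repository: it scans a workflow file for `uses:` references that are not pinned to a 40-character commit SHA and for `github.event.*` expressions interpolated straight into a `run:` script rather than passed through an intermediate environment variable. The sample workflow and its SHA are constructed for the demonstration.

```python
import re

# Constructed sample workflow (not from the slides); the 40-hex SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - run: echo "${{ github.event.pull_request.title }}"
      - run: |
          echo "${{ github.event.pull_request.title }}"
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "$TITLE"
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.*)$")
# github.event.* is the externally controlled context the slide's advice targets
EXPR_RE = re.compile(r"\$\{\{\s*github\.event\.[^}]*\}\}")
INJECT_MSG = "github.event expression interpolated into run script"

def audit_workflow(text):
    """Return [(line_no, message)] for unpinned actions and inline expressions."""
    findings, script_indent = [], None   # script_indent: indent of an open `run: |`
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if script_indent is not None and (not line.strip() or indent > script_indent):
            if EXPR_RE.search(line):         # continuation line of a block script
                findings.append((no, INJECT_MSG))
            continue
        script_indent = None                 # any other line closes the block
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            version = m.group(1).rsplit("@", 1)[1] if "@" in m.group(1) else ""
            if not SHA_RE.match(version):    # tags and branches are mutable
                findings.append((no, f"not pinned to a full commit SHA: {m.group(1)}"))
        m = RUN_RE.match(line)
        if m:
            body = m.group(1).strip()
            if body in ("|", "|-", ">", ">-"):
                script_indent = indent       # multi-line script follows
            elif EXPR_RE.search(body):
                findings.append((no, INJECT_MSG))
    return findings
```

Running `audit_workflow(SAMPLE_WORKFLOW)` flags the tag-pinned checkout and both inline expressions, while the SHA-pinned step and the `$TITLE` step pass.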
---

# Actions Updates - Dependabot

- Actions are regularly updated for enhanced automation.
- Dependabot keeps GitHub Actions references in workflow.yml up-to-date.
- If newer action versions exist, Dependabot sends an update pull request.
- Dependabot also updates git references for reusable workflows.

`.github/dependabot.yml`

```yaml
version: 2
updates:
  # See documentation for possible values
  - package-ecosystem: "github-actions"
    # Location of package manifests
    directory: "/"
    schedule:
      interval: "weekly"
```
---

![bg right fit](./img/bg.png)

# DEMOS

---

# Bonus - Private Networking

- GitHub Actions is triggered.
- The Actions service creates a runner.
- The runner service deploys the GitHub-hosted runner's NIC into your Azure VNET.
- The runner agent picks up the workflow job.
- The runner sends logs back to the GitHub Actions service.
- The NIC accesses private resources.

![bg right fit](img/private-networking.png)

---

# GitHub Well-Architected Framework

![bg right fit](img/gh-waf.png)

- **Community-driven guide** for deploying GitHub effectively.
- Design principles
- Framework pillars
- Actionable, prescriptive advice

---

# GitHub Well-Architected Framework

## Key Principles of the Framework

- Security
- Scalability
- Automation
- Collaboration
- Observability
- Performance
- Governance
- Innovation

---

# Questions

![bg auto](./img/background.jpg)
![bg](./img/owl.png)

---

# Resources

## Links

- [https://docs.github.com](https://docs.github.com)
- [https://skills.github.com](https://skills.github.com)
- [codebytes/github-actions-demos](https://github.com/codebytes/github-actions-demos)
- [https://learn.microsoft.com/en-us/training/paths/automate-workflow-github-actions/](https://learn.microsoft.com/en-us/training/paths/automate-workflow-github-actions/)

## Follow Chris Ayers

- BlueSky: [@chris-ayers.com](https://bsky.app/profile/chris-ayers.com)
- LinkedIn: [chris-l-ayers](https://linkedin.com/in/chris-l-ayers/)
- Blog: [https://chris-ayers.com/](https://chris-ayers.com/)
- GitHub: [Codebytes](https://github.com/codebytes)
- Mastodon: @Chrisayers@hachyderm.io
- ~~Twitter: @Chris_L_Ayers~~