---
marp: true
theme: custom-default
footer: '@Chris_L_Ayers - https://chris-ayers.com'
---

# CI/CD with GitHub Actions

## Chris Ayers

![bg right w:90%](./img/bg.png)

---

![bg left:40%](./img/portrait.png)

## Chris Ayers

### Senior Customer Engineer

Microsoft

- Twitter: @Chris_L_Ayers
- Mastodon: @Chrisayers@hachyderm.io
- LinkedIn: [chris-l-ayers](https://linkedin.com/in/chris-l-ayers/)
- Blog: [https://chris-ayers.com/](https://chris-ayers.com/)
- GitHub: [Codebytes](https://github.com/codebytes)

---

![bg left fit](./img/bg.png)

# Agenda

- YAML
- CI / CD
- Actions Overview
- Demos

---

# YAML

## **Yet Another Markup Language**

GitHub uses YAML for workflows

Demo: [Online Parser](https://yaml-online-parser.appspot.com/)

| Feature | Description |
| --- | --- |
| Lists | Start with a `-` |
| Key-Value | `Key: value` |
| Objects | Objects:<br>Properties of objects |

---

# What is CI/CD?

```mermaid
flowchart LR
  subgraph Continuous Integration
    direction LR
    A[Code] --Check In--> B[Build]
    B -- Auto --> C[Unit Tests]
    C -- Auto --> D[Dev Release]
    D -- Auto --> E[Additional Tests]
  end
```

```mermaid
flowchart LR
  subgraph Continuous Delivery
    direction LR
    G[Code] --Check In--> H[Build]
    H -- Auto --> I[Unit Tests]
    I -- Auto --> J[Dev Release]
    J -- Auto --> K[Additional Tests]
    K --Manual--> L[Release]
  end
  linkStyle 4 color:red;
```

```mermaid
flowchart LR
  subgraph Continuous Deployment
    direction LR
    M[Code] --Check In--> N[Build]
    N -- Auto --> O[Unit Tests]
    O -- Auto --> P[Dev Release]
    P -- Auto --> Q[Additional Tests]
    Q -- Auto --> R[Release]
  end
  linkStyle 4 color:green;
```

---

![bg right fit](./img/bg.png)

# Actions Overview

- Live in the `.github/workflows` folder
- Workflows are defined in YAML
- Workflows are Event Driven

---

![bg right:60% w:700](./img/event-job.drawio.png)

# Workflows

- [Events](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows) trigger workflows
- Workflows contain jobs
- Jobs contain steps
- Steps are commands or actions

---

![bg right:65% w:725](./img/job-runner.drawio.png)

# Jobs

- Workflows can contain multiple jobs
- Each job runs on a [Runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners)

---

# ACT

## Run Actions Locally

[nektos/act](https://github.com/nektos/act)

![bg right:50% 95%](./img/act-quickstart-2.gif)

---

![bg right fit](./img/bg.png)

# DEMOS

---

# Security

- Never use structured data as a secret
- Register all secrets used within workflows
- Audit how secrets are handled
- Use credentials that are minimally scoped
- Audit and rotate registered secrets
- Consider requiring review for access to secrets

- Use an action instead of an inline script (recommended)
- Use an intermediate environment variable
- Use OpenID Connect to access cloud resources
- Pin third-party actions to a full length commit SHA

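
A small checker for two items on the list above (pinning actions to a full-length commit SHA, and passing event data through an intermediate environment variable instead of expanding it inside `run:`), as an added example that is not part of the original slides. The workflow text, the `example-org` action names and the 40-character SHA are constructed, and treating every `github.event.*` or `github.head_ref` expression in a script as untrusted is a conservative assumption.

```python
import re

# Constructed workflow for illustration; the example-org actions and the SHA are made up.
SAMPLE = """\
on: pull_request
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/setup-tool@v2
      - uses: example-org/scan-tool@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
      - name: inline expression (injectable)
        run: |
          echo "${{ github.event.pull_request.title }}"
      - name: intermediate environment variable
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "$TITLE"
"""

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
RUN_KEY = re.compile(r"^\s*(?:-\s*)?run:")
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")
# Assumption: any github.event.* or github.head_ref value may be attacker-controlled.
EXPR = re.compile(r"\$\{\{\s*(github\.(?:event|head_ref)[^}]*?)\s*\}\}")

def audit(workflow_text):
    """Return (line_no, rule, detail) findings from a line-based scan."""
    findings, run_col = [], None
    for no, line in enumerate(workflow_text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        uses = USES.match(line)
        if uses:
            ref = uses.group(1)
            # Local actions and container images are not referenced by commit SHA.
            if not ref.startswith(("./", "docker://")) and not FULL_SHA.search(ref):
                findings.append((no, "unpinned-action", ref))
        run = RUN_KEY.match(line)
        if run:
            run_col = run.end() - len("run:")  # column where the run: key starts
        elif run_col is not None and line.strip() and indent <= run_col:
            run_col = None  # dedent back to the key's level ends the script body
        if run_col is not None:
            for expr in EXPR.finditer(line):
                findings.append((no, "expression-in-run", expr.group(1)))
    return findings
```

On the sample, `audit(SAMPLE)` reports the `@v2` tag reference and the title expanded inside the script, while the SHA-pinned action, the local action and the `env:` mapping pass.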
---

# Actions Updates - Dependabot

- Actions are regularly updated for enhanced automation.
- Dependabot keeps GitHub Actions references in workflow.yml up-to-date.
- If newer action versions exist, Dependabot sends an update pull request.
- Dependabot also updates git references for reusable workflows.

`.github/dependabot.yml`

```yaml
version: 2
updates:
  # See documentation for possible values
  - package-ecosystem: "github-actions"
    # Location of package manifests
    directory: "/"
    schedule:
      interval: "weekly"
```

---

# Questions

![bg auto](./img/background.jpg)
![bg](./img/owl.png)

---

# Resources

## Links

- [https://docs.github.com](https://docs.github.com)
- [https://skills.github.com](https://skills.github.com)
- [https://docs.github.com/actions/security-guides](https://docs.github.com/actions/security-guides)
- [codebytes/github-actions-demos](https://github.com/codebytes/github-actions-demos)

## Follow Chris Ayers

- Twitter: @Chris_L_Ayers
- Mastodon: @Chrisayers@hachyderm.io
- LinkedIn: [chris-l-ayers](https://linkedin.com/in/chris-l-ayers/)
- Blog: [https://chris-ayers.com/](https://chris-ayers.com/)
- GitHub: [Codebytes](https://github.com/codebytes)