7.4 KiB
7.4 KiB
marp, theme, footer
| marp | theme | footer |
|---|---|---|
| true | custom-default | @Chris_L_Ayers - https://chris-ayers.com |
CI/CD with GitHub Actions
Chris Ayers
Chris Ayers
Senior Site Reliability Engineer
Microsoft
BlueSky: @chris-ayers.com
LinkedIn: - chris-l-ayers
Blog: https://chris-ayers.com/
GitHub: Codebytes
Mastodon: @Chrisayers@hachyderm.io
Twitter: @Chris_L_Ayers
Agenda
- YAML
- CI / CD
- Actions Overview
- Demos
| Feature | Description |
|---|---|
| Lists | Start with a – |
| Key-Value | Key: value |
| Objects | Objects: Properties of objects |
Workflows / Pipelines
What is CI/CD?
Actions Overview
- Live in the
.github/workflowsfolder - Workflows are defined in YAML
- Workflows are Event Driven
Events that trigger workflows
https://docs.github.com/actions/using-workflows/events-that-trigger-workflows
- branch_protection_rule
- checks
- create / delete
- deployment
- discussion
- fork
- issue_comment
- issues
- label
- page_build
- pull_request
- pull_request_review
- pull_request_review_comment
- push
- release
- schedule
- status
- workflow_call / workflow_dispatch
Workflows
- Events trigger workflows
- Workflows contain jobs
- Jobs contain steps
- Steps are commands or actions
Jobs
- Workflows can contain multiple jobs
- Jobs run in parallel by default
- Each job runs on a Runner
- Steps and Shell Commands run in sequence
Runners
- Specify the type of runner with
runs-on(e.g.,ubuntu-latest). - GitHub provisions a new VM for each job.
- Steps in a job share information using the runner's filesystem.
- VM is decommissioned after job completion.
Supported runners and hardware
- GitHub-hosted runner application is open source.
- OS: Windows, Linux, and macOS
- Runners include preinstalled software, updated weekly.
- There are also Large Hosted Runners
- Self-Hosted Runners
- You can install additional software on runners.
DEMOS
ACT
Run Actions Locally
Supply Chain Attacks
Security
- Never use structured data as a secret
- Register all secrets used within workflows
- Audit how secrets are handled
- Use credentials that are minimally scoped
- Audit and rotate registered secrets
- Consider requiring review for access to secrets
- Use an action instead of an inline script (recommended)
- Use an intermediate environment variable
- Use OpenID Connect to access cloud resources
- Pin third-party actions to a full length commit SHA
Actions Updates - Dependabot
- Actions are regularly updated for enhanced automation.
- Dependabot keeps GitHub Actions references in workflow.yml up-to-date.
- If newer action versions exist, Dependabot sends an update pull request.
- Dependabot also updates git references for reusable workflows.
.github/dependabot.yml
version: 2
updates:
# See documentation for possible values
- package-ecosystem: "github-actions"
# Location of package manifests
directory: "/"
schedule:
interval: "weekly"
DEMOS
Bonus - Private Networking
- GitHub Actions is triggered.
- Actions service creates a runner.
- The runner service deploys the GitHub-hosted runner's NIC into your Azure VNET.
- The runner agent picks up the workflow job.
- The runner sends logs back to the GitHub Actions service.
- NIC accesses private resources.
GitHub Well-Architected Framework
- Community-driven guide for deploying GitHub effectively.
- Design principles
- Framework pillars
- Actionable, prescriptive advice
GitHub Well-Architected Framework
Key Principles of the Framework
- Security
- Scalability
- Automation
- Collaboration
- Observability
- Performance
- Governance
- Innovation
Questions
Resources
Links
Follow Chris Ayers
BlueSky: @chris-ayers.com
LinkedIn: - chris-l-ayers
Blog: https://chris-ayers.com/
GitHub: Codebytes
Mastodon: @Chrisayers@hachyderm.io
Twitter: @Chris_L_Ayers