Bret and Nirmal are joined by Michael Irwin to discuss Docker's comprehensive AI toolkit, covering everything from local model deployment to cloud-based container orchestration across multiple interconnected tools and services.
Episode Summary: AWS Morning Brief for the week of August 11th, 2025, with Corey Quinn.

Links:
- AWS Cloud Visibility Best Practices
- This Ars article
- AWS European Sovereign Cloud to be operated by EU citizens
- Amazon killing a user's account
- Mountpoint for Amazon S3 CSI driver v2: Accelerated performance and improved resource usage for Kubernetes workloads
- Streamlining outbound emails with Amazon SES Mail Manager
- AWS Lambda now supports GitHub Actions to simplify function deployment
- Anthropic's Claude Opus 4.1 now in Amazon Bedrock
- Amazon CloudWatch introduces organization-wide VPC flow logs enablement
- Understanding and Remediating Cold Starts: An AWS Lambda Perspective
- Amazon SQS increases maximum message payload size to 1 MiB
- OpenAI open weight models now available on AWS
- Best practices for analyzing AWS Config recording frequencies
- Amazon EKS adds safety control to prevent accidental cluster deletion
- AWS Console Mobile App now offers access to AWS Support
- Amazon EC2 now supports force terminate for EC2 instances
- Amazon DynamoDB adds support for Console-to-Code
- Using generative AI for building AWS networks
- Simplify network connectivity using Tailscale with Amazon EKS Hybrid Nodes
- Cost tracking multi-tenant model inference on Amazon Bedrock
In this high-energy episode, returning guests Gilbert Sanchez and Jake Hildreth join Andrew for a deep dive into:
- Module templating with PSStucco
- Building for accessibility in PowerShell
- Creating open source GitHub orgs like PSInclusive
- How PowerShell can lead to learning modern dev workflows like GitHub Actions and CI/CD

What begins with a conversation about a live demo gone hilariously sideways turns into an insightful exploration of how PowerShell acts as a launchpad into bigger ecosystems like GitHub, YAML, JSON, and continuous integration pipelines.

Bios:
Gilbert Sanchez is a Staff Software Development Engineer at Tesla, specifically working on PowerShell. Formerly known as "Señor Systems Engineer" at Meta. A loud advocate for DEI, DevEx, DevOps, and TDD.
Jake Hildreth is a Principal Security Consultant at Semperis, Microsoft MVP, and longtime builder of tools that make identity security suck a little less. With nearly 25 years in IT (and the battle scars to prove it), he specializes in helping orgs secure Active Directory and survive the baroque disaster that is Active Directory Certificate Services. He's the creator of Locksmith, BlueTuxedo, and PowerPUG!, open-source tools built to make life easier for overworked identity admins. When he's not untangling Kerberos or wrangling DNS, he's usually hanging out with his favorite people and most grounding reality check: his wife and daughter.

Links:
https://gilbertsanchez.com/posts/stucco-create-powershell-module/
https://jakehildreth.github.io/blog/2025/07/02/PowerShell-Module-Scaffolding-with-PSStucco.html
https://github.com/PSInclusive
https://jakehildreth.com/
https://andrewpla.tech/links
https://discord.gg/pdq
https://pdq.com/podcast
https://youtu.be/w-z2-0ii96Y
In this episode we bring you the programming news and updates that caught our attention from 02/08 to 08/08.
Bret is joined by Andrew Tunall, the President and Chief Product Officer at Embrace, to discuss his prediction that we'll all start shipping non-QA'd code (buggier code in production) and QA will need to be replaced with better observability.
Interview Segment - Lessons Learned from the tj-actions GitHub Action Supply Chain Attack with Dimitri Stiliadis
Breach analysis is one of my favorite topics to dive into and I'm thrilled Dimitri is joining us today to reveal some of the insights he's pulled out of this GitHub Actions incident. It isn't an overstatement to say that some of the lessons to be learned from this incident represent fundamental changes to how we architect development environments. Why are we talking about it now, 4 months after it occurred? In the case of the Equifax breach, the most useful details about the breach didn't get released to the public until 18 months after the incident. It takes time for details to come out, but in my experience, the learning opportunities are worth the wait.

Topic Segment - Should the US Go on the Cyber Offensive?
Triggered by an op-ed from Dave Kennedy, the discussion of whether the US should launch more visible offensive cyber operations starts up again. There are a lot of factors and nuances to discuss here, and a lot of us have opinions here. We'll see if we can do any of it justice in 15 minutes.

News Segment
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw-417
Interview Segment - Lessons Learned from the tj-actions GitHub Action Supply Chain Attack with Dimitri Stiliadis
Breach analysis is one of my favorite topics to dive into and I'm thrilled Dimitri is joining us today to reveal some of the insights he's pulled out of this GitHub Actions incident. It isn't an overstatement to say that some of the lessons to be learned from this incident represent fundamental changes to how we architect development environments. Why are we talking about it now, 4 months after it occurred? In the case of the Equifax breach, the most useful details about the breach didn't get released to the public until 18 months after the incident. It takes time for details to come out, but in my experience, the learning opportunities are worth the wait.

Topic Segment - Should the US Go on the Cyber Offensive?
Triggered by an op-ed from Dave Kennedy, the discussion of whether the US should launch more visible offensive cyber operations starts up again. There are a lot of factors and nuances to discuss here, and a lot of us have opinions here. We'll see if we can do any of it justice in 15 minutes.

News Segment
Finally, in the enterprise security news, we discuss:
- the latest fundings
- a few acquisitions
- a vibe coding campfire story
- how to hack AI agents
- zero-days in AI coding apps
- more AI zero days
- why Ivanti vulns are still alive and well in Japan
- how wiper commands made their way into Amazon's AI coding agent
It seems like vulnerabilities and AI are pairing up in this week's news stories! All that and more, on this episode of Enterprise Security Weekly.
Show Notes: https://securityweekly.com/esw-417
Today's episode is with Aayush Shah. Aayush is one of the co-founders of Blacksmith, which is a CI compute platform. Basically, Blacksmith will run your GitHub Actions jobs faster and with more visibility than the standard GitHub Actions CI runners. The founding team has a fun background doing systems work at Cockroach and Faire, and they're taking on a big problem in running this massive CI fleet. The explosion in AI agents has really changed the CI world. CI is more useful than ever, as you want to be sure the changes from your agents aren't breaking your existing functionality. At the same time, there's a huge increase in demand and spikiness of CI workloads as developers can fire off multiple agents to work in parallel, each needing to run the CI suite before merging. Aayush talked about how they're handling this load and facilitating visibility into test failures. We also covered cloud economics. Aayush said the traditional cloud-based storage options don't work for them -- EBS and locally attached SSDs are too expensive for their workloads where they don't need the standard durability guarantees. He walks us through building their own fleet outside the hyperscalers and the plans going forward, along with some of the economics of multi-tenancy that Blacksmith has previously written about.
In this episode of Building Better Developers with AI, Rob Broadhead and Michael Meloche revisit a popular question: What Happens When Software Fails? Originally titled When Coffee Hits the Fan: Developer Disaster Recovery, this AI-enhanced breakdown explores real-world developer mistakes, recovery strategies, and the tools that help turn chaos into control. Whether you're managing your first deployment or juggling enterprise infrastructure, you'll leave this episode better equipped for the moment when software fails.

When Software Fails and Everything Goes Down
The podcast kicks off with a dramatic (but realistic) scenario: CI passes, coffee is in hand, and then production crashes. While that might sound extreme, it's a situation many developers recognize. Rob and Michael cover some familiar culprits:
- Dropping a production database
- Misconfigured cloud infrastructure costing hundreds overnight
- Accidentally publishing secret keys
- Over-provisioned "default" environments meant for enterprise use
Takeaway: Software will fail. Being prepared is the difference between a disaster and a quick fix.

Why Software Fails: Avoiding Costly Dev Mistakes
Michael shares an all-too-common situation: connecting to the wrong environment and running production-breaking SQL. The issue wasn't the code—it was the context. Here are some best practices to avoid accidental failure:
- Color-code terminal environments (green for dev, red for prod)
- Disable auto-commit in production databases
- Always preview changes with a SELECT before running DELETE or UPDATE
- Back up databases or individual tables before making changes
These simple habits can save hours—or days—of cleanup.

How to Recover When Software Fails
Rob and Michael outline a reliable recovery framework that works in any team or tech stack:
- Monitoring and alerts: Tools like Datadog, Prometheus, and Sentry help detect issues early
- Rollback plans: Scripts, snapshots, and container rebuilds should be ready to go
- Runbooks: Documented recovery steps prevent chaos during outages
- Postmortems: Blameless reviews help teams learn and improve
- Clear communication: Everyone on the team should know who's doing what during a crisis
Pro Tip: Practice disaster scenarios ahead of time. Simulations help ensure you're truly ready.

Essential Tools for Recovery
Tools can make or break your ability to respond quickly when software fails. Rob and Michael recommend:
- Docker & Docker Compose for replicable environments
- Terraform & Ansible for consistent infrastructure
- GitHub Actions, GitLab CI, Jenkins for automated testing and deployment
- Chaos Engineering tools like Gremlin and Chaos Monkey
- Snapshot and backup automation to enable fast data restoration
Michael emphasizes: containers are the fastest way to spin up clean environments, test recovery steps, and isolate issues safely.

Mindset Matters: Staying Calm When Software Fails
Technical preparation is critical—but so is mindset. Rob notes that no one makes smart decisions in panic mode. Having a calm, repeatable process in place reduces pressure when systems go down. Cultural and team-based practices:
- Use blameless postmortems to normalize failure
- Avoid root access in production whenever possible
- Share mistakes in standups so others can learn
- Make local environments mirror production using containers
Reminder: Recovery is a skill—one you should build just like any feature. Think you're ready for a failure scenario? Prove it.

This week, simulate a software failure in your development environment:
- Turn off a service your app depends on
- Delete (then restore) a local database from backup
- Use Docker to rebuild your environment from scratch
- Trigger a mock alert in your monitoring tool
Then answer these questions:
- How fast can you recover?
- What broke that you didn't expect?
- What would you do differently in production?
Recovery isn't just theory—it's a skill you build through practice. Start now, while the stakes are low.

Final Thought
Software fails. That's a reality of modern development. But with the right tools, smart workflows, and a calm, prepared team, you can recover quickly—and even improve your system in the process. Learn from failure. Build with resilience. And next time something breaks, you'll know exactly what to do.

Stay Connected: Join the Developreneur Community
We invite you to join our community and share your coding journey with us. Whether you're a seasoned developer or just starting, there's always room to learn and grow together. Contact us at info@develpreneur.com with your questions, feedback, or suggestions for future episodes. Together, let's continue exploring the exciting world of software development.

Additional Resources
- System Backups – Prepare for the Worst
- Using Dropbox To Provide A File Store and Reliable Backup
- Testing Your Backups – Disaster Recovery Requires Verification
- Virtual Systems On A Budget – Realistic Cloud Pricing
- Building Better Developers With AI Podcast Videos – With Bonus Content
Updating developer tools is essential for developers who want to stay efficient, secure, and competitive. In this episode of Building Better Developers with AI, Rob Broadhead and Michael Meloche explore how maintaining modern toolsets helps individuals and teams deliver better software, faster. With support from AI-generated analysis and real-world experience, they outline the risks of falling behind—and how to move forward. Listen to the full episode of Building Better Developers with AI for practical insights and ideas you can start applying today.

Efficiency and Profitability When Updating Developer Tools
AI captured the core message well: using outdated tools slows down delivery, creates unnecessary friction, and ultimately reduces profitability. For side hustlers and teams alike, this loss of efficiency can make or break a project. Rob pointed out that many developers begin their careers using only basic tools. Without proper exposure to modern IDEs like IntelliJ, Visual Studio Code, or Eclipse, they miss out on powerful features such as debugging tools, plugin support, container integration, and real-time collaboration.

Warning Signs You Should Be Updating Developer Tools
How do you know it's time to update your development tools? Rob and Michael discussed key red flags:
- Frequent crashes or poor performance
- Lack of support for modern languages or frameworks
- Weak integration with tools like GitHub Actions or Docker
- Outdated or unsupported plugins
- Inconsistent tooling across team members
Neglecting to update developer tools can lead to slow onboarding, poor collaboration, and increased bugs—especially in fast-paced or regulated environments.

Tool Standardization vs. Flexibility When Updating Tools
There's a balance between letting developers choose their tools and ensuring consistency across a team. While personal comfort can boost productivity, it may also cause challenges when teams debug or collaborate. Rob and Michael recommend hosting internal hackathons to explore new toolchains or standardize workflows. These events give teams a structured way to evaluate tools and share findings.

The Security Risk of Not Updating Developer Tools
Michael highlighted that outdated tooling doesn't just slow developers down—it creates serious security and compliance risks. Being just one or two versions behind can open vulnerabilities that violate standards like HIPAA, OWASP or SOX. Regular updates to SDKs, plugins, and IDEs are essential for staying compliant, especially in sensitive industries like finance or healthcare.

How to Evaluate New Tools Before Updating Developer Toolchains
Rob offered a practical framework for evaluating new tools:
- Does it solve a real pain point?
- Start with a side project or proof of concept.
- Check for strong community support and documentation.
- Balance between stable and innovative.
Michael added a note of caution: avoid adopting tools with little community activity or long-term support. If a GitHub project has only a couple of contributors and poor maintenance, it's a red flag.

Developer Tools to Review and Update Regularly
To keep your development environment current, Rob suggested reviewing these tool categories often:
- IDEs and code editors
- Version control tools
- CI/CD systems and build automation
- Testing and QA frameworks
- Package managers and dependency systems
- Containerization and environment management platforms
Using AI to convert simple apps into different frameworks can also help evaluate new tools—just make sure not to share proprietary code.

Final Thoughts
Modern development demands modern tooling. From cleaner code to faster deployment and stronger team collaboration, the benefits of updating developer tools are clear. Whether you're an independent developer or part of a larger organization, regularly reviewing and upgrading your toolset is a habit worth forming.

Stay Connected: Join the Developreneur Community
We invite you to join our community and share your coding journey with us. Whether you're a seasoned developer or just starting, there's always room to learn and grow together. Contact us at info@develpreneur.com with your questions, feedback, or suggestions for future episodes. Together, let's continue exploring the exciting world of software development.

Additional Resources
- Navigating Communication Tools in Modern Workplaces
- Building a Portable Development Environment That is OS-agnostic
- Modern Tools For Monetizing Content
- Updating Developer Tools: Keeping Your Tools Sharp and Efficient
- Building Better Developers With AI Podcast Videos – With Bonus Content
Daniel and Manton return for a special episode of Core Intuition. They talk about WWDC 2025, running the bleeding-edge betas, and how Manton finally started using a build server with Xcode Cloud, while Daniel ventures into GitHub Actions. They also can't help talking about AI, considering the progress that has been made in only the five months since they discontinued the podcast. Finally, they close with an optimistic take on Liquid Glass and the future of the Mac. The post Episode 26.1: Mess Everything Up appeared first on Core Intuition.
Because… it's episode 0x602!

Shameless plug
- 27 and 29 June 2025 - LeHACK
- 12 to 17 October 2025 - Objective by the sea v8
- 10 to 12 November 2025 - IAQ - Le Rendez-vous IA Québec
- 17 to 20 November 2025 - European Cyber Week
- 25 and 26 February 2026 - SéQCure 2065

Description

Introduction and context
François Proulx returns to present how his research on supply chain security has evolved since his presentation the previous year. His work focuses on detecting vulnerabilities in the build pipelines of open source projects, a topic that drew a great deal of interest after the XZ Utils incident.

Evolution of the research methodology
Since last year, François's team has considerably improved its tools and detection strategy. Rather than mass-scanning every available repository, they adopted a more targeted approach, concentrating on major entities such as Google, Red Hat, Nvidia and Microsoft. These organizations are major contributors to critical, well-maintained open source projects. This new approach lets them discover hundreds of GitHub organizations per entity, each sometimes containing thousands of repositories. The goal remains the same: detect zero-day vulnerabilities in the build pipelines that compile, test and distribute open source projects, notably via GitHub Actions.

The fundamental problem with CI/CD
François offers a striking analogy to explain how dangerous continuous integration systems are: "a CI/CD is just RCE as a service" (Remote Code Execution as a Service). These systems are web applications waiting to receive triggers on a public interface reachable over the Internet. In the case of GitHub Actions, simply opening a pull request is enough to automatically trigger test execution. This situation recalls the vulnerabilities of the 1990s and 2000s with pointer overflows. François uses a punchy formula: "build pipelines look like an average PHP application from 2005 in terms of secure coding". This comparison underlines that despite decades of progress in computer security, the same fundamental mistakes are being repeated in new contexts.

Exploitation mechanisms
The vulnerabilities mainly exploit untrusted input coming from pull requests. Even draft contributions can automatically trigger test execution before a maintainer is notified. The problem gets worse when pipelines need secrets to communicate with external systems (Slack notifications, telemetry, etc.). By default, GitHub Actions sometimes inherits legacy read-write permissions, which gives the tests access to a token with write rights on the repository. This configuration can allow an attacker to write to the repository without it being visible.

Impressive analysis results
The team has considerably refined its detection tools. Starting from 200,000 initial results, they apply more precise rules to identify about 10,000 interesting cases. These rules validate not only the presence of vulnerabilities but also the exploitation criteria and the presence of exploitable secrets. After manual validation, about 25% of these 10,000 cases turn out to be easily exploitable. These figures show the scale of the problem in the open source ecosystem, even acknowledging that many false negatives probably exist.

Concrete cases: Google and regressions
François reports having found vulnerabilities in 22 repositories belonging to Google, notably in a project linked to Google Cloud (probably Data Flow). After reporting it and receiving a reward for the fix, a regression occurred a week later in the same workflow, earning them a second reward. This situation illustrates a recurring problem: even large organizations like Google can reproduce the same mistakes after a fix, often through unfamiliarity with the underlying mechanisms of these new exploitation techniques.

The Ultralytics affair: a textbook case
The most striking incident concerns the Python library Ultralytics, very popular for image detection with machine learning. In August, the team had detected a vulnerability in this project but focused on the Google findings and neglected to report this flaw. In December, Ultralytics was compromised by the injection of a crypto-miner, exploiting precisely the vulnerability identified four months earlier. This attack was particularly ingenious because it targeted environments with powerful GPUs (used for machine learning), perfect for mining cryptocurrencies, while remaining discreet in a context where heavy GPU consumption is normal.

Pivot to proactive detection
This incident motivated a major strategic change: moving from simply detecting vulnerabilities to proactively detecting exploitation in progress. The team now ingests the "firehose" of public GitHub events, about 5.5 million events per day. After filtering on critical projects with build pipelines, they analyze about 500,000 interesting events per day. By applying their sophisticated analyses and cross-referencing them with their knowledge of the vulnerabilities, they obtain about 45 suspicious events to investigate daily.

Forensic validation with Kong
This new approach quickly proved effective. During the Christmas holidays, their system kept ingesting data automatically. On their return, the Kong incident (an Ingress controller for Kubernetes) allowed them to build a detailed forensic timeline from the data accumulated during their absence.

Discovery on cybercriminal forums
The collaboration with Flare, which specializes in dark web analysis, revealed troubling information. Searching for "Ultralytics" on Breach Forum with precise time filtering, François found that a user had created an account 24 hours before the attack, posted exactly the Ultralytics pipeline vulnerability while mentioning the use of "Poutine" (their tool), then confirmed 24 hours after the exploitation that they had earned Monero from this attack. This discovery confirms that cybercriminals actively use security research tools to identify and exploit vulnerabilities, turning these defensive tools into offensive weapons.

Implications and recommendations
This situation raises important questions about the responsibility of security researchers. François insists that Poutine, their detection tool, should become the absolute minimum for any open source project. He compares this necessity to banning Git repositories for those who do not implement these basic checks. The PHP 2005 analogy remains relevant: it took years for the PHP community to mature its security practices. Build pipelines are currently going through the same phase of evolution, with fundamental errors repeated massively across the ecosystem.

Technical challenges and limits
François honestly acknowledges the limitations of their approach. Their system only detects the least sophisticated attacks, the "low hanging fruits". Complex attacks like the one against XZ Utils would probably not be detected by their current tools, because they are too well camouflaged. The main challenge remains filtering the noise effectively out of millions of daily events to obtain a number of alerts that a small team of analysts can handle. They acknowledge that the majority of incidents probably still escape them.

Looking ahead
François hopes that the build-pipeline ecosystem will mature faster than the 20 years it took to secure PHP. Their pioneering work contributes to this evolution by raising the community's awareness and providing concrete tools. The build-pipeline angle is particularly relevant because it sits at the crossroads between source code and its distribution, with code-execution possibilities that make it a critical point in the software supply chain. This presentation perfectly illustrates the rapid evolution of threats in the modern open source ecosystem and the need for constant vigilance to secure the critical infrastructure on which the entire software industry depends.

Notes
François Proulx

Contributors
Nicolas-Loïc Fortin
François Proulx

Credits
Editing by Intrasecure inc
Physical premises by Northsec
HTML All The Things - Web Development, Web Design, Small Business
What happens when a real developer uses AI to build something in a language and toolset they've never touched before? In this episode, Matt shares the story of how he created a free, custom-coded Google News sitemap generator using Node.js, GitHub Actions, and the Webflow API—with help from AI. The catch? He had no prior experience with any of those tools. Show Notes: https://www.htmlallthethings.com/podcasts/what-happens-when-a-real-developer-starts-vibe-coding Use our affiliate link (https://scrimba.com/?via=htmlallthethings) for a 20% discount!! Full details in show notes.
Bieda-hosting (budget hosting), i.e. a home for MVPs, side projects and our other toys – it sounds like the manifesto of every developer on a limited budget. Łukasz and Szymon explore the world of cheap VPSs, free tiers and solutions for side projects. From Mikrus at 197 PLN a year to Oracle Cloud with a free virtual machine. The hosts compare Docker Compose vs native installations, discuss GitHub Actions as CI/CD and make the case for Cloudflare as a must-have. They discuss backups (the happy ones don't make them), secrets management and reverse proxies with Caddy or Traefik. Bonus: the electricity-cost calculation for homelabs may surprise you. If you have ever committed secrets to a repo out of laziness, or are wondering about self-hosting – this episode will resolve your dilemmas. Check whether budget hosting is your road to an MVP, or whether it's worth investing in something better after all. And now, no slacking off!
William Woodruff discussed his project, Zizmor, a security linter designed to help developers identify and fix vulnerabilities within their GitHub Actions workflows. This tool addresses inherent security risks in GitHub Actions, such as injection vulnerabilities, permission issues, and mutable tags, by providing static analysis and remediation guidance. Fresh off the heels of the tj-actions/changed-files backdoor, this is a great topic with some things everyone can do right away. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-05-securing-github-actions-william-woodruff/
Kyle is the cofounder of Depot. Depot accelerates your Docker image builds and GitHub Actions workflows. Kyle shares how Depot was able to grow to $1M ARR and beyond with a very lean team. This episode is brought to you by WorkOS. If you're thinking about selling to enterprise customers, WorkOS can help you add enterprise features like Single Sign-On and audit logs. Links: Depot, Kyle Galbraith
HTML All The Things - Web Development, Web Design, Small Business
Even if you're not "doing DevOps," understanding it can seriously level up your development career. In this episode, Matt and Mike dive into why every web developer should care about DevOps practices, even at a basic level. They explore how deployment pipelines work, how Git supports safe code changes, and how you can prevent and fix production issues faster. You'll hear real-world examples showing how small habits, like writing good commit messages, checking build logs, and knowing when to roll back, can make you a better teammate and a more reliable developer. Whether you're working with GitHub Actions, Vercel, Jenkins, or another CI/CD system, this episode will help you work smarter, troubleshoot faster, and stay calm under pressure. Show Notes: https://www.htmlallthethings.com/podcasts/what-junior-web-developers-need-to-know-about-devops Use our affiliate link (https://scrimba.com/?via=htmlallthethings) for a 20% discount!! Full details in show notes.
I speak with Kyle from Depot.dev, which promises to speed up your Docker image builds and GitHub Actions workflows. Depot easily integrates with your existing CI provider and dev workflows to save hours of build time. Learn something new with a book or course from Manning: start today with learning something new or up-skilling, and get 30% off anything at manning.com by visiting go.chrischinchilla.com/manning. For show notes and an interactive transcript, visit chrischinchilla.com/podcast/. To reach out and say hello, visit chrischinchilla.com/contact/. To support the show for ad-free listening and extra content, visit chrischinchilla.com/support/.
Have you ever fallen into the trap of the "invulnerable image"? In the second part of episode 164 of Kubicast's seventh season, we continue our conversation with Alexandre Sieira, founder of Tenchi Security, diving head-first into the technical challenges of practical, day-to-day security: the kind that involves CVEs, compromised GitHub accounts and decisions that cost dearly. With real examples and sharp reflections, Sieira shows us why security is more than policy: it is architecture, process and culture in action.
Problems faced:
- Container images with a vulnerable base being treated as "secure".
- Lack of visibility into what is running in the pipeline.
- Risk from excessive dependencies and lack of control over the supply chain.
- Real compromise incidents in CI/CD tooling (such as GitHub Actions).
- Difficulty reconciling security with operational performance.
Solutions adopted:
- Continuous vulnerability management focused on reducing the attack surface.
- Using an SBOM (Software Bill of Materials) as an ally for traceability.
- Segregating environments, with secure deployment across accounts and contexts.
- Architecture optimizations without giving up secure practices.
- Bringing product and security teams closer together from the start of the journey.
Throughout the episode it became clear that effective security does not depend on a perfect stack but on conscious decisions. Living in the real world of DevSecOps means understanding that agility and security not only can coexist but complement each other. Frequent releases, traceability and a culture of continuous improvement reduce risk and increase confidence in operations. Among the good practices discussed, we reinforced that less is more: minimizing dependencies, separating environments, applying principles such as least privilege and always thinking about blast radius are simple decisions with great impact. Bringing teams together from the architecture stage also helps create distributed security rather than centralized security acting as a barrier.
TestTalks | Automation Awesomeness | Helping YOU Succeed with Test Automation
Welcome to the TestGuild Automation Podcast! In this episode, host Joe Colantonio sits down with Gaurav Mittal, a cybersecurity, data science, and IT expert with over two decades of experience. Gaurav, recognized for his thought leadership in AI and automation with multiple industry awards, shares his insights on how to optimize your automation CI/CD pipelines in DevOps to be more cost-effective. Whether you're a test automation engineer or security professional or work with AI/ML, you'll want to hear Gaurav's take on implementing DevOps pipelines that reduce licensing costs and enhance flexibility without sacrificing your team's productivity. Learn about his experiences with GitHub Actions, Jenkins, and the innovative ways he's optimized CI/CD pipelines to save resources and automate extensive testing processes, all while incorporating strong security measures. Join us as we delve into the innovative strategies and practical advice that can help transform your DevOps practices.
Get up to speed with everything that mattered in cybersecurity this month. In this episode of The Cyberman Show, we break down March 2025's top cyber incidents, threat actor tactics, security product launches, and vulnerabilities actively exploited in the wild. Here's what we cover:
In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community.On March 24, The Atlantic's editor-in-chief Jeffrey Goldberg reported a significant OPSEC failure involving U.S. Secretary of Defense Pete Hegseth, who allegedly sent him detailed U.S. military plans over Signal—an encrypted messaging app—on March 15.A newly discovered supply chain attack on the npm ecosystem is targeting developers by backdooring local packages through a process known as “manifest confusion.” Unit 42 researchers at Palo Alto Networks have uncovered an ongoing software supply chain attack targeting GitHub repositories via malicious GitHub Actions workflows.
I provide an update on the recent GitHub Actions exploits, information on a recently disclosed vulnerability in Veeam's backup service, the end of support for a OneNote app and much more! Reference Links: https://www.rorymon.com/blog/cloudflare-launches-ai-tricking-feature-google-drive-arm-compatibility-onenote-app-support-to-end/
Steve Yegge's latest rant about the future of "coding", Ethan McCue shares some life altering Postgres patterns, Hillel Wayne makes the case for Verification-First Development, Gerd Zellweger experienced lots of pain setting up GitHub Actions & Cascii is a web-based ASCII diagram builder.
The Docker Bake build tool just went general availability, and I'm excited about what this means for creating reproducible builds and automation that can run anywhere, in CI or locally. I love it, really, and in this video I'm going to break down some of the features and the benefits and walk through some examples. In this episode I explain why docker buildx bake exists, what it can do, and I walk through multiple examples of Bake files and how it's better than docker build and docker compose build. I also touch on BuildKit and Docker's GitHub Actions. There's also a video version of this show on YouTube.
★Get started with Docker Bake★ Walkthrough: https://docs.docker.com/guides/bake/ Docs: https://docs.docker.com/build/bake/ GA Announcement: https://www.docker.com/blog/ga-launch-docker-bake/
Creators & Guests: Beth Fisher - Producer, Bret Fisher - Host
(00:00) - Intro (00:41) - History Lesson (01:29) - Bake Today (02:43) - Ad for... Me! (03:53) - List of Benefits (10:29) - Use Bake Everywhere (12:41) - Leaning into Bake, maybe?
You can also support my free material by subscribing to my YouTube channel and my weekly newsletter at bret.news! Grab the best coupons for my Docker and Kubernetes courses. Join my cloud native DevOps community on Discord. Grab some merch at Bret's Loot Box. Homepage bretfisher.com
Three Buddy Problem - Episode 39: Luta Security CEO Katie Moussouris joins the buddies to parse news around a coordinated Chinese exposure of Taiwan APT actors, CitizenLab's report on Paragon spyware and WhatsApp exploits, an “official” Russian government exploit-buying operation shopping for Telegram exploits, the fragmentation of exploit markets and the future of CISA in the face of budget cuts and layoffs. Cast: Katie Moussouris (https://lutasecurity.com), Juan Andres Guerrero-Saade (https://twitter.com/juanandres_gs), Costin Raiu (https://twitter.com/craiu) and Ryan Naraine (https://twitter.com/ryanaraine).
On this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news:
- GitHub Actions supply chain attack loots keys and secrets from 23k projects
- Why a VC fund now owns a minority stake in Risky Business Media (!?!?)
- China doxes Taiwanese military hackers
- Microsoft thinks .lnk file whitespace trick isn't worth patching but APTs sure love it
- CISA delivers government efficiency by re-hiring fired staff… to put them on paid leave
- …and Google acquires Wiz for $32bn
This week's show is sponsored by Zero Networks, and they have sent along a happy customer to talk about their experience. Aaron Steinke is Head of Infrastructure at La Trobe Financial, an asset management firm in Australia. Aaron talks through bringing modern zero-trust goodness to the reality of a technology environment that's been around 40 years. This episode is also available on YouTube.
Show notes:
- Risky Bulletin: GitHub supply chain attack prints everyone's secrets in build logs - Risky Business Media
- China says Taiwan's military is behind PoisonIvy APT
- China identifies Taiwanese hackers allegedly behind cyberattacks and espionage | The Record from Recorded Future News
- Crypto exchange OKX shuts down tool used by North Korean hackers to launder stolen funds | The Record from Recorded Future News
- Lazarus Group deceives developers with 6 new malicious npm packages | CyberScoop
- Poisoned Windows shortcuts found to be a favorite of Chinese, Russian, N. Korean state hackers | The Record from Recorded Future News
- 'Mora_001' ransomware gang exploiting Fortinet bug spotlighted by CISA in January | The Record from Recorded Future News
- Black Basta uses brute-forcing tool to attack edge devices | Cybersecurity Dive
- Alleged Russian LockBit developer extradited from Israel, appears in New Jersey court | The Record from Recorded Future News
- CISA works to contact probationary employees for reinstatement after court order - Nextgov/FCW
- 'People Are Scared': Inside CISA as It Reels From Trump's Purge | WIRED
- The Wiretap: CISA Staff Are Cautiously Optimistic About Trump's Pick For Director
- White House instructs agencies to avoid firing cybersecurity staff, email says | Reuters
- Signal no longer cooperating with Ukraine on Russian cyberthreats, official says | The Record from Recorded Future News
- Telegram CEO Pavel Durov allowed to leave France amid investigation
- Appellate court upholds sentence for former Uber cyber executive Joe Sullivan | The Record from Recorded Future News
- Google buys cloud security provider Wiz for $32 billion | The Record from Recorded Future News
- Pat Gray, Founder of Risky Business, Joins Decibel as Founder Advisor - Decibel
In episode 231 of our SAP on Azure video podcast we talk about GitHub Actions. Deviating a little from classic SAP and Microsoft topics, we take a look at GitHub today. Millions of development projects are done on GitHub. In most cases -- when I look at my own projects -- it is just about pushing data to a GitHub repo and that's it. Our SAPonAzurePodcast website is a small exception, where we do some automation. But you can do much, much more. Christian Lechner from SAP is THE expert on this for me. He has not only done some amazing things with Terraform and BTP, but also automated almost everything in his repos on GitHub with GitHub Actions. Find all the links mentioned here: https://www.saponazurepodcast.de/episode231
Reach out to us for any feedback / questions:
* Robert Boban: https://www.linkedin.com/in/rboban/
* Goran Condric: https://www.linkedin.com/in/gorancondric/
* Holger Bruchelt: https://www.linkedin.com/in/holger-bruchelt/
#Microsoft #SAP #Azure #SAPonAzure #GitHub #GitHubAction
Join us for a fascinating episode where we explore the development of SaturnCI, a new and user-friendly Continuous Integration tool that arose from frustrations with existing solutions like CircleCI and GitHub Actions. Our guest, Jason Sweat, shares his passion for creating a platform that not only simplifies the user experience but actively incorporates feedback from early adopters. Through candid conversations, Jason recounts his journey as a content creator in the Ruby community, and how it inspired him to address the shortcomings he observed in CI tools. We delve into the technical challenges faced as SaturnCI grows, particularly those relating to user scalability as it onboarded new customers. Jason offers valuable insights into his tech stack choices while drawing attention to the importance of creating streamlined interfaces that cater to developers' needs. The conversation shifts to the foundation of community through his upcoming Sin City Ruby conference, showcasing the efforts made to facilitate connection among participants and ensure each attendee leaves with new friendships and knowledge. Toward the end of our episode, we touch upon Jason's unique approach to outreach through his snail mail newsletter, where he shares insights and stories beyond technology. This creative endeavor highlights how stepping away from screens can cultivate a deeper connection with the audience. With an inviting conversational tone and enriching discussions, this episode is packed with valuable insights for anyone interested in CI tools, community-building, and finding the courage to innovate within your space. Be sure to subscribe and share your thoughts with us!
Honeybadger is an application health monitoring tool built by developers for developers.
Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.
In our miniseries on GitHub Pages, we learn how to create a basic Jekyll site. To do this, we must install a modern version of Ruby, install its Gem Bundler, create a little placeholder site, and then serve Jekyll to view our site locally. We push it to GitHub where the GitHub Actions we learned about last time do their magic and create a real website all for free. But we didn't stop there. One of our goals is to create our own theme, and to build on what we get with Bootstrap. We actually download the source, not compiled version of Bootstrap and pick and choose the files we want to use. While learning about the standard conventions for directory structure in Jekyll sites, we'll also learn about Sass — Syntactically Awesome Style Sheets — and how Jekyll will turn them into standard CSS. It's a bit of a heavy lift in terms of a lot of moving pieces, but no one bit of this was hard to learn. It was great fun, and this is just the beginning of what we're going to learn about using Jekyll as a fully-functional content management system.
Josh Goldberg joins Amy and Brad to unpack the recent ESLint v9 release and its impact on the TypeScript ecosystem. From explaining the nuances of flat config migration to debating the proper separation between Prettier and ESLint, Josh offers practical advice for improving developer workflows. The conversation covers Josh's journey as a full-time open source maintainer, the Open Source Pledge initiative, and best practices for implementing linting in CI/CD pipelines. Plus, Josh shares behind-the-scenes details from the inaugural SquiggleConf event.
Chapter Marks
00:00 - Intro
00:48 - Welcome Josh Goldberg
01:06 - Working in open source and getting paid
03:10 - The Open Source Pledge
04:49 - ESLint v9 and flat config changes
07:25 - Migration challenges with flat config
09:52 - Understanding ESLint config format
11:50 - How most people use ESLint
16:20 - Prettier vs ESLint responsibilities
18:47 - Conflict between Prettier and ESLint
21:26 - TypeScript's role in ESLint
25:01 - TypeScript ESLint packages explained
27:43 - Linters for other languages
29:31 - ESLint in CI/CD pipelines
32:03 - Auto-fixing in different environments
37:14 - AI's role in linting and formatting
41:45 - SquiggleConf discussion
44:15 - Conference tooling and Q&A system
46:33 - Future SquiggleConf plans
47:13 - Picks and Plugs
Picks and Plugs
Brad Garropy. Pick: Philips Hue smart lighting system (set up Christmas lights with Hue smart outlets for easy control via phone or voice commands). Plug: Brad's Bluesky account, @bradgarropy.com
Josh Goldberg. Pick: Bluesky social network (appreciates how it feels like early Twitter without spam bots and complicated server setups). Plug: SquiggleConf, a web development tooling conference returning in September 2025
Amy Dutton. Pick: The Inheritance Games (book), which she describes as easy-to-read young adult fiction with puzzles, similar to Knives Out. Plug: Amy's Bluesky account, @selfteachme
Links Mentioned in the Episode
TypeScript ESLint; ESLint v9 migration docs; ESLint Config Inspector; Sentry Gave $750k to Open Source Maintainers; Open Source Pledge initiative; SquiggleConf website; Prisma Pulse; Philips Hue smart lighting; The Inheritance Games (book mentioned by Amy)
Social Media Accounts
Brad's Bluesky account: @bradgarropy.com; Amy's Bluesky account: @selfteachme; Josh Goldberg's Bluesky account: @joshuakgoldberg.com
Related Resources
ESLint Stylistic project; ESLint Config Prettier; ESLint Plugin Prettier; "Create TypeScript Apps" project (Josh's tooling package); Awesome ESLint repo (collection of ESLint plugins); Manual to Magical: AI in Developer Tooling (Tobbe's talk on using AI to write code mods); Nicholas Zakas discussing the ESLint config system on the Syntax podcast
Tools Mentioned
Husky; lint-staged; Cursor; Biome and OXLint (Rust-based linters); GitHub Actions
Technology is evolving at a rapid pace along with the tools, methods, and education practices. Today, Derek Morgan joins the show to discuss the intersection of automation, DevOps, and Infrastructure-as-Code. Derek is the Founder of More Than Certified, an e-learning platform hosting courses on DevOps, Terraform, Docker, and more. We discuss the importance of foundational knowledge in modern tech, the role of tools like Terraform in enterprise environments, and the future of DevOps education. Derek also provides valuable insights into content creation and the philosophy behind effective technical teaching methodologies.
Where to Find Derek: LinkedIn: https://linkedin.com/in/derekm1215 Twitter: https://x.com/mtcderek Company: https://morethancertified.com
Show Links: Linux Academy (now part of Pluralsight): https://www.pluralsight.com/ Terraform: https://www.terraform.io/ OpenTofu: https://opentofu.org/ Jenkins: https://www.jenkins.io/ GitHub Actions: https://github.com/features/actions Ansible: https://www.ansible.com/
Follow, Like, and Subscribe! Podcast: https://www.thecloudgambit.com/ YouTube: https://www.youtube.com/@TheCloudGambit LinkedIn: https://www.linkedin.com/company/thecloudgambit Twitter: https://twitter.com/TheCloudGambit TikTok: https://www.tiktok.com/@thecloudgambit
Way back in September of 2022, Bart finished off the Webpack miniseries by leaving it as an exercise for the student to deploy their web apps to GitHub Pages. Bart closes that circle in this installment while teaching us how to use GitHub Actions. We learn about workflows, jobs, steps, events, and runners. Bart includes great tables in the shownotes of the terminology, so we now have a handy reference guide for making our own YAML files to run GitHub actions. You can find Bart's fabulous tutorial shownotes at pbs.bartificer.net. Read an unedited, auto-generated transcript with chapter marks: PBS_2025_02_15 Join our Slack at podfeet.com/slack and check out the Programming By Stealth channel under #pbs. Support Bart by going to lets-talk.ie and pushing one of the big blue support buttons. Referral Links: Parallels Toolbox - 3 months free for you and me Learn through MacSparky Field Guides - 15% off for you and me Backblaze - One free month for me and you Eufy - $40 for me if you spend $200. Sadly nothing in it for you. PIA VPN - One month added to Paid Accounts for both of us CleanShot X - Earns me $25%, sorry nothing in it for you but my gratitude
FULL SHOW NOTES https://www.microsoftinnovationpodcast.com/652 Join Parvez Ghumra as he explores his journey as a Microsoft MVP from Leicester, UK. His passion for the Power Platform and Dynamics 365 CE development is shaped by strong family values, a love for travel (especially his mini pilgrimage to Mecca) and a spicy hobby of chili growing. Parvez reflects on the evolution of CRM deployment tools, from manual XML to modern no-code solutions like Azure DevOps and GitHub Actions, while acknowledging challenges with tools like Package Deployer. Alongside his insights, Mark also shares his own path to MVP recognition, emphasizing the power of community support in driving personal and professional growth.
TAKEAWAYS
• The role of family in professional development
• Travel experiences influencing personal and professional growth
• Transition from bespoke development to Dynamics 365
• Importance of Application Lifecycle Management in software delivery
• Shift from SDK to low-code solutions in modern development
• The value of community support in achieving the MVP status
This year we're adding a new show to our line up: The AI Advantage. We'll discuss the skills you need to thrive in an AI-enabled world. DynamicsMinds is a world-class event in Slovenia that brings together Microsoft product managers, industry leaders, and dedicated users to explore the latest in Microsoft Dynamics 365, the Power Platform, and Copilot. Early bird tickets are on sale now and listeners of the Microsoft Innovation Podcast get 10% off with the code MIPVIP144bff https://www.dynamicsminds.com/register/?voucher=MIPVIP144bff Accelerate your Microsoft career with the 90 Day Mentoring Challenge. We've helped 1,300+ people across 70+ countries establish successful careers in the Microsoft Power Platform and Dynamics 365 ecosystem. Benefit from expert guidance, a supportive community, and a clear career roadmap.
A lot can change in 90 days, get started today! If you want to get in touch with me, you can message me here on LinkedIn. Thanks for listening.
In this episode: Martin runs GitHub Actions on his development workstations using act. Alan likes to help people and has upped his people-helping skills by making little tools to solve their problems. keyshield - A simple utility to protect your game inputs from GNOME keyboard shortcuts. archive-vbulletin-thread - A Python script to archive threads from vBulletin-based forums. Mark has been flexing his grey matter with challenging mathematical/computer programming problems at Project Euler. You can send your feedback via show@linuxmatters.sh or the Contact Form. If you’d like to hang out with other listeners and share your feedback with the community you can join: The Linux Matters Chatters on Telegram. The #linux-matters channel on the Late Night Linux Discord server. If you enjoy the show, please consider supporting us using Patreon or PayPal. For $5 a month on Patreon, you can enjoy an ad-free feed of Linux Matters, or for $10, get access to all the Late Night Linux family of podcasts ad-free.
Welcome to the New Year and the first episode of the year: We are excited to be talking with Developer Advocate Jessica Deen about GitHub Actions and how you can use them to automate your workflows! 00:00 - Intro 05:49 - What are we going to talk about? 08:23 - Reusable Workflows 14:21 - Job Summaries 18:45 - Matrix Jobs 34:58 - Artifact Attestations 41:47 - OIDC 50:47 - Additional Resources How to find Jessica: Twitter: @jldeen Bluesky: @jldeen.dev Website: jessicadeen.com GitHub: github.com/jldeen Show Resources: Keylight CLI: github.com/jldeen/keylight-cli Excalidraw: https://excalidraw.com/ Learn GitHub Actions: https://github.com/features/actions Actions Marketplace: https://github.com/marketplace?type=actions GitHub Actions Docs: https://docs.github.com/en/actions
Or watch the video version on YouTube. Bret is joined by Willem Delbare and Roeland Delrue to discuss Aikido, a security tool consolidation platform designed specifically for smaller teams and solo DevOps practitioners. The discussion explores how Aikido addresses the growing challenges of software supply chain security by bringing together various security tools, from CVE scanning to cloud API analysis, under a single, manageable portal. Unlike enterprise-focused solutions, Aikido targets the needs of smaller teams and individual DevOps engineers who often juggle multiple responsibilities. During the episode, they demonstrate Aikido's capabilities using Bret's sample GitHub organization, and show how teams can implement comprehensive security measures without managing multiple separate tools. Be sure to check out the video version of the complete show for demos, from our December 5, 2024 YouTube Live stream.
★Topics★ Aikido website, Aikido on Bluesky, Aikido on LinkedIn
Creators & Guests: Cristi Cotovan - Editor, Beth Fisher - Producer, Bret Fisher - Host, Willem Delbare - Guest, Roeland Delrue - Guest
(00:00) - Intro (06:20) - Aikido Origin Story (10:32) - What Does AutoFix Mean?
(13:18) - Security Automation and Developers (21:32) - Lessons from Onboarding Customers (23:10) - Reducing Noise and Alert Fatigue with Aikido (27:30) - Aikido in the CI/CD Process (31:26) - AI Security Integration (32:24) - GitHub Actions and Dependencies as Attack Vector (39:20) - Dependencies in Programming Languages (41:30) - Infrastructure as Code and Cloud Security (48:17) - Runtime Protection with Aikido Zen (54:25) - Agent Involvement in Scanning (57:54) - Tools to Use Alongside Aikido (01:01:16) - Getting Started with Aikido You can also support my free material by subscribing to my YouTube channel and my weekly newsletter at bret.news!Grab the best coupons for my Docker and Kubernetes courses.Join my cloud native DevOps community on Discord.Grab some merch at Bret's Loot BoxHomepage bretfisher.com
In this holiday repeat episode, Evan You, creator of Vue and Vite, discusses his new venture, void(0). He discusses the motivations behind founding void(0), the inefficiencies in JavaScript tooling, and the future of unified tooling stacks. Links https://evanyou.me https://x.com/youyuxi https://github.com/yyx990803 https://sg.linkedin.com/in/evanyou https://voidzero.dev We want to hear from you! How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend? Let us know by sending an email to our producer, Emily, at emily.kochanekketner@logrocket.com (mailto:emily.kochanekketner@logrocket.com), or tweet at us at PodRocketPod (https://twitter.com/PodRocketpod). Follow us. Get free stickers. Follow us on Apple Podcasts, fill out this form (https://podrocket.logrocket.com/get-podrocket-stickers), and we'll send you free PodRocket stickers! What does LogRocket do? LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com (https://logrocket.com/signup/?pdr). Try LogRocket for free today. Special Guest: Evan You.
In this episode, we dive deep into the dynamics of working solo versus being part of a development team. From the ideal team composition at large companies to the challenges of maintaining open source projects, our hosts share their experiences and insights. Learn about the crucial roles of designers and product managers, the importance of documentation, and why even senior developers still Google Git commands. Whether you're a solo developer looking to collaborate or a team player wanting to improve your workflow, this episode has something for everyone.
Chapter Marks
00:00 - Introduction
01:16 - The Perfect Team Composition
02:44 - Different Approaches to Team Building
04:37 - Working Without Designers: The FedEx Experience
08:10 - Documentation and Project Requirements
12:30 - The Role of Documentation in Team Success
14:47 - Documentation's Impact on Career Growth
15:14 - Onboarding and Documentation Connection
16:51 - Open Source Project Management
19:45 - Automation in Open Source
22:34 - Deals for Devs: Managing Contributors
25:29 - Branch Management and PR Workflows
29:59 - Solo Development Practices
31:21 - Git Commands and Team Workflows
35:14 - Open Source Knowledge Barriers
38:02 - The Importance of Admitting What You Don't Know
39:15 - Episode Wrap-up
Links
Nick Taylor's Blog Post about GitHub Code Owners - https://dev.to/opensauced/supercharge-your-repository-with-code-owners-4clg
B Dougie's GitHub Action for the "Take" command - https://github.com/bdougie/take-action/blob/main/action.yml
Chantastic's Git Course on Epic Web - https://www.epicweb.dev/tutorials/git-fundamentals
GitHub Documentation on Squash Merging vs Rebase Merging - https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/about-pull-request-merges
Merge vs Rebase vs Squash - https://gist.github.com/mitchellh/319019b1b8aac9110fcfb1862e0c97fb
GitHub Issue Forms Documentation - https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-issue-forms
GitHub Pull Request Templates Guide - https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/creating-a-pull-request-template-for-your-repository
GitHub Code Owners Documentation - https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
Virtual Coffee's Hacktoberfest Resources - https://hacktoberfest.virtualcoffee.io/
OpenSauced - https://opensauced.pizza/
The "Working Genius" Assessment - https://www.workinggenius.com/
Gun.io Work Personality Quiz - https://gun.io/workstyle/
Deals for Devs Project - https://www.dealsfordevs.com/
GitHub Actions Documentation on Release Management - https://docs.github.com/en/actions/sharing-automations/creating-actions/releasing-and-maintaining-actions
Conventional Commits Documentation - https://www.conventionalcommits.org/en/v1.0.0/
Topics covered in this episode:
Talk Python rewritten in Quart
PyPI now supports digital attestations
Django Rusty Templates
PEP 639 is now supported by PyPI
Extras
Joke

Watch on YouTube

About the show
Sponsored by us! Support our work through:
Our courses at Talk Python Training
The Complete pytest Course
Patreon Supporters

Connect with the hosts
Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky)
Brian: @brianokken@fosstodon.org / @brianokken.bsky.social
Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky)

Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too.

Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form, add your name and email to our friends of the show list. We'll never share it.

Michael #1: Talk Python rewritten in Quart
Rewrote all of talkpython.fm in Quart (10k lines of code total, 4k changed)
Considered: FastAPI, Litestar, Django, Hugo Static Site + Python, Flask
Discussed the multistage upgrade / conversion process
Automating tests for all 1,000 pages

Brian #2: PyPI now supports digital attestations
Dustin Ingram
“Attestations provide a verifiable link to an upstream source repository: By signing with the identity of the upstream source repository, such as in the case of an upload of a project built with GitHub Actions, PyPI's support for digital attestations defines a strong and verifiable association between a file on PyPI and the source repository, workflow, and even the commit hash that produced and uploaded the file. Additionally, publishing attestations to a transparency log helps mitigate against both compromise of PyPI and compromise of the projects themselves.”
For maintainers:
If using GH Actions and Trusted Publishing, make sure you use pypa/gh-action-pypi-publish version v1.11.0 or newer. That's it.
If not: “Support for automatic attestation generation and publication from other Trusted Publisher environments is planned.” “While not recommended, maintainers can also manually generate and publish attestations.”
See also PyPI Introduces Digital Attestations to Strengthen Python Package Security by Sarah Gooding
Are we PEP 740 yet?

Michael #3: Django Rusty Templates
by Lily Foote
An experimental reimplementation of Django's templating language in Rust.
Goals:
100% compatibility of rendered output.
Error reporting that is at least as useful as Django's errors.
Improved performance over Django's pure Python implementation.

Brian #4: PEP 639 is now supported by PyPI
from Brett Cannon
PEP 639 – Improving License Clarity with Better Package Metadata
For project metadata, use these fields: license and license-files.
Examples of the license field:
    [project]
    license = "MIT"

    [project]
    license = "MIT AND (Apache-2.0 OR BSD-2-clause)"

    [project]
    license = "MIT OR GPL-2.0-or-later OR (FSFUL AND BSD-2-Clause)"

    [project]
    license = "LicenseRef-Proprietary"
Examples of license-files:
    [project]
    license-files = ["LICEN[CS]E*", "AUTHORS*"]

    [project]
    license-files = ["licenses/LICENSE.MIT", "licenses/LICENSE.CC0"]

    [project]
    license-files = ["LICENSE.txt", "licenses/*"]

    [project]
    license-files = []

Extras
Brian:
Playground Wisdom: Threads Beat Async/Await - interesting read from Armin Ronacher about different language abstractions around concurrency.
PythonTest.com Discord community is now live. Launched last week; as of this morning we've got 89 members. Anyone already a pythontest community member has received an invite. Anyone can join through courses.pythontest.com
Everything at pythontest.com is 20% off through Dec 2 with code turkeysale2024
“Python Testing with pytest” eBook 40% off through Dec 2, use code turkeysale2024
Michael:
Python 3.14.0a2 released
Starter packs:
Michael's Python people: https://bsky.app/starter-pack/mkennedy.codes/3lbdnupl26e2x
Directory: https://blueskydirectory.com/starter-packs/all
Joke: curl - heavy metal style!
Evan You, creator of Vue and Vite, discusses his new venture, void(0). He discusses the motivations behind founding void(0), the inefficiencies in JavaScript tooling, and the future of unified tooling stacks.

Links
https://evanyou.me
https://x.com/youyuxi
https://github.com/yyx990803
https://sg.linkedin.com/in/evanyou
https://voidzero.dev

We want to hear from you! How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend? Let us know by sending an email to our producer, Emily, at emily.kochanekketner@logrocket.com (mailto:emily.kochanekketner@logrocket.com), or tweet at us at PodRocketPod (https://twitter.com/PodRocketpod).

Follow us. Get free stickers. Follow us on Apple Podcasts, fill out this form (https://podrocket.logrocket.com/get-podrocket-stickers), and we'll send you free PodRocket stickers!

What does LogRocket do? LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today (https://logrocket.com/signup/?pdr).

Special Guest: Evan You.
Topics covered in this episode:
Briefer: Dashboards and notebooks in a single place
Introduction to programming with Python
setup-uv
HTML for people
Extras
Joke

Watch on YouTube

About the show
Sponsored by ScoutAPM: pythonbytes.fm/scout

Connect with the hosts
Michael: @mkennedy@fosstodon.org
Brian: @brianokken@fosstodon.org
Show: @pythonbytes@fosstodon.org

Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too.

Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form, add your name and email to our friends of the show list. We'll never share it.

Michael #1: Briefer: Dashboards and notebooks in a single place
Notebooks and dashboards with Python, SQL, scheduling, native visualizations, code generation, and more.
In Briefer, you can:
Create notebooks and dashboards using Markdown, Python, SQL, and native visualizations.
Build interactive data apps using inputs, dropdowns, and date pickers.
Generate code and queries using an AI that understands your database schema and your notebook's context.
Schedule notebooks and dashboards to run and update periodically.
Create and test ad-hoc pipelines using writebacks.
Briefer vs. Traditional BI Tools: Briefer is better than traditional BI tools because it's faster and more flexible, thanks to Python.
Briefer vs. Traditional Notebooks: In Briefer, you can run SQL queries against connected data sources directly in your notebook. Then, Briefer will automatically turn your query into a data frame and store it in a variable that you can use in your Python blocks.

Brian #2: Introduction to programming with Python
Jose Blanca
“Python intro aimed at students with no prior programming experience.”
“Relies mainly on examples and exercises.”
“Does not try to cover every detail of the Python language, but just what a beginner might need to start the journey.”
Tech: “… built with the quarto publishing system complemented by the quarto live extension that allows Python to run in the web browser by using pyodide.”
Runs on anything, since it doesn't require a local install of Python.
Running 3.12.1, looks like. Although that's a bit hidden. Seems like it should be more visible.

Michael #3: setup-uv
Set up your GitHub Actions workflow with a specific version of uv
Install a version of uv and add it to PATH
Cache the installed version of uv to speed up consecutive runs on self-hosted runners
Register problem matchers for error output
(Optional) Persist uv's cache in the GitHub Actions Cache
(Optional) Verify the checksum of the downloaded uv executable

Brian #4: HTML for people
Teaching HTML in a rather fun way.
Includes basic CSS

Extras
Michael:
A new article: We Must Replace uWSGI With Something Else
Django unique email login

Joke: So much O'Really
Why does Cloud Security Research matter in 2024? At fwd:cloudsec EU in Brussels, we sat down with Scott Piper, a renowned cloud security researcher at Wiz, to discuss the growing importance of cloud security research and its real-world impact. Scott spoke to us about the critical differences between traditional security testing and cloud security research, explaining how his team investigates cloud providers to find vulnerabilities, improve detection tools, and safeguard data.

Guest Socials: Scott's LinkedIn + Scott's Twitter
Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security Social Channels:
Cloud Security Podcast - YouTube
Cloud Security Newsletter
Cloud Security BootCamp

Questions asked:
(00:00) Introduction
(02:07) A bit about Scott Piper
(02:48) What is a Cloud Security Research Team?
(04:30) Difference between traditional and Cloud Security Research
(07:21) Cloud Pentesting vs Cloud Security Research
(08:10) What is request collapsing?
(10:26) GitHub Actions and OIDC Research
(13:47) How has cloud security evolved?
(17:02) Tactical things for Cloud Security Program
(18:41) Impact of Kubernetes and AI on Cloud
(20:37) How to become a Cloud Security Researcher
(22:46) AWS Cloud Security Best Practices
(26:35) Trends in AWS Cloud Security Research
(28:11) Fun Questions
(30:22) A bit about fwd:cloudsec

Resources mentioned during the interview:
Wiz.io - Cloud Security Podcast listeners can also get a free cloud security health scan
PEACH framework
Wiz Research Blog
Avoiding security incidents due to request collapsing
A security community success story of mitigating a misconfiguration
Cloudmapper
flaws.cloud
fwd:cloudsec CTFs
The Big IAM Challenge
Prompt Airlines, AI Security Challenge
Kubernetes LAN Party