Podcasts about github actions

On this episode, Andrew's buried in messy authentication work spread across legacy code, Chris recounts a frustrating GitHub Actions debugging session, and David explains the mental drain of working across both Vue 2 and Vue 3 in the same application. They talk about using workflow run triggers, scheduled builds, and GitHub's new Agentic Copilot workflows such as CI Doctor, Automatic Code Simplifier, and issue/PR management, while lamenting low-quality AI-generated PRs and paid AI code review tools. Andrew makes a special announcement about Blastoff Rails, they compare LazyVim, lazy.nvim, and Kickstart Neovim, we hear about Ruby 3.4.9 and its bug-fix release, and Marco Roth's Herb improvements for ERB tooling. Hit download now to hear more! LinksJudoscale- Remote Ruby listener giftUpload-artifact v7.0.0 (GitHub)Download-artifact v8.0.0 (GitHub)GitHub Agentic WorkflowsBringing Code Review to Claude CodeScott's Pizza ToursBlastoff Rails-June 11-12, 2026, Albuquerque, New MexicoLearn Enough Bridgetown to be Dangerous (Andrew's talk)lazy.nvimLazyVimkickstart.nvimkickstart-modular.nvimTree-sitterHerbMarco Roth X (Herb)HoneybadgerHoneybadger is an application health monitoring tool built by developers for developers.JudoscaleMake your deployments bulletproof with autoscaling that just works.Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.Chris Oliver X/TwitterAndrew Mason X/TwitterJason Charnes X/Twitter

Bret is joined by the founders of Plakar - Julien Mangeard and Gilles Chehade - to nerd out over backup engineering. The kind where you're building your own file formats and cryptographic layers, not just wiring up cron jobs. We get into how Plakar deduplicates and encrypts at the source so your cloud provider never sees your keys. Also, their snapshot model has no chain dependencies, which means you can delete any backup without breaking the others. We had a fun hour of backup horror stories, ransomware pragmatism, where I'm lobbying hard for a Docker volume integration.Check out the video podcast version here: https://youtu.be/OPRK5osKQHI

Проверяем знания кандидата на позицию Senior DevOps инженера в прямом эфире. В этом выпуске: архитектурные паттерны в AWS, вечный спор Terraform против CloudFormation, глубокое погружение в Kubernetes (Karpenter, скейлинг) и Live-траблшутинг сломанного Helm-чарта. О ЧЁМ ВЫПУСК: • Архитектура и облака: Как выбрать между EKS и ECS/Fargate и настроить безопасное хранение бэкапов в S3.  • IaC войны: Честное сравнение Terraform и CloudFormation — где заканчивается удобство и начинается боль.  • Kubernetes под капотом: Разбираем Control Plane, работу контроллеров и нюансы обновления on-prem кластеров.  • Live Debug: Реальная задача по починке упавшего пода (CrashLoopBackOff) — работа с пробами, портами и Helm.  • CI/CD стратегии: Строим идеальный пайплайн с GitHub Actions и ArgoCD. ГОСТЬ: Максим — DevOps-инженер (5 лет опыта DevOps, 10 лет SysAdmin). Стек: AWS, Terraform, Kubernetes, Ansible, Monitoring. ССЫЛКИ

Strategic Technology Consultation Services This episode of The Modern .NET Show is supported, in part, by RJJ Software's Strategic Technology Consultation Services. If you're an SME (Small to Medium Enterprise) leader wondering why your technology investments aren't delivering, or you're facing critical decisions about AI, modernization, or team productivity, let's talk. Show Notes "So it essentially is a build orchestration framework. So it doesn't replace the .NET CL or MSBuild or whatever you're using today. It doesn't replace GitHub Actions or Azure pipelines. What it does is that it reduces the complexity of those things"— Mattias Karlsson Hey everyone, and welcome back to The Modern .NET Show; the premier .NET podcast, focusing entirely on the knowledge, tools, and frameworks that all .NET developers should have in their toolbox. I'm your host Jamie Taylor, bringing you conversations with the brightest minds in the .NET ecosystem. Today, we're joined by Matthas Karlsson to talk about Cake (aka C# Make), the build orchestrator built entirely in .NET. "Like, you need to evaluate and see what works for you. Because, like, if you have an open source project and all you do is dotnet pack, then it might be too complicated."— Mattias Karlsson Along the way, we talked about what a build orchestrator is, why you might consider one (and when it might be too complex to have one), the recent single file application changes to .NET (i.e `dotnet run file.cs`), and talk about why it's important to have multiple tools in your development toolbox. Before we jump in, a quick reminder: if The Modern .NET Show has become part of your learning journey, please consider supporting us through Patreon or Buy Me A Coffee. Every contribution helps us continue bringing you these in-depth conversations with industry experts. You'll find all the links in the show notes. Anyway, without further ado, let's sit back, open up a terminal, type in `dotnet new podcast` and we'll dive into the core of Modern .NET. Full Show Notes The full show notes, including links to some of the things we discussed and a full transcription of this episode, can be found at: https://dotnetcore.show/season-8/from-yaml-chaos-to-csharp-clarity-mattias-karlsson-on-cake-build/ Useful Links: Cake Build Mattias' links: Website LinkedIn Bluesky Mastadon Supporting the show: Leave a rating or review Buy the show a coffee Become a patron Getting in Touch: Via the contact page Joining the Discord Remember to rate and review the show on Apple Podcasts, Podchaser, or wherever you find your podcasts, this will help the show's audience grow. Or you can just share the show with a friend. And don't forget to reach out via our Contact page. We're very interested in your opinion of the show, so please get in touch. You can support the show by making a monthly donation on the show's Patreon page at: https://www.patreon.com/TheDotNetCorePodcast. Music created by Mono Memory Music, licensed to RJJ Software for use in The Modern .NET Show. Editing and post-production services for this episode were provided by MB Podcast Services.

AI is reshaping both sides of the cybersecurity battlefield — and fast. In this episode, we break down five stories that prove it: the first Chrome zero-day of 2026 (CVE-2026-2441), a near-perfect CVSS 9.9 in Microsoft's Semantic Kernel SDK (CVE-2026-26030), a supply chain attack on AI coding assistant Cline that silently installed autonomous agents on thousands of developer machines, the first-ever Android malware using Google's Gemini AI at runtime (PromptSpy), and a Russian-speaking threat actor who used commercial AI tools to breach over 600 FortiGate firewalls across 55 countries in just five weeks. Whether you're a developer, security professional, or just someone who uses a browser — this one's worth your time.

Container base images (like Official Docker Hub images) are often updated without new tag versions. I call this Silent Rebuilds. There's no way to know this happens without image digest-checking automation like Dependabot and Renovate with specific settings. Failure to keep up-to-date is a prime source of vulnerabilities that can lead to serious security breaches. Automate the updates!Check out the video podcast version here: https://youtu.be/z_ahbsSc4Fo

NTT株式会社とNTTドコモビジネス株式会社は2月24日、早稲田大学と共同でCI/CD基盤として広く利用されている「GitHub Actions」を対象に、公式に推奨されているセキュリティ対策の実施状況と、その実践を妨げる要因についての調査結果を発表した。

Topics covered in this episode: Better Python tests with inline-snapshot jolt Battery intelligence for your laptop Markdown code formatting with ruff act - run your GitHub actions locally Extras Joke Watch on YouTube About the show Sponsored by us! Support our work through: Our courses at Talk Python Training The Complete pytest Course Patreon Supporters Connect with the hosts Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky) Brian: @brianokken@fosstodon.org / @brianokken.bsky.social Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky) Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 11am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Brian #1: Better Python tests with inline-snapshot Alex Hall, on Pydantic blog Great for testing complex data structures Allows you to write a test like this: from inline_snapshot import snapshot def test_user_creation(): user = create_user(id=123, name="test_user") assert user.dict() == snapshot({}) Then run pytest --inline-snapshot=fix And the library updates the test source code to look like this: def test_user_creation(): user = create_user(id=123, name="test_user") assert user.dict() == snapshot({ "id": 123, "name": "test_user", "status": "active" }) Now, when you run the code without “fix” the collected data is used for comparison Awesome to be able to visually inspect the test data right there in the test code. Projects mentioned inline-snapshot pytest-examples syrupy dirty-equals executing Michael #2: jolt Battery intelligence for your laptop Support for both macOS and Linux Battery Status — Charge percentage, time remaining, health, and cycle count Power Monitoring — System power draw with CPU/GPU breakdown Process Tracking — Processes sorted by energy impact with color-coded severity Historical Graphs — Track battery and power trends over time Themes — 10+ built-in themes with dark/light auto-detection Background Daemon — Collect historical data even when the TUI isn't running Process Management — Kill energy-hungry processes directly Brian #3: Markdown code formatting with ruff Suggested by Matthias Schoettle ruff can now format code within markdown files Will format valid Python code in code blocks marked with python, py, python3 or py3. Also recognizes pyi as Python type stub files. Includes the ability to turn off formatting with comment [HTML_REMOVED] , [HTML_REMOVED] blocks. Requires preview mode [tool.ruff.lint] preview = true Michael #4: act - run your GitHub actions locally Run your GitHub Actions locally! Why would you want to do this? Two reasons: Fast Feedback - Rather than having to commit/push every time you want to test out the changes you are making to your .github/workflows/ files (or for any changes to embedded GitHub actions), you can use act to run the actions locally. The environment variables and filesystem are all configured to match what GitHub provides. Local Task Runner - I love make. However, I also hate repeating myself. With act, you can use the GitHub Actions defined in your .github/workflows/ to replace your Makefile! When you run act it reads in your GitHub Actions from .github/workflows/ and determines the set of actions that need to be run. Uses the Docker API to either pull or build the necessary images, as defined in your workflow files and finally determines the execution path based on the dependencies that were defined. Once it has the execution path, it then uses the Docker API to run containers for each action based on the images prepared earlier. The environment variables and filesystem are all configured to match what GitHub provides. Extras Michael: Winter is coming: Frozendict accepted Django ORM stand-alone Command Book app announcement post Joke: Plug ‘n Paste

"It's prime time for runtime!"In this episode of the mnemonic security podcast, we're joined by Sergej Epp, Global CISO & Member of the Executive Team of Sysdig, to discuss threats at machine speed and runtime security.Sergej explains how runtime security enables organisations to understand what is really happening inside containers and serverless workloads, and why, without it, they are effectively blind to critical activity within their cloud-native environments. He shares recent examples of supply chain incidents that highlight these risks, including the GitHub Actions compromise, NPM attacks, and the two waves of Shai-Hulud.Robby and Sergej also discuss the most common ways that attackers get access to clusters and containers, and how organisations can stay ahead of attacks using real-time telemetry.Send a text

I'm joined by Nirmal Mehta of AWS and Viktor Farcic from Upbound, to go through our 2025 year in review. We look into the AI tools that consumed us this year, from CLI agents to terminal emulators, IDEs, AI browsers - what worked, what flopped, what's worth your time and money, and what we think isn't!Check out the video podcast version here: https://youtu.be/mnagfUsh5bc

This is a recap of the top 10 posts on Hacker News on February 06, 2026. This podcast was generated by wondercraft.ai (00:30): I now assume that all ads on Apple news are scamsOriginal post: https://news.ycombinator.com/item?id=46911901&utm_source=wondercraft_ai(01:59): The Waymo World ModelOriginal post: https://news.ycombinator.com/item?id=46914785&utm_source=wondercraft_ai(03:28): TikTok's 'addictive design' found to be illegal in EuropeOriginal post: https://news.ycombinator.com/item?id=46911869&utm_source=wondercraft_ai(04:57): A new bill in New York would require disclaimers on AI-generated news contentOriginal post: https://news.ycombinator.com/item?id=46910963&utm_source=wondercraft_ai(06:27): OpenCiv3: Open-source, cross-platform reimagining of Civilization IIIOriginal post: https://news.ycombinator.com/item?id=46918612&utm_source=wondercraft_ai(07:56): Hackers (1995) Animated ExperienceOriginal post: https://news.ycombinator.com/item?id=46912800&utm_source=wondercraft_ai(09:25): GitHub Actions is slowly killing engineering teamsOriginal post: https://news.ycombinator.com/item?id=46908491&utm_source=wondercraft_ai(10:55): An Update on HerokuOriginal post: https://news.ycombinator.com/item?id=46913903&utm_source=wondercraft_ai(12:24): Microsoft open-sources LiteBox, a security-focused library OSOriginal post: https://news.ycombinator.com/item?id=46913793&utm_source=wondercraft_ai(13:53): Sheldon Brown's Bicycle Technical InfoOriginal post: https://news.ycombinator.com/item?id=46914159&utm_source=wondercraft_aiThis is a third-party project, independent from HN and YC. Text and audio generated using AI, by wondercraft.ai. Create your own studio quality podcast with text as the only input in seconds at app.wondercraft.ai. Issues or feedback? We'd love to hear from you: team@wondercraft.ai

I talk with David Flanagan, aka Rawkode, about his new opinionated Tech Matrix that helps you navigate the overwhelming CNCF landscape. https://rawkode.academy/technology/matrix

This episode opens with mic and Nintendo banter before plunging into macOS release pain points: sandboxing, hardened runtime, notarization, Sparkle auto‑updates, and automating releases with GitHub Actions and tags. James and Frank offer practical tips—drag builds into /Applications to test signing—and unpack .NET 10 trimming/reflection pitfalls and CI/CD quirks for anyone shipping native apps outside the App Store. Follow Us Frank: Twitter, Blog, GitHub James: Twitter, Blog, GitHub Merge Conflict: Twitter, Facebook, Website, Chat on Discord Music : Amethyst Seer - Citrine by Adventureface ⭐⭐ Review Us (https://itunes.apple.com/us/podcast/merge-conflict/id1133064277?mt=2&ls=1) ⭐⭐ Machine transcription available on http://mergeconflict.fm

This is a recap of the top 10 posts on Hacker News on January 14, 2026. This podcast was generated by wondercraft.ai (00:30): FBI raids Washington Post reporter's homeOriginal post: https://news.ycombinator.com/item?id=46616745&utm_source=wondercraft_ai(01:58): Claude Cowork exfiltrates filesOriginal post: https://news.ycombinator.com/item?id=46622328&utm_source=wondercraft_ai(03:26): Ford F-150 Lightning outsold the Cybertruck and was then canceled for poor salesOriginal post: https://news.ycombinator.com/item?id=46618901&utm_source=wondercraft_ai(04:55): Ask HN: Share your personal websiteOriginal post: https://news.ycombinator.com/item?id=46618714&utm_source=wondercraft_ai(06:23): I hate GitHub Actions with passionOriginal post: https://news.ycombinator.com/item?id=46614558&utm_source=wondercraft_ai(07:52): SparkFun Officially Dropping AdaFruit due to CoC ViolationOriginal post: https://news.ycombinator.com/item?id=46616488&utm_source=wondercraft_ai(09:20): 1000 Blank White CardsOriginal post: https://news.ycombinator.com/item?id=46611823&utm_source=wondercraft_ai(10:48): ASCII CloudsOriginal post: https://news.ycombinator.com/item?id=46611507&utm_source=wondercraft_ai(12:17): So, you've hit an age gate. What now?Original post: https://news.ycombinator.com/item?id=46619030&utm_source=wondercraft_ai(13:45): I'm leaving Redis for SolidQueueOriginal post: https://news.ycombinator.com/item?id=46614037&utm_source=wondercraft_aiThis is a third-party project, independent from HN and YC. Text and audio generated using AI, by wondercraft.ai. Create your own studio quality podcast with text as the only input in seconds at app.wondercraft.ai. Issues or feedback? We'd love to hear from you: team@wondercraft.ai

 This is continual learning, right? Everyone has been talking about continual learning as the next challenge in AI. Actually, it's solved. Just tell it to keep some notes somewhere. Sure, it's not, it's not machine learning, but in some ways it is because when it will load this text file again, it will influence what it does … And it works so well: it's easy to understand. It's easy to inspect, it's easy to evolve and modify!Eleanor Berger and Isaac Flaath, the minds behind Elite AI Assisted Coding, join Hugo to talk about how to redefine software development through effective AI-assisted coding, leveraging “specification-first” approaches and advanced agentic workflows.We Discuss:* Markdown learning loops: Use simple agents.md files for agents to self-update rules and persist context, creating inspectable, low-cost learning;* Intent-first development: As AI commoditizes syntax, defining clear specs and what makes a result “good” becomes the core, durable developer skill;* Effortless documentation: Leverage LLMs to distill messy “brain dumps” or walks-and-talks into structured project specifications, offloading context faster;* Modular agent skills: Transition from MCP servers to simple markdown-based “skills” with YAML and scripts, allowing progressive disclosure of tool details;* Scheduled async agents: Break the chat-based productivity ceiling by using GitHub Actions or Cron jobs for agents to work on issues, shifting humans to reviewers;* Automated tech debt audits: Deploy background agents to identify duplicate code, architectural drift, or missing test coverage, leveraging AI to police AI-induced messiness;* Explicit knowledge culture: AI agents eliminate “cafeteria chat” by forcing explicit, machine-readable documentation, solving the perennial problem of lost institutional knowledge;* Tiered model strategy: Optimize token spend by using high-tier “reasoning” models (e.g., Opus) for planning and low-cost, high-speed models (e.g., Flash) for execution;* Ephemeral software specs: With near-zero generation costs, software shifts from static products to dynamic, regenerated code based on a permanent, underlying specification.You can also find the full episode on Spotify, Apple Podcasts, and YouTube.You can also interact directly with the transcript here in NotebookLM: If you do so, let us know anything you find in the comments!

Speed isn't just a nice-to-have - it affects user experience, cloud costs, and how fast teams can move. In this episode, we chat with Saurabh Misra about making Python performance a continuous habit rather than a last-minute clean-up. He introduces Codeflash, a tool that profiles real code paths, explores optimisation options with LLMs, and only suggests changes that preserve behaviour and deliver measurable speedups.We delve into how this works, from tracing and line-level profiling to coverage-guided inputs and concolic testing. Saurabh shares real examples, including smarter NumPy usage, avoiding unnecessary global sorts, and using Numba to speed up numeric hotspots. We also talk about fitting performance checks into everyday workflows via the CLI, VS Code, and GitHub Actions.The big takeaway: performance doesn't have to slow teams down — with the right tooling, it can be part of shipping well from day one.Connect with Saurabh at https://www.linkedin.com/in/saurabh-misra/ and find out more about Codeflash via the website https://www.codeflash.ai/.___

У свіжому дайджесті DOU News говоримо про стан ІТ-ринку у 2025 році, стрімке зростання української мови в ШІ та податкові зміни для ФОПів. А ще — про нові релізи Google й OpenAI, великі інвестиції в ШІ-стартапи, слово року та інші теми українського ІТ та світового тек-сектору. Таймкоди 00:00 Інтро 00:23 Хто почувається краще на ІТ-ринку у 2025 році 06:29 Українська мова — найшвидше зростає в open-source ШІ 07:49 ПДВ для ФОПів: що пропонує Мінфін 11:15 Скільки користувачів у нового застосунку «Нової пошти» 13:05 Direct to Cell від «Київстар» став доступним для iPhone 13:56 Зміни цін на GitHub Actions 19:43 Google представила Gemini 3 Flash 22:52 OpenAI запустила ChatGPT Images 24:50 OpenAI шукає фінансування до $100 млрд 26:53 Vibe-coding стартап Lovable залучив $330 млн 29:10 Слово року 2025 — slop 31:10 Google припиняє dark web-сповіщення 32:58 Чергове дивне рішення росії 35:56 Starlink втратив супутник через аномалію 38:06 Що цього тижня рекомендує Женя: Стаття: Cloudflare Radar Year Review Книга: «Хроніки Буресвітла», книга 5 — «Вітер і істина» Серіал: «Андор» Фільм: «Ти — космос» Музичний альбом: Arcane S2 OST (honorable mention — «Поле каніфолі») Музичне відкриття: Клер (на вінілі)

This is a recap of the top 10 posts on Hacker News on December 08, 2025. This podcast was generated by wondercraft.ai (00:30): The fuck off contact pageOriginal post: https://news.ycombinator.com/item?id=46189994&utm_source=wondercraft_ai(01:52): GitHub Actions has a package manager, and it might be the worstOriginal post: https://news.ycombinator.com/item?id=46189692&utm_source=wondercraft_ai(03:14): Microsoft has a problem: lack of demand for its AI productsOriginal post: https://news.ycombinator.com/item?id=46194615&utm_source=wondercraft_ai(04:37): IBM to acquire ConfluentOriginal post: https://news.ycombinator.com/item?id=46192130&utm_source=wondercraft_ai(05:59): Icons in Menus Everywhere – Send HelpOriginal post: https://news.ycombinator.com/item?id=46196688&utm_source=wondercraft_ai(07:21): Jepsen: NATS 2.12.1Original post: https://news.ycombinator.com/item?id=46196105&utm_source=wondercraft_ai(08:44): Microsoft increases Office 365 and Microsoft 365 license pricesOriginal post: https://news.ycombinator.com/item?id=46192186&utm_source=wondercraft_ai(10:06): NVIDIA frenemy relation with OpenAI and OracleOriginal post: https://news.ycombinator.com/item?id=46196076&utm_source=wondercraft_ai(11:28): Strong earthquake hits northern Japan, tsunami warning issuedOriginal post: https://news.ycombinator.com/item?id=46192846&utm_source=wondercraft_ai(12:51): Paramount launches hostile bid for Warner BrosOriginal post: https://news.ycombinator.com/item?id=46192459&utm_source=wondercraft_aiThis is a third-party project, independent from HN and YC. Text and audio generated using AI, by wondercraft.ai. Create your own studio quality podcast with text as the only input in seconds at app.wondercraft.ai. Issues or feedback? We'd love to hear from you: team@wondercraft.ai

Audio version of video on YouTube. SharePoint Site Creation in Microsoft Graph Microsoft Agent 365: The control plane for AI agents Automatically Signing a Windows EXE with Azure Trusted Signing, dotnet sign, and GitHub Actions tree-me: Because git worktrees shouldn't be a chore Subscribe to all my videos at: https://thoughtstuff.co.uk/video Podcast: https://thoughtstuff.co.uk/itunes, https://thoughtstuff.co.uk/spotify or https://thoughtstuff.co.uk/podcast Blog: https://blog.thoughtstuff.co.uk

Andrew returns from SF Ruby with a lot more than conference swag! He brings a clear snapshot of where Ruby, Rails, and AI are headed right now. In this episode, he and Chris walk through the most impactful talks from SF Ruby, share highlights of engaging discussions with other developers and friends, reminisces about nostalgic tech items, and explores insightful conversations on the future of Rails, startup culture, AI's impact on programming, developer anxiety, and they share product ideas from Chris new SaaS series on GoRails to Andrew's concept for a serious GitHub Actions monitoring tool. Hit download now to hear more! LinksGoRails Black Friday SaleJudoscale- Remote Ruby listener giftAction Cable NextSF Ruby 2025 Ruby ConferenceGitButlerWaymoSimple File UploadCallback HellAction Cable Next Ruby Was Ready From The Start by Obie Fernandez (Medium) FluxGoRails: Markdown MIME Type & RendererSF Ruby Sponsors Chris Oliver X/Twitter Andrew Mason X/Twitter Jason Charnes X/Twitter

In this potluck episode, Wes and Scott answer your questions about paid vs. free SSL, the state of frontend jobs, headless WordPress trade-offs, organizing TypeScript types, and more! Show Notes 00:00 Welcome to Syntax! 00:51 Recapping the GitHub Meetup 05:14 Is there any real benefit to picking a paid SSL over Let's Encrypt? 08:03 Is the pure frontend role disappearing? 11:17 Is the gravy train over for software devs? 20:48 How Scott automates versioning with GitHub Actions changesets Intro to using changesets zero-svelte graffiti 25:16 Brought to you by Sentry.io 25:41 Thoughts on VS Code alternatives and the rise of Zed 33:01 Should I switch to headless WordPress or continue rolling my own PHP templates? 37:33 How do you organize TypeScript types in a frontend project? 40:55 How do I continue to level up as a developer? 45:36 Stay in a comfortable job or embrace new challenges? Hit us up on Socials! Syntax: X Instagram Tiktok LinkedIn Threads Wes: X Instagram Tiktok LinkedIn Threads Scott: X Instagram Tiktok LinkedIn Threads Randy: X Instagram YouTube Threads

An airhacks.fm conversation with Gabriel Pop (@vwggolf3) about: transition from individual contributor to engineering management since 2011, managing developer tools and AWS code suite services, discussion of AWS CodeCommit entering maintenance mode but maintaining performance and security standards, benefits of AWS CodeBuild as a serverless build service, using CodeBuild for running JARs and automated testing, proper channels for submitting AWS feature requests through documentation and github repos, CodeArtifact as artifact repository for Java JARs and other packages, using S3 for serverless lambda deployment artifacts, multi-account architecture patterns for build systems, CodeDeploy flexibility for various deployment scenarios including ECS rolling updates, lifecycle hooks in CodeDeploy for Lambda deployments, Code Connections for secure third-party repository integration without storing secrets, CodePipeline as orchestrator for CI/CD workflows, CodePipeline V2 features with tag-based triggers for release automation, event-driven architecture using Amazon EventBridge with CodeBuild and CodePipeline events, comparison with GitHub Actions and Jenkins integrations, philosophy of using AWS-native services for consistency and security, Step Functions as alternative orchestration tool, importance of automation and infrastructure as code with CDK, challenges of prioritization and trade-offs in AWS service development, AWS region expansion and service availability, end-to-end testing strategies with Java interfaces and MicroProfile, security best practices with least privilege and dedicated build accounts, developer experience improvements and console UI updates, community engagement through AWS Hero program and user groups Gabriel Pop on twitter: @vwggolf3

Pull requests are a core part of collaboration, whether in open or closed source. GitHub has documented some of the security consequences of misconfiguring how PRs can trigger actions. But what happens when repo owners don't read the docs? Bar Kaduri and Roi Nisimi walk through their experience in reading docs, finding vulns, demonstrating exploits, and working with repo owners to improve their security. Their work highlights the challenges in maintaining good security guidance, figuring out secure defaults, and how so many orgs still struggle with triaging external security reports -- something that's becoming even more challenging when orgs are being flooded with low-quality reports from LLMs. Segment Resources: https://orca.security/resources/blog/pull-request-nightmare-github-actions-rce/ https://orca.security/resources/blog/pull-request-nightmare-part-2-exploits/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-355

Pull requests are a core part of collaboration, whether in open or closed source. GitHub has documented some of the security consequences of misconfiguring how PRs can trigger actions. But what happens when repo owners don't read the docs? Bar Kaduri and Roi Nisimi walk through their experience in reading docs, finding vulns, demonstrating exploits, and working with repo owners to improve their security. Their work highlights the challenges in maintaining good security guidance, figuring out secure defaults, and how so many orgs still struggle with triaging external security reports -- something that's becoming even more challenging when orgs are being flooded with low-quality reports from LLMs. Segment Resources: https://orca.security/resources/blog/pull-request-nightmare-github-actions-rce/ https://orca.security/resources/blog/pull-request-nightmare-part-2-exploits/ Show Notes: https://securityweekly.com/asw-355

Pull requests are a core part of collaboration, whether in open or closed source. GitHub has documented some of the security consequences of misconfiguring how PRs can trigger actions. But what happens when repo owners don't read the docs? Bar Kaduri and Roi Nisimi walk through their experience in reading docs, finding vulns, demonstrating exploits, and working with repo owners to improve their security. Their work highlights the challenges in maintaining good security guidance, figuring out secure defaults, and how so many orgs still struggle with triaging external security reports -- something that's becoming even more challenging when orgs are being flooded with low-quality reports from LLMs. Segment Resources: https://orca.security/resources/blog/pull-request-nightmare-github-actions-rce/ https://orca.security/resources/blog/pull-request-nightmare-part-2-exploits/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-355

Pull requests are a core part of collaboration, whether in open or closed source. GitHub has documented some of the security consequences of misconfiguring how PRs can trigger actions. But what happens when repo owners don't read the docs? Bar Kaduri and Roi Nisimi walk through their experience in reading docs, finding vulns, demonstrating exploits, and working with repo owners to improve their security. Their work highlights the challenges in maintaining good security guidance, figuring out secure defaults, and how so many orgs still struggle with triaging external security reports -- something that's becoming even more challenging when orgs are being flooded with low-quality reports from LLMs. Segment Resources: https://orca.security/resources/blog/pull-request-nightmare-github-actions-rce/ https://orca.security/resources/blog/pull-request-nightmare-part-2-exploits/ Show Notes: https://securityweekly.com/asw-355

Hey everyone—it's Steve Edwards here, and in this episode of JavaScript Jabber, I'm joined by returning guest Feross Aboukhadijeh, founder of Socket.dev, for a deep dive into the dark and fascinating world of open source supply chain security. From phishing campaigns targeting top NPM maintainers to the now-infamous Chalk library compromise, we unpack the latest wave of JavaScript package attacks and what developers can learn from them.Feross explains how some hackers are even using AI tools like Claude and Gemini as part of their payloads—and how defenders like Socket are fighting back with AI-powered analysis of their own. We also dive into GitHub Actions vulnerabilities, the role of two-factor authentication, and the growing need for “phishing-resistant 2FA.” Whether you're an open source maintainer or just someone who runs npm install a little too often, this episode will open your eyes to how much happens behind the scenes to keep your code safe.

Bret is joined by Philip Andrews and Dan Muret of Cast AI to discuss pod live migration between nodes in a Kubernetes cluster.

Fortra flags a critical flaw in its GoAnywhere Managed File Transfer (MFT) solution. Cisco patches a critical vulnerability in its IOS and IOS XE software. Cloudflare thwarts yet another record DDoS attack. Rhysida ransomware gang claims the Maryland Transit cyberattack. The new “Obscura” ransomware strain spreads via domain controllers. Retailers' use of generative AI expands attack surfaces. Researchers expose GitHub Actions misconfigurations with supply chain risk. Mandiant links the new BRICKSTORM backdoor to a China-based espionage campaign. Kansas students push back against an AI monitoring tool. Ben Yelin speaks with Michele Kellerman, Cybersecurity Engineer for Air and Missile Defense at Johns Hopkins University Applied Physics Lab, discussing Women's health apps and the legal grey zone that they create with HIPAA. Senators push the FTC to regulate your brainwaves. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Ben Yelin, co-host of Caveat, is speaking with Michele Kellerman, Cybersecurity Engineer for Air and Missile Defense at Johns Hopkins University Applied Physics Lab, about Women's health apps and the legal grey zone that they create with HIPAA. If you want to hear the full conversation, check it out on Caveat, here. Selected Reading Critical CVSS 10 Flaw in GoAnywhere File Transfer Threatens 20,000 Systems (HackRead) Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability (Cisco) Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack (Bleeping Computer) Ransomware gang known for government attacks claims Maryland transit incident (The Record) Obscura, an obscure new ransomware variant (Bleeping Computer) Threat Labs Report: Retail 2025 (Netskope) pull_request_nightmare Part 1: Exploiting GitHub Actions for RCE and Supply Chain Attacks (Orca) China-linked hackers use ‘BRICKSTORM' backdoor to steal IP (The Record) AI safety tool sparks student backlash after flagging art as porn, deleting emails (The Washington Post) Senators introduce bill directing FTC to establish standards for protecting consumers' neural data (The Record) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Feross Aboukhadijeh, founder of Socket, joins us to break down the recent wave of NPM supply chain attacks hitting the JavaScript ecosystem, including how attackers used phishing to target developers, snuck malware into popular packages like Prettier and "is", and even abused tools like Claude, Gemini, and TruffleHog. We dig into how GitHub Actions vulnerabilities were exploited, what makes postinstall scripts risky, and and what you can do to protect yourself from future attacks. Links Website: https://feross.org X: https://x.com/feross GitHub: https://github.com/feross LinkedIn: https://www.linkedin.com/in/feross YouTube: https://www.youtube.com/channel/UCHM4OEvQDUq8UszyUrdov-w Resources npm Author Qix Compromised via Phishing Email in Major Supply Chain Attack: https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack Compromised files replace npm packages with a combined 2 billion weekly downloads: https://www.techradar.com/pro/security/compromised-files-replace-npm-packages-with-a-combined-2-billion-weekly-downloads Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware: https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack Chapters 00:00 Intro: NPM supply chain attacks explained 01:10 What is a software supply chain attack? 02:00 NPM phishing campaign: Fake login pages 03:00 Prettier ecosystem compromised 04:00 The “is” package malware incident 05:30 NX package breach (August 27 attack) 06:40 AI-powered supply chain exploit 08:00 GitHub Actions misconfiguration 12:00 Lessons from recent NPM attacks 20:00 How malicious packages get published 25:00 Why install scripts are so risky 30:00 Limitations of banning install scripts 35:00 Open source maintainer challenges 40:00 Smarter approaches to dependency updates 44:00 The future of open source supply chain security 47:00 Closing thoughts and resources We want to hear from you! How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend? Fill out our listener survey (https://t.co/oKVAEXipxu)! Let us know by sending an email to our producer, Em, at emily.kochanek@logrocket.com (mailto:emily.kochanek@logrocket.com), or tweet at us at PodRocketPod (https://twitter.com/PodRocketpod). Follow us. Get free stickers. Follow us on Apple Podcasts, fill out this form (https://podrocket.logrocket.com/get-podrocket-stickers), and we'll send you free PodRocket stickers! What does LogRocket do? LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today. (https://logrocket.com/signup/?pdr) Special Guest: Feross Aboukhadijeh.

Topics covered in this episode: * Mozilla's Lifeline is Safe After Judge's Google Antitrust Ruling* * troml - suggests or fills in trove classifiers for your projects* * pqrs: Command line tool for inspecting Parquet files* * Testing for Python 3.14* Extras Joke Watch on YouTube About the show Sponsored by us! Support our work through: Our courses at Talk Python Training The Complete pytest Course Patreon Supporters Connect with the hosts Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky) Brian: @brianokken@fosstodon.org / @brianokken.bsky.social Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky) Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Michael #1: Mozilla's Lifeline is Safe After Judge's Google Antitrust Ruling A judge lets Google keep paying Mozilla to make Google the default search engine but only if those deals aren't exclusive. More than 85% of Mozilla's revenue comes from Google search payments. The ruling forbids Google from making exclusive contracts for Search, Chrome, Google Assistant, or Gemini, and forces data sharing and search syndication so rivals get a fighting chance. Brian #2: troml - suggests or fills in trove classifiers for your projects Adam Hill This is super cool and so welcome. Trove Classifiers are things like Programming Language :: Python :: 3.14 that allow for some fun stuff to show up in PyPI, like the versions you support, etc. Note that just saying you require 3.9+ doesn't tell the user that you've actually tested stuff on 3.14. I like to keep Trove Classifiers around for this reason. Also, License classifier is deprecated, and if you include it, it shows up in two places, in Meta, and in the Classifiers section. Probably good to only have one place. So I'm going to be removing it from classifiers for my projects. One problem, classifier text has to be an exact match to something in the classifier list, so we usually recommend copy/pasting from that list. But no longer! Just use troml! It just fills it in for you (if you run troml suggest --fix). How totally awesome is that! I tried it on pytest-check, and it was mostly right. It suggested me adding 3.15, which I haven't tested yet, so I'm not ready to add that just yet. :) BTW, I talked with Brett Cannon about classifiers back in ‘23 if you want some more in depth info on trove classifiers. Michael #3: pqrs: Command line tool for inspecting Parquet files pqrs is a command line tool for inspecting Parquet files This is a replacement for the parquet-tools utility written in Rust Built using the Rust implementation of Parquet and Arrow pqrs roughly means "parquet-tools in rust" Why Parquet? Size A 200 MB CSV will usually shrink to somewhere between about 20-100 MB as Parquet depending on the data and compression. Loading a Parquet file is typically several times faster than parsing CSV, often 2x-10x faster for a full-file load and much faster when you only read some columns. Speed Full-file load into pandas: Parquet with pyarrow/fastparquet is usually 2x–10x faster than reading CSV with pandas because CSV parsing is CPU intensive (text tokenizing, dtype inference). Example: if read_csv is 10 seconds, read_parquet might be ~1–5 seconds depending on CPU and codec. Column subset: Parquet is much faster if you only need some columns — often 5x–50x faster because it reads only those column chunks. Predicate pushdown & row groups: When using dataset APIs (pyarrow.dataset) you can push filters to skip row groups, reducing I/O dramatically for selective queries. Memory usage: Parquet avoids temporary string buffers and repeated parsing, so peak memory and temporary allocations are often lower. Brian #4: Testing for Python 3.14 Python 3.14 is just around the corner, with a final release scheduled for October. What's new in Python 3.14 Python 3.14 release schedule Adding 3.14 to your CI tests in GitHub Actions Add “3.14” and optionally “3.14t” for freethreaded Add the line allow-prereleases: true I got stuck on this, and asked folks on Mastdon and Bluesky A couple folks suggested the allow-prereleases: true step. Thank you! Ed Rogers also suggested Hugo's article Free-threaded Python on GitHub Actions, which I had read and forgot about. Thanks Ed! And thanks Hugo! Extras Brian: dj-toml-settings : Load Django settings from a TOML file. - Another cool project from Adam Hill LidAngleSensor for Mac - from Sam Henri Gold, with examples of creaky door and theramin Listener Bryan Weber found a Python version via Changelog, pybooklid, from tcsenpai Grab PyBay Michael: Ready prek go! by Hugo van Kemenade Joke: Console Devs Can't Find a Date

Katia, Emmanuel et Guillaume discutent Java, Kotlin, Quarkus, Hibernate, Spring Boot 4, intelligence artificielle (modèles Nano Banana, VO3, frameworks agentiques, embedding). On discute les vulnerabilités OWASP pour les LLMs, les personalités de codage des différents modèles, Podman vs Docker, comment moderniser des projets legacy. Mais surtout on a passé du temps sur les présentations de Luc Julia et les différents contre points qui ont fait le buzz sur les réseaux. Enregistré le 12 septembre 2025 Téléchargement de l'épisode LesCastCodeurs-Episode-330.mp3 ou en vidéo sur YouTube. News Langages Dans cette vidéo, José détaille les nouveautés de Java entre Java 21 et 25 https://inside.java/2025/08/31/roadto25-java-language/ Aperçu des nouveautés du JDK 25 : Introduction des nouvelles fonctionnalités du langage Java et des changements à venir [00:02]. Programmation orientée données et Pattern Matching [00:43] : Évolution du “pattern matching” pour la déconstruction des “records” [01:22]. Utilisation des “sealed types” dans les expressions switch pour améliorer la lisibilité et la robustesse du code [01:47]. Introduction des “unnamed patterns” (_) pour indiquer qu'une variable n'est pas utilisée [04:47]. Support des types primitifs dans instanceof et switch (en preview) [14:02]. Conception d'applications Java [00:52] : Simplification de la méthode main [21:31]. Exécution directe des fichiers .java sans compilation explicite [22:46]. Amélioration des mécanismes d'importation [23:41]. Utilisation de la syntaxe Markdown dans la Javadoc [27:46]. Immuabilité et valeurs nulles [01:08] : Problème d'observation de champs final à null pendant la construction d'un objet [28:44]. JEP 513 pour contrôler l'appel à super() et restreindre l'usage de this dans les constructeurs [33:29]. JDK 25 sort le 16 septembre https://openjdk.org/projects/jdk/25/ Scoped Values (JEP 505) - alternative plus efficace aux ThreadLocal pour partager des données immutables entre threads Structured Concurrency (JEP 506) - traiter des groupes de tâches concurrentes comme une seule unité de travail, simplifiant la gestion des threads Compact Object Headers (JEP 519) - Fonctionnalité finale qui réduit de 50% la taille des en-têtes d'objets (de 128 à 64 bits), économisant jusqu'à 22% de mémoire heap Flexible Constructor Bodies (JEP 513) - Relaxation des restrictions sur les constructeurs, permettant du code avant l'appel super() ou this() Module Import Declarations (JEP 511) - Import simplifié permettant d'importer tous les éléments publics d'un module en une seule déclaration Compact Source Files (JEP 512) - Simplification des programmes Java basiques avec des méthodes main d'instance sans classe wrapper obligatoire Primitive Types in Patterns (JEP 455) - Troisième preview étendant le pattern matching et instanceof aux types primitifs dans switch et instanceof Generational Shenandoah (JEP 521) - Le garbage collector Shenandoah passe en mode générationnel pour de meilleures performances JFR Method Timing & Tracing (JEP 520) - Nouvel outillage de profilage pour mesurer le temps d'exécution et tracer les appels de méthodes Key Derivation API (JEP 510) - API finale pour les fonctions de dérivation de clés cryptographiques, remplaçant les implémentations tierces Améliorations du traitement des annotations dans Kotlin 2.2 https://blog.jetbrains.com/idea/2025/09/improved-annotation-handling-in-kotlin-2-2-less-boilerplate-fewer-surprises/ Avant Kotlin 2.2, les annotations sur les paramètres de constructeur n'étaient appliquées qu'au paramètre, pas à la propriété ou au champ Cela causait des bugs subtils avec Spring et JPA où la validation ne fonctionnait qu'à la création d'objet, pas lors des mises à jour La solution précédente nécessitait d'utiliser explicitement @field: pour chaque annotation, créant du code verbeux Kotlin 2.2 introduit un nouveau comportement par défaut qui applique les annotations aux paramètres ET aux propriétés/champs automatiquement Le code devient plus propre sans avoir besoin de syntaxe @field: répétitive Pour l'activer, ajouter -Xannotation-default-target=param-property dans les options du compilateur Gradle IntelliJ IDEA propose un quick-fix pour activer ce comportement à l'échelle du projet Cette amélioration rend l'intégration Kotlin plus fluide avec les frameworks majeurs comme Spring et JPA Le comportement peut être configuré pour garder l'ancien mode ou activer un mode transitoire avec avertissements Cette mise à jour fait partie d'une initiative plus large pour améliorer l'expérience Kotlin + Spring Librairies Sortie de Quarkus 3.26 avec mises à jour d'Hibernate et autres fonctionnalités - https://quarkus.io/blog/quarkus-3-26-released/ mettez à jour vers la 3.26.x car il y a eu une regression vert.x Jalon important vers la version LTS 3.27 prévue fin septembre, basée sur cette version Mise à jour vers Hibernate ORM 7.1, Hibernate Search 8.1 et Hibernate Reactive 3.1 Support des unités de persistance nommées et sources de données dans Hibernate Reactive Démarrage hors ligne et configuration de dialecte pour Hibernate ORM même si la base n'est pas accessible Refonte de la console HQL dans Dev UI avec fonctionnalité Hibernate Assistant intégrée Exposition des capacités Dev UI comme fonctions MCP pour pilotage via outils IA Rafraîchissement automatique des tokens OIDC en cas de réponse 401 des clients REST Extension JFR pour capturer les données runtime (nom app, version, extensions actives) Bump de Gradle vers la version 9.0 par défaut, suppression du support des classes config legacy Guide de démarrage avec Quarkus et A2A Java SDK 0.3.0 (pour faire discuter des agents IA avec la dernière version du protocole A2A) https://quarkus.io/blog/quarkus-a2a-java-0-3-0-alpha-release/ Sortie de l'A2A Java SDK 0.3.0.Alpha1, aligné avec la spécification A2A v0.3.0. Protocole A2A : standard ouvert (Linux Foundation), permet la communication inter-agents IA polyglottes. Version 0.3.0 plus stable, introduit le support gRPC. Mises à jour générales : changements significatifs, expérience utilisateur améliorée (côté client et serveur). Agents serveur A2A : Support gRPC ajouté (en plus de JSON-RPC). HTTP+JSON/REST à venir. Implémentations basées sur Quarkus (alternatives Jakarta existent). Dépendances spécifiques pour chaque transport (ex: a2a-java-sdk-reference-jsonrpc, a2a-java-sdk-reference-grpc). AgentCard : décrit les capacités de l'agent. Doit spécifier le point d'accès primaire et tous les transports supportés (additionalInterfaces). Clients A2A : Dépendance principale : a2a-java-sdk-client. Support gRPC ajouté (en plus de JSON-RPC). HTTP+JSON/REST à venir. Dépendance spécifique pour gRPC : a2a-java-sdk-client-transport-grpc. Création de client : via ClientBuilder. Sélectionne automatiquement le transport selon l'AgentCard et la configuration client. Permet de spécifier les transports supportés par le client (withTransport). Comment générer et éditer des images en Java avec Nano Banana, le “photoshop killer” de Google https://glaforge.dev/posts/2025/09/09/calling-nano-banana-from-java/ Objectif : Intégrer le modèle Nano Banana (Gemini 2.5 Flash Image preview) dans des applications Java. SDK utilisé : GenAI Java SDK de Google. Compatibilité : Supporté par ADK for Java ; pas encore par LangChain4j (limitation de multimodalité de sortie). Capacités de Nano Banana : Créer de nouvelles images. Modifier des images existantes. Assembler plusieurs images. Mise en œuvre Java : Quelle dépendance utiliser Comment s'authentifier Comment configurer le modèle Nature du modèle : Nano Banana est un modèle de chat qui peut retourner du texte et une image (pas simplement juste un modèle générateur d'image) Exemples d'utilisation : Création : Via un simple prompt textuel. Modification : En passant l'image existante (tableau de bytes) et les instructions de modification (prompt). Assemblage : En passant plusieurs images (en bytes) et les instructions d'intégration (prompt). Message clé : Toutes ces fonctionnalités sont accessibles en Java, sans nécessiter Python. Générer des vidéos IA avec le modèle Veo 3, mais en Java ! https://glaforge.dev/posts/2025/09/10/generating-videos-in-java-with-veo3/ Génération de vidéos en Java avec Veo 3 (via le GenAI Java SDK de Google). Veo 3: Annoncé comme GA, prix réduits, support du format 9:16, résolution jusqu'à 1080p. Création de vidéos : À partir d'une invite textuelle (prompt). À partir d'une image existante. Deux versions différentes du modèle : veo-3.0-generate-001 (qualité supérieure, plus coûteux, plus lent). veo-3.0-fast-generate-001 (qualité inférieure, moins coûteux, mais plus rapide). Rod Johnson sur ecrire des aplication agentic en Java plus facilement qu'en python avec Embabel https://medium.com/@springrod/you-can-build-better-ai-agents-in-java-than-python-868eaf008493 Rod the papa de Spring réécrit un exemple CrewAI (Python) qui génère un livre en utilisant Embabel (Java) pour démontrer la supériorité de Java L'application utilise plusieurs agents AI spécialisés : un chercheur, un planificateur de livre et des rédacteurs de chapitres Le processus suit trois étapes : recherche du sujet, création du plan, rédaction parallèle des chapitres puis assemblage CrewAI souffre de plusieurs problèmes : configuration lourde, manque de type safety, utilisation de clés magiques dans les prompts La version Embabel nécessite moins de code Java que l'original Python et moins de fichiers de configuration YAML Embabel apporte la type safety complète, éliminant les erreurs de frappe dans les prompts et améliorant l'outillage IDE La gestion de la concurrence est mieux contrôlée en Java pour éviter les limites de débit des APIs LLM L'intégration avec Spring permet une configuration externe simple des modèles LLM et hyperparamètres Le planificateur Embabel détermine automatiquement l'ordre d'exécution des actions basé sur leurs types requis L'argument principal : l'écosystème JVM offre un meilleur modèle de programmation et accès à la logique métier existante que Python Il y a pas mal de nouveaux framework agentic en Java, notamment le dernier LAngchain4j Agentic Spring lance un serie de blog posts sur les nouveautés de Spring Boot 4 https://spring.io/blog/2025/09/02/road_to_ga_introduction baseline JDK 17 mais rebase sur Jakarta 11 Kotlin 2, Jackson 3 et JUnit 6 Fonctionnalités de résilience principales de Spring : @ConcurrencyLimit, @Retryable, RetryTemplate Versioning d'API dans Spring Améliorations du client de service HTTP L'état des clients HTTP dans Spring Introduction du support Jackson 3 dans Spring Consommateur partagé - les queues Kafka dans Spring Kafka Modularisation de Spring Boot Autorisation progressive dans Spring Security Spring gRPC - un nouveau module Spring Boot Applications null-safe avec Spring Boot 4 OpenTelemetry avec Spring Boot Repos Ahead of Time (Partie 2) Web Faire de la recherche sémantique directement dans le navigateur en local, avec EmbeddingGemma et Transformers.js https://glaforge.dev/posts/2025/09/08/in-browser-semantic-search-with-embeddinggemma/ EmbeddingGemma: Nouveau modèle d'embedding (308M paramètres) de Google DeepMind. Objectif: Permettre la recherche sémantique directement dans le navigateur. Avantages clés de l'IA côté client: Confidentialité: Aucune donnée envoyée à un serveur. Coûts réduits: Pas besoin de serveurs coûteux (GPU), hébergement statique. Faible latence: Traitement instantané sans allers-retours réseau. Fonctionnement hors ligne: Possible après le chargement initial du modèle. Technologie principale: Modèle: EmbeddingGemma (petit, performant, multilingue, support MRL pour réduire la taille des vecteurs). Moteur d'inférence: Transformers.js de HuggingFace (exécute les modèles AI en JavaScript dans le navigateur). Déploiement: Site statique avec Vite/React/Tailwind CSS, déployé sur Firebase Hosting via GitHub Actions. Gestion du modèle: Fichiers du modèle trop lourds pour Git; téléchargés depuis HuggingFace Hub pendant le CI/CD. Fonctionnement de l'app: Charge le modèle, génère des embeddings pour requêtes/documents, calcule la similarité sémantique. Conclusion: Démonstration d'une recherche sémantique privée, économique et sans serveur, soulignant le potentiel de l'IA embarquée dans le navigateur. Data et Intelligence Artificielle Docker lance Cagent, une sorte de framework multi-agent IA utilisant des LLMs externes, des modèles de Docker Model Runner, avec le Docker MCP Tookit. Il propose un format YAML pour décrire les agents d'un système multi-agents. https://github.com/docker/cagent des agents “prompt driven” (pas de code) et une structure pour decrire comment ils sont deployés pas clair comment ils sont appelés a part dans la ligne de commande de cagent fait par david gageot L'owasp décrit l'independance excessive des LLM comme une vulnerabilité https://genai.owasp.org/llmrisk2023-24/llm08-excessive-agency/ L'agence excessive désigne la vulnérabilité qui permet aux systèmes LLM d'effectuer des actions dommageables via des sorties inattendues ou ambiguës. Elle résulte de trois causes principales : fonctionnalités excessives, permissions excessives ou autonomie excessive des agents LLM. Les fonctionnalités excessives incluent l'accès à des plugins qui offrent plus de capacités que nécessaire, comme un plugin de lecture qui peut aussi modifier ou supprimer. Les permissions excessives se manifestent quand un plugin accède aux systèmes avec des droits trop élevés, par exemple un accès en lecture qui inclut aussi l'écriture. L'autonomie excessive survient quand le système effectue des actions critiques sans validation humaine préalable. Un scénario d'attaque typique : un assistant personnel avec accès email peut être manipulé par injection de prompt pour envoyer du spam via la boîte de l'utilisateur. La prévention implique de limiter strictement les plugins aux fonctions minimales nécessaires pour l'opération prévue. Il faut éviter les fonctions ouvertes comme “exécuter une commande shell” au profit d'outils plus granulaires et spécifiques. L'application du principe de moindre privilège est cruciale : chaque plugin doit avoir uniquement les permissions minimales requises. Le contrôle humain dans la boucle reste essentiel pour valider les actions à fort impact avant leur exécution. Lancement du MCP registry, une sorte de méta-annuaire officiel pour référencer les serveurs MCP https://www.marktechpost.com/2025/09/09/mcp-team-launches-the-preview-version-of-the-mcp-registry-a-federated-discovery-layer-for-enterprise-ai/ MCP Registry : Couche de découverte fédérée pour l'IA d'entreprise. Fonctionne comme le DNS pour le contexte de l'IA, permettant la découverte de serveurs MCP publics ou privés. Modèle fédéré : Évite les risques de sécurité et de conformité d'un registre monolithique. Permet des sous-registres privés tout en conservant une source de vérité “upstream”. Avantages entreprises : Découverte interne sécurisée. Gouvernance centralisée des serveurs externes. Réduction de la prolifération des contextes. Support pour les agents IA hybrides (données privées/publiques). Projet open source, actuellement en version preview. Blog post officiel : https://blog.modelcontextprotocol.io/posts/2025-09-08-mcp-registry-preview/ Exploration des internals du transaction log SQL Server https://debezium.io/blog/2025/09/08/sqlserver-tx-log/ C'est un article pour les rugeux qui veulent savoir comment SQLServer marche à l'interieur Debezium utilise actuellement les change tables de SQL Server CDC en polling périodique L'article explore la possibilité de parser directement le transaction log pour améliorer les performances Le transaction log est divisé en Virtual Log Files (VLFs) utilisés de manière circulaire Chaque VLF contient des blocs (512B à 60KB) qui contiennent les records de transactions Chaque record a un Log Sequence Number (LSN) unique pour l'identifier précisément Les données sont stockées dans des pages de 8KB avec header de 96 bytes et offset array Les tables sont organisées en partitions et allocation units pour gérer l'espace disque L'utilitaire DBCC permet d'explorer la structure interne des pages et leur contenu Cette compréhension pose les bases pour parser programmatiquement le transaction log dans un prochain article Outillage Les personalités des codeurs des différents LLMs https://www.sonarsource.com/blog/the-coding-personalities-of-leading-llms-gpt-5-update/ GPT-5 minimal ne détrône pas Claude Sonnet 4 comme leader en performance fonctionnelle malgré ses 75% de réussite GPT-5 génère un code extrêmement verbeux avec 490 000 lignes contre 370 000 pour Claude Sonnet 4 sur les mêmes tâches La complexité cyclomatique et cognitive du code GPT-5 est dramatiquement plus élevée que tous les autres modèles GPT-5 introduit 3,90 problèmes par tâche réussie contre seulement 2,11 pour Claude Sonnet 4 Point fort de GPT-5 : sécurité exceptionnelle avec seulement 0,12 vulnérabilité par 1000 lignes de code Faiblesse majeure : densité très élevée de “code smells” (25,28 par 1000 lignes) nuisant à la maintenabilité GPT-5 produit 12% de problèmes liés à la complexité cognitive, le taux le plus élevé de tous les modèles Tendance aux erreurs logiques fondamentales avec 24% de bugs de type “Control-flow mistake” Réapparition de vulnérabilités classiques comme les failles d'injection et de traversée de chemin Nécessité d'une gouvernance renforcée avec analyse statique obligatoire pour gérer la complexité du code généré Pourquoi j'ai abandonné Docker pour Podman https://codesmash.dev/why-i-ditched-docker-for-podman-and-you-should-too Problème Docker : Le daemon dockerd persistant s'exécute avec des privilèges root, posant des risques de sécurité (nombreuses CVEs citées) et consommant des ressources inutilement. Solution Podman : Sans Daemon : Pas de processus d'arrière-plan persistant. Les conteneurs s'exécutent comme des processus enfants de la commande Podman, sous les privilèges de l'utilisateur. Sécurité Renforcée : Réduction de la surface d'attaque. Une évasion de conteneur compromet un utilisateur non privilégié sur l'hôte, pas le système entier. Mode rootless. Fiabilité Accrue : Pas de point de défaillance unique ; le crash d'un conteneur n'affecte pas les autres. Moins de Ressources : Pas de daemon constamment actif, donc moins de mémoire et de CPU. Fonctionnalités Clés de Podman : Intégration Systemd : Génération automatique de fichiers d'unité systemd pour gérer les conteneurs comme des services Linux standards. Alignement Kubernetes : Support natif des pods et capacité à générer des fichiers Kubernetes YAML directement (podman generate kube), facilitant le développement local pour K8s. Philosophie Unix : Se concentre sur l'exécution des conteneurs, délègue les tâches spécialisées à des outils dédiés (ex: Buildah pour la construction d'images, Skopeo pour leur gestion). Migration Facile : CLI compatible Docker : podman utilise les mêmes commandes que docker (alias docker=podman fonctionne). Les Dockerfiles existants sont directement utilisables. Améliorations incluses : Sécurité par défaut (ports privilégiés en mode rootless), meilleure gestion des permissions de volume, API Docker compatible optionnelle. Option de convertir Docker Compose en Kubernetes YAML. Bénéfices en Production : Sécurité améliorée, utilisation plus propre des ressources. Podman représente une évolution plus sécurisée et mieux alignée avec les pratiques modernes de gestion Linux et de déploiement de conteneurs. Guide Pratique (Exemple FastAPI) : Le Dockerfile ne change pas. podman build et podman run remplacent directement les commandes Docker. Déploiement en production via Systemd. Gestion d'applications multi-services avec les “pods” Podman. Compatibilité Docker Compose via podman-compose ou kompose. Détection améliorée des APIs vulnérables dans les IDEs JetBrains et Qodana - https://blog.jetbrains.com/idea/2025/09/enhanced-vulnerable-api-detection-in-jetbrains-ides-and-qodana/ JetBrains s'associe avec Mend.io pour renforcer la sécurité du code dans leurs outils Le plugin Package Checker bénéficie de nouvelles données enrichies sur les APIs vulnérables Analyse des graphes d'appels pour couvrir plus de méthodes publiques des bibliothèques open-source Support de Java, Kotlin, C#, JavaScript, TypeScript et Python pour la détection de vulnérabilités Activation des inspections via Paramètres > Editor > Inspections en recherchant “Vulnerable API” Surlignage automatique des méthodes vulnérables avec détails des failles au survol Action contextuelle pour naviguer directement vers la déclaration de dépendance problématique Mise à jour automatique vers une version non affectée via Alt+Enter sur la dépendance Fenêtre dédiée “Vulnerable Dependencies” pour voir l'état global des vulnérabilités du projet Méthodologies Le retour de du sondage de Stack Overflow sur l'usage de l'IA dans le code https://medium.com/@amareshadak/stack-overflow-just-exposed-the-ugly-truth-about-ai-coding-tools-b4f7b5992191 84% des développeurs utilisent l'IA quotidiennement, mais 46% ne font pas confiance aux résultats. Seulement 3,1% font “hautement confiance” au code généré. 66% sont frustrés par les solutions IA “presque correctes”. 45% disent que déboguer le code IA prend plus de temps que l'écrire soi-même. Les développeurs seniors (10+ ans) font moins confiance à l'IA (2,6%) que les débutants (6,1%), créant un écart de connaissances dangereux. Les pays occidentaux montrent moins de confiance - Allemagne (22%), UK (23%), USA (28%) - que l'Inde (56%). Les créateurs d'outils IA leur font moins confiance. 77% des développeurs professionnels rejettent la programmation en langage naturel, seuls 12% l'utilisent réellement. Quand l'IA échoue, 75% se tournent vers les humains. 35% des visites Stack Overflow concernent maintenant des problèmes liés à l'IA. 69% rapportent des gains de productivité personnels, mais seulement 17% voient une amélioration de la collaboration d'équipe. Coûts cachés : temps de vérification, explication du code IA aux équipes, refactorisation et charge cognitive constante. Les plateformes humaines dominent encore : Stack Overflow (84%), GitHub (67%), YouTube (61%) pour résoudre les problèmes IA. L'avenir suggère un “développement augmenté” où l'IA devient un outil parmi d'autres, nécessitant transparence et gestion de l'incertitude. Mentorat open source et défis communautaires par les gens de Microcks https://microcks.io/blog/beyond-code-open-source-mentorship/ Microcks souffre du syndrome des “utilisateurs silencieux” qui bénéficient du projet sans contribuer Malgré des milliers de téléchargements et une adoption croissante, l'engagement communautaire reste faible Ce manque d'interaction crée des défis de durabilité et limite l'innovation du projet Les mainteneurs développent dans le vide sans feedback des vrais utilisateurs Contribuer ne nécessite pas de coder : documentation, partage d'expérience, signalement de bugs suffisent Parler du project qu'on aime autour de soi est aussi super utile Microcks a aussi des questions specifiques qu'ils ont posé dans le blog, donc si vous l'utilisez, aller voir Le succès de l'open source dépend de la transformation des utilisateurs en véritables partenaires communautaires c'est un point assez commun je trouve, le ratio parlant / silencieux est tres petit et cela encourage les quelques grandes gueules La modernisation du systemes legacy, c'est pas que de la tech https://blog.scottlogic.com/2025/08/27/holistic-approach-successful-legacy-modernisation.html Un artcile qui prend du recul sur la modernisation de systemes legacy Les projets de modernisation legacy nécessitent une vision holistique au-delà du simple focus technologique Les drivers business diffèrent des projets greenfield : réduction des coûts et mitigation des risques plutôt que génération de revenus L'état actuel est plus complexe à cartographier avec de nombreuses dépendances et risques de rupture Collaboration essentielle entre Architectes, Analystes Business et Designers UX dès la phase de découverte Approche tridimensionnelle obligatoire : Personnes, Processus et Technologie (comme un jeu d'échecs 3D) Le leadership doit créer l'espace nécessaire pour la découverte et la planification plutôt que presser l'équipe Communication en termes business plutôt que techniques vers tous les niveaux de l'organisation Planification préalable essentielle contrairement aux idées reçues sur l'agilité Séquencement optimal souvent non-évident et nécessitant une analyse approfondie des interdépendances Phases projet alignées sur les résultats business permettent l'agilité au sein de chaque phase Sécurité Cyber Attaque su Musée Histoire Naturelle https://www.franceinfo.fr/internet/securite-sur-internet/cyberattaques/le-museum-nati[…]e-d-une-cyberattaque-severe-une-plainte-deposee_7430356.html Compromission massive de packages npm populaires par un malware crypto https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised 18 packages npm très populaires compromis le 8 septembre 2025, incluant chalk, debug, ansi-styles avec plus de 2 milliards de téléchargements hebdomadaires combinés duckdb s'est rajouté à la liste Code malveillant injecté qui intercepte silencieusement l'activité crypto et web3 dans les navigateurs des utilisateurs Le malware manipule les interactions de wallet et redirige les paiements vers des comptes contrôlés par l'attaquant sans signes évidents Injection dans les fonctions critiques comme fetch, XMLHttpRequest et APIs de wallets (window.ethereum, Solana) pour intercepter le trafic Détection et remplacement automatique des adresses crypto sur multiple blockchains (Ethereum, Bitcoin, Solana, Tron, Litecoin, Bitcoin Cash) Les transactions sont modifiées en arrière-plan même si l'interface utilisateur semble correcte et légitime Utilise des adresses “sosies” via correspondance de chaînes pour rendre les échanges moins évidents à détecter Le mainteneur compromis par email de phishing provenant du faux domaine “mailto:support@npmjs.help|support@npmjs.help” enregistré 3 jours avant l'attaque sur une demande de mise a jour de son autheotnfication a deux facteurs après un an Aikido a alerté le mainteneur via Bluesky qui a confirmé la compromission et commencé le nettoyage des packages Attaque sophistiquée opérant à plusieurs niveaux: contenu web, appels API et manipulation des signatures de transactions Les anti-cheats de jeux vidéo : une faille de sécurité majeure ? - https://tferdinand.net/jeux-video-et-si-votre-anti-cheat-etait-la-plus-grosse-faille/ Les anti-cheats modernes s'installent au Ring 0 (noyau système) avec privilèges maximaux Ils obtiennent le même niveau d'accès que les antivirus professionnels mais sans audit ni certification Certains exploitent Secure Boot pour se charger avant le système d'exploitation Risque de supply chain : le groupe APT41 a déjà compromis des jeux comme League of Legends Un attaquant infiltré pourrait désactiver les solutions de sécurité et rester invisible Menace de stabilité : une erreur peut empêcher le démarrage du système (référence CrowdStrike) Conflits possibles entre différents anti-cheats qui se bloquent mutuellement Surveillance en temps réel des données d'utilisation sous prétexte anti-triche Dérive dangereuse selon l'auteur : des entreprises de jeux accèdent au niveau EDR Alternatives limitées : cloud gaming ou sandboxing avec impact sur performances donc faites gaffe aux jeux que vos gamins installent ! Loi, société et organisation Luc Julia au Sénat - Monsieur Phi réagi et publie la vidéo Luc Julia au Sénat : autopsie d'un grand N'IMPORTE QUOI https://www.youtube.com/watch?v=e5kDHL-nnh4 En format podcast de 20 minutes, sorti au même moment et à propos de sa conf à Devoxx https://www.youtube.com/watch?v=Q0gvaIZz1dM Le lab IA - Jérôme Fortias - Et si Luc Julia avait raison https://www.youtube.com/watch?v=KScI5PkCIaE Luc Julia au Senat https://www.youtube.com/watch?v=UjBZaKcTeIY Luc Julia se défend https://www.youtube.com/watch?v=DZmxa7jJ8sI Intelligence artificielle : catastrophe imminente ? - Luc Julia vs Maxime Fournes https://www.youtube.com/watch?v=sCNqGt7yIjo Tech and Co Monsieur Phi vs Luc Julia (put a click) https://www.youtube.com/watch?v=xKeFsOceT44 La tronche en biais https://www.youtube.com/live/zFwLAOgY0Wc Conférences La liste des conférences provenant de Developers Conferences Agenda/List par Aurélie Vache et contributeurs : 12 septembre 2025 : Agile Pays Basque 2025 - Bidart (France) 15 septembre 2025 : Agile Tour Montpellier - Montpellier (France) 18-19 septembre 2025 : API Platform Conference - Lille (France) & Online 22-24 septembre 2025 : Kernel Recipes - Paris (France) 22-27 septembre 2025 : La Mélée Numérique - Toulouse (France) 23 septembre 2025 : OWASP AppSec France 2025 - Paris (France) 23-24 septembre 2025 : AI Engineer Paris - Paris (France) 25 septembre 2025 : Agile Game Toulouse - Toulouse (France) 25-26 septembre 2025 : Paris Web 2025 - Paris (France) 30 septembre 2025-1 octobre 2025 : PyData Paris 2025 - Paris (France) 2 octobre 2025 : Nantes Craft - Nantes (France) 2-3 octobre 2025 : Volcamp - Clermont-Ferrand (France) 3 octobre 2025 : DevFest Perros-Guirec 2025 - Perros-Guirec (France) 6-7 octobre 2025 : Swift Connection 2025 - Paris (France) 6-10 octobre 2025 : Devoxx Belgium - Antwerp (Belgium) 7 octobre 2025 : BSides Mulhouse - Mulhouse (France) 7-8 octobre 2025 : Agile en Seine - Issy-les-Moulineaux (France) 8-10 octobre 2025 : SIG 2025 - Paris (France) & Online 9 octobre 2025 : DevCon #25 : informatique quantique - Paris (France) 9-10 octobre 2025 : Forum PHP 2025 - Marne-la-Vallée (France) 9-10 octobre 2025 : EuroRust 2025 - Paris (France) 16 octobre 2025 : PlatformCon25 Live Day Paris - Paris (France) 16 octobre 2025 : Power 365 - 2025 - Lille (France) 16-17 octobre 2025 : DevFest Nantes - Nantes (France) 17 octobre 2025 : Sylius Con 2025 - Lyon (France) 17 octobre 2025 : ScalaIO 2025 - Paris (France) 17-19 octobre 2025 : OpenInfra Summit Europe - Paris (France) 20 octobre 2025 : Codeurs en Seine - Rouen (France) 23 octobre 2025 : Cloud Nord - Lille (France) 30-31 octobre 2025 : Agile Tour Bordeaux 2025 - Bordeaux (France) 30-31 octobre 2025 : Agile Tour Nantais 2025 - Nantes (France) 30 octobre 2025-2 novembre 2025 : PyConFR 2025 - Lyon (France) 4-7 novembre 2025 : NewCrafts 2025 - Paris (France) 5-6 novembre 2025 : Tech Show Paris - Paris (France) 5-6 novembre 2025 : Red Hat Summit: Connect Paris 2025 - Paris (France) 6 novembre 2025 : dotAI 2025 - Paris (France) 6 novembre 2025 : Agile Tour Aix-Marseille 2025 - Gardanne (France) 7 novembre 2025 : BDX I/O - Bordeaux (France) 12-14 novembre 2025 : Devoxx Morocco - Marrakech (Morocco) 13 novembre 2025 : DevFest Toulouse - Toulouse (France) 15-16 novembre 2025 : Capitole du Libre - Toulouse (France) 19 novembre 2025 : SREday Paris 2025 Q4 - Paris (France) 19-21 novembre 2025 : Agile Grenoble - Grenoble (France) 20 novembre 2025 : OVHcloud Summit - Paris (France) 21 novembre 2025 : DevFest Paris 2025 - Paris (France) 27 novembre 2025 : DevFest Strasbourg 2025 - Strasbourg (France) 28 novembre 2025 : DevFest Lyon - Lyon (France) 1-2 décembre 2025 : Tech Rocks Summit 2025 - Paris (France) 4-5 décembre 2025 : Agile Tour Rennes - Rennes (France) 5 décembre 2025 : DevFest Dijon 2025 - Dijon (France) 9-11 décembre 2025 : APIdays Paris - Paris (France) 9-11 décembre 2025 : Green IO Paris - Paris (France) 10-11 décembre 2025 : Devops REX - Paris (France) 10-11 décembre 2025 : Open Source Experience - Paris (France) 11 décembre 2025 : Normandie.ai 2025 - Rouen (France) 14-17 janvier 2026 : SnowCamp 2026 - Grenoble (France) 2-6 février 2026 : Web Days Convention - Aix-en-Provence (France) 3 février 2026 : Cloud Native Days France 2026 - Paris (France) 12-13 février 2026 : Touraine Tech #26 - Tours (France) 22-24 avril 2026 : Devoxx France 2026 - Paris (France) 23-25 avril 2026 : Devoxx Greece - Athens (Greece) 17 juin 2026 : Devoxx Poland - Krakow (Poland) 4 septembre 2026 : JUG SUmmer Camp 2026 - La Rochelle (France) Nous contacter Pour réagir à cet épisode, venez discuter sur le groupe Google https://groups.google.com/group/lescastcodeurs Contactez-nous via X/twitter https://twitter.com/lescastcodeurs ou Bluesky https://bsky.app/profile/lescastcodeurs.com Faire un crowdcast ou une crowdquestion Soutenez Les Cast Codeurs sur Patreon https://www.patreon.com/LesCastCodeurs Tous les épisodes et toutes les infos sur https://lescastcodeurs.com/

Разбираем Thoughtworks Technology Radar Vol.32: где Adopt/Trial/Hold и что реально полезно DevOps-командам в 2025. AI-ассистенты (Cursor, QCLI, Claude), Observability (OpenTelemetry, Alloy/Loki), безопасность (SBOM) и практичные инструменты. О ЧЁМ ВЫПУСК • Как читать Tech Radar и зачем он инженерам/архитекторам. • AI-ассистенты для кодинга: опыт Copilot, Cursor, QCLI (Claude Sonnet), цены и риски. • Observability сейчас: OpenTelemetry, Grafana Alloy, Loki v3, зачем это бизнесу. • Безопасность: почему SBOM в Adopt и как это помогает на проектах. • Архитектурные решения без бюрократии: ADR, ответственность команд. • Инструменты из «Тулов»: UV (Python), Renovate, Vite, D2/JSON Crack, и где они заходят. ССЫЛКИ

Microsoft MVP Emanuel Palm joins The PowerShell Podcast to share his journey from managing printers in Sweden to being a Microsoft MVP who is automating the cloud with PowerShell and Azure. He talks about building the AZAuth module for OAuth authentication, using GitHub Actions for CI/CD, and the importance of blogging and community involvement. Plus, Emanuel reveals his unique side hobby... roasting coffee!   Key Takeaways From printers to the cloud: Emanuel's career shows how PowerShell can open doors, from automating IT tasks to driving cloud automation and DevOps practices. Community and sharing matter: Blogging, presenting, and contributing help you grow your own understanding while creating opportunities for others. Automation and authentication: With tools like GitHub Actions and his AZAuth module, Emanuel demonstrates how to simplify workflows and securely interact with APIs. Guest Bio Emanuel Palm is a Microsoft MVP based in Sweden, where he is a consultant focused on Microsoft technologies and is active in the PowerShell community. Emanuel is the creator of the AZAuth module, a lightweight solution for handling OAuth authentication in PowerShell, and a frequent speaker at events like PowerShell Conference Europe. Beyond tech, Emanuel is a coffee enthusiast who even roasts his own beans as a side hobby.   Resource Links Emanuel's Blog: https://pipe.how GitHub – Emanuel Palm: https://github.com/palmemanuel X / BlueSky: @palmemanuel AZAuth Module on GitHub: https://github.com/PalmEmanuel/AzAuth Emanuel's PS Wednesday: https://www.youtube.com/watch?v=trP2LLDynA0 Arkanum Coffee (Emanuel's hobby project): https://arkanum.coffee PDQ Discord: https://discord.gg/pdq Connect with Andrew: https://andrewpla.tech/links The PowerShell Podcast on YouTube: https://youtu.be/-uHHGVH1Kcc The PowerShell Podcast hub: https://pdq.com/the-powershell-podcast 

Bret discusses exciting news about Swarm being maintained until 2030.

Bret and Nirmal are joined by Michael Irwin to discuss Docker's comprehensive AI toolkit, covering everything from local model deployment to cloud-based container orchestration across multiple interconnected tools and services.

Episode Summary:AWS Morning Brief for the week of August 11th, 2025, with Corey Quinn.Links: AWS Cloud Visibility Best PracticesThis Ars articleAWS European Sovereign Cloud to be operated by EU citizensAmazon killing a user's accountMountpoint for Amazon S3 CSI driver v2: Accelerated performance and improved resource usage for Kubernetes workloadsStreamlining outbound emails with Amazon SES Mail ManagerAWS Lambda now supports GitHub Actions to simplify function deploymentAnthropic's Claude Opus 4.1 now in Amazon BedrockAmazon CloudWatch introduces organization-wide VPC flow logs enablementUnderstanding and Remediating Cold Starts: An AWS Lambda PerspectiveAmazon SQS increases maximum message payload size to 1 MiBOpenAI open weight models now available on AWS Best practices for analyzing AWS Config recording frequenciesAmazon EKS adds safety control to prevent accidental cluster deletionAWS Console Mobile App now offers access to AWS SupportAmazon EC2 now supports force terminate for EC2 instances Amazon DynamoDB adds support for Console-to-CodeUsing generative AI for building AWS networksSimplify network connectivity using Tailscale with Amazon EKS Hybrid NodesCost tracking multi-tenant model inference on Amazon Bedrock

In this high-energy episode, returning guests Gilbert Sanchez and Jake Hildreth join Andrew for a deep dive into: Module templating with PSStucco Building for accessibility in PowerShell Creating open source GitHub orgs like PSInclusive How PowerShell can lead to learning modern dev workflows like GitHub Actions and CI/CD What begins with a conversation about a live demo gone hilariously sideways turns into an insightful exploration of how PowerShell acts as a launchpad into bigger ecosystems like GitHub, YAML, JSON, and continuous integration pipelines.Bios &   Bios: Gilbert Sanchez is a Staff Software Development Engineer at Tesla, specifically working on PowerShell. Formerly known as "Señor Systems Engineer" at Meta. A loud advocate for DEI, DevEx, DevOps, and TDD.   Jake Hildreth is a Principal Security Consultant at Semperis, Microsoft MVP, and longtime builder of tools that make identity security suck a little less. With nearly 25 years in IT (and the battle scars to prove it), he specializes in helping orgs secure Active Directory and survive the baroque disaster that is Active Directory Certificate Services. He's the creator of Locksmith, BlueTuxedo, and PowerPUG!, open-source tools built to make life easier for overworked identity admins. When he's not untangling Kerberos or wrangling DNS, he's usually hanging out with his favorite people and most grounding reality check: his wife and daughter.   Links https://gilbertsanchez.com/posts/stucco-create-powershell-module/ https://jakehildreth.github.io/blog/2025/07/02/PowerShell-Module-Scaffolding-with-PSStucco.html https://github.com/PSInclusive https://jakehildreth.com/ https://andrewpla.tech/links https://discord.gg/pdq https://pdq.com/podcast https://youtu.be/w-z2-0ii96Y  

Bret is joined by Andrew Tunall, the President and Chief Product Officer at Embrace, to discuss his prediction that we'll all start shipping non-QA'd code (buggier code in production) and QA will need to be replaced with better observability.

Interview Segment - Lessons Learned from the tj-actions GitHub Action Supply Chain Attack with Dimitri Stiliadis Breach analysis is one of my favorite topics to dive into and I'm thrilled Dimitri is joining us today to reveal some of the insights he's pulled out of this GitHub Actions incident. It isn't an overstatement to say that some of the lessons to be learned from this incident represent fundamental changes to how we architect development environments. Why are we talking about it now, 4 months after it occurred? In the case of the Equifax breach, the most useful details about the breach didn't get released to the public until 18 months after the incident. It takes time for details to come out, but in my experience, the learning opportunities are worth the wait. Topic Segment - Should the US Go on the Cyber Offensive? Triggered by an op-ed from Dave Kennedy, the discussion of whether the US should launch more visible offensive cyber operations starts up again. There are a lot of factors and nuances to discuss here, and a lot of us have opinions here. We'll see if we can do any of it justice in 15 minutes. News Segment Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-417

Interview Segment - Lessons Learned from the tj-actions GitHub Action Supply Chain Attack with Dimitri Stiliadis Breach analysis is one of my favorite topics to dive into and I'm thrilled Dimitri is joining us today to reveal some of the insights he's pulled out of this GitHub Actions incident. It isn't an overstatement to say that some of the lessons to be learned from this incident represent fundamental changes to how we architect development environments. Why are we talking about it now, 4 months after it occurred? In the case of the Equifax breach, the most useful details about the breach didn't get released to the public until 18 months after the incident. It takes time for details to come out, but in my experience, the learning opportunities are worth the wait. Topic Segment - Should the US Go on the Cyber Offensive? Triggered by an op-ed from Dave Kennedy, the discussion of whether the US should launch more visible offensive cyber operations starts up again. There are a lot of factors and nuances to discuss here, and a lot of us have opinions here. We'll see if we can do any of it justice in 15 minutes. News Segment Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-417

Interview Segment - Lessons Learned from the tj-actions GitHub Action Supply Chain Attack with Dimitri Stiliadis Breach analysis is one of my favorite topics to dive into and I'm thrilled Dimitri is joining us today to reveal some of the insights he's pulled out of this GitHub Actions incident. It isn't an overstatement to say that some of the lessons to be learned from this incident represent fundamental changes to how we architect development environments. Why are we talking about it now, 4 months after it occurred? In the case of the Equifax breach, the most useful details about the breach didn't get released to the public until 18 months after the incident. It takes time for details to come out, but in my experience, the learning opportunities are worth the wait. Topic Segment - Should the US Go on the Cyber Offensive? Triggered by an op-ed from Dave Kennedy, the discussion of whether the US should launch more visible offensive cyber operations starts up again. There are a lot of factors and nuances to discuss here, and a lot of us have opinions here. We'll see if we can do any of it justice in 15 minutes. News Segment Finally, in the enterprise security news, We discuss the latest fundings a few acquisitions a vibe coding campfire story how to hack AI agents zero-days in AI coding apps more AI zero days why Ivanti vulns are still alive and well in Japan how wiper commands made their way into Amazon's AI coding agent it seems like vulnerabilities and AI are pairing up in this week's news stories! All that and more, on this episode of Enterprise Security Weekly. Show Notes: https://securityweekly.com/esw-417

Today's episode is with Aayush Shah. Aayush is one of the co-founders of Blacksmith, which is a CI compute platform. Basically, Blacksmith will run your GitHub Actions jobs faster and with more visibility with the standard GitHub Actions CI runners. The founding team has a fun background doing systems work at Cockroach and Faire, and they're taking on a big problem in running this massive CI fleet. The explosion in AI agents has really changed the CI world. CI is more useful than ever, as you want to be sure the changes from your agents aren't breaking your existing functionality. At the same time, there's a huge increase in demand and spikiness of CI workloads as developers can fire off multiple agents to work in parallel, each needing to run the CI suite before merging. Aayush talked about how they're handling this load and facilitating visibility into test failures. We also covered cloud economics. Aayush said the traditional cloud-based storage options don't work for them -- EBS and locally attached SSDs are too expensive for their workloads where they don't need the standard durability guarantees. He walks us through building their own fleet outside the hyperscalers and the plans going forward, along with some of the economics of multi-tenancy that Blacksmith has previously written about.

In this episode of Building Better Developers with AI, Rob Broadhead and Michael Meloche revisit a popular question: What Happens When Software Fails? Originally titled When Coffee Hits the Fan: Developer Disaster Recovery, this AI-enhanced breakdown explores real-world developer mistakes, recovery strategies, and the tools that help turn chaos into control. Whether you're managing your first deployment or juggling enterprise infrastructure, you'll leave this episode better equipped for the moment when software fails. When Software Fails and Everything Goes Down The podcast kicks off with a dramatic (but realistic) scenario: CI passes, coffee is in hand, and then production crashes. While that might sound extreme, it's a situation many developers recognize. Rob and Michael cover some familiar culprits: Dropping a production database Misconfigured cloud infrastructure costing hundreds overnight Accidentally publishing secret keys Over-provisioned “default” environments meant for enterprise use Takeaway: Software will fail. Being prepared is the difference between a disaster and a quick fix. Why Software Fails: Avoiding Costly Dev Mistakes Michael shares an all-too-common situation: connecting to the wrong environment and running production-breaking SQL. The issue wasn't the code—it was the context. Here are some best practices to avoid accidental failure: Color-code terminal environments (green for dev, red for prod) Disable auto-commit in production databases Always preview changes with a SELECT before running DELETE or UPDATE Back up databases or individual tables before making changes These simple habits can save hours—or days—of cleanup. How to Recover When Software Fails Rob and Michael outline a reliable recovery framework that works in any team or tech stack: Monitoring and alerts: Tools like Datadog, Prometheus, and Sentry help detect issues early Rollback plans: Scripts, snapshots, and container rebuilds should be ready to go Runbooks: Documented recovery steps prevent chaos during outages Postmortems: Blameless reviews help teams learn and improve Clear communication: Everyone on the team should know who's doing what during a crisis Pro Tip: Practice disaster scenarios ahead of time. Simulations help ensure you're truly ready. Essential Tools for Recovery Tools can make or break your ability to respond quickly when software fails. Rob and Michael recommend: Docker & Docker Compose for replicable environments Terraform & Ansible for consistent infrastructure GitHub Actions, GitLab CI, Jenkins for automated testing and deployment Chaos Engineering tools like Gremlin and Chaos Monkey Snapshot and backup automation to enable fast data restoration Michael emphasizes: containers are the fastest way to spin up clean environments, test recovery steps, and isolate issues safely. Mindset Matters: Staying Calm When Software Fails Technical preparation is critical—but so is mindset. Rob notes that no one makes smart decisions in panic mode. Having a calm, repeatable process in place reduces pressure when systems go down. Cultural and team-based practices: Use blameless postmortems to normalize failure Avoid root access in production whenever possible Share mistakes in standups so others can learn Make local environments mirror production using containers Reminder: Recovery is a skill—one you should build just like any feature. Think you're ready for a failure scenario? Prove it. This week, simulate a software failure in your development environment: Turn off a service your app depends on Delete (then restore) a local database from backup Use Docker to rebuild your environment from scratch Trigger a mock alert in your monitoring tool Then answer these questions: How fast can you recover? What broke that you didn't expect? What would you do differently in production? Recovery isn't just theory—it's a skill you build through practice. Start now, while the stakes are low. Final Thought Software fails. That's a reality of modern development. But with the right tools, smart workflows, and a calm, prepared team, you can recover quickly—and even improve your system in the process. Learn from failure. Build with resilience. And next time something breaks, you'll know exactly what to do. Stay Connected: Join the Developreneur Community We invite you to join our community and share your coding journey with us. Whether you're a seasoned developer or just starting, there's always room to learn and grow together. Contact us at info@develpreneur.com with your questions, feedback, or suggestions for future episodes. Together, let's continue exploring the exciting world of software development. Additional Resources System Backups – Prepare for the Worst Using Dropbox To Provide A File Store and Reliable Backup Testing Your Backups – Disaster Recovery Requires Verification Virtual Systems On A Budget – Realistic Cloud Pricing Building Better Developers With AI Podcast Videos – With Bonus Content

Updating developer tools is essential for developers who want to stay efficient, secure, and competitive. In this episode of Building Better Developers with AI, Rob Broadhead and Michael Meloche explore how maintaining modern toolsets helps individuals and teams deliver better software, faster. With support from AI-generated analysis and real-world experience, they outline the risks of falling behind—and how to move forward. Listen to the full episode of Building Better Developers with AI for practical insights and ideas you can start applying today. Efficiency and Profitability When Updating Developer Tools AI captured the core message well: using outdated tools slows down delivery, creates unnecessary friction, and ultimately reduces profitability. For side hustlers and teams alike, this loss of efficiency can make or break a project. Rob pointed out that many developers begin their careers using only basic tools. Without proper exposure to modern IDEs like IntelliJ, Visual Studio Code, or Eclipse, they miss out on powerful features such as debugging tools, plugin support, container integration, and real-time collaboration. Warning Signs You Should Be Updating Developer Tools How do you know it's time to update your development tools? Rob and Michael discussed key red flags: Frequent crashes or poor performance Lack of support for modern languages or frameworks Weak integration with tools like GitHub Actions or Docker Outdated or unsupported plugins Inconsistent tooling across team members Neglecting to update developer tools can lead to slow onboarding, poor collaboration, and increased bugs—especially in fast-paced or regulated environments. Tool Standardization vs. Flexibility When Updating Tools There's a balance between letting developers choose their tools and ensuring consistency across a team. While personal comfort can boost productivity, it may also cause challenges when teams debug or collaborate. Rob and Michael recommend hosting internal hackathons to explore new toolchains or standardize workflows. These events give teams a structured way to evaluate tools and share findings. The Security Risk of Not Updating Developer Tools Michael highlighted that outdated tooling doesn't just slow developers down—it creates serious security and compliance risks. Being just one or two versions behind can open vulnerabilities that violate standards like HIPPA, OWASP or SOX. Regular updates to SDKs, plugins, and IDEs are essential for staying compliant, especially in sensitive industries like finance or healthcare. How to Evaluate New Tools Before Updating Developer Toolchains Rob offered a practical framework for evaluating new tools: Does it solve a real pain point? Start with a side project or proof of concept. Check for strong community support and documentation. Balance between stable and innovative. Michael added a note of caution: avoid adopting tools with little community activity or long-term support. If a GitHub project has only a couple of contributors and poor maintenance, it's a red flag. Developer Tools to Review and Update Regularly To keep your development environment current, Rob suggested reviewing these tool categories often: IDEs and code editors Version control tools CI/CD systems and build automation Testing and QA frameworks Package managers and dependency systems Containerization and environment management platforms Using AI to convert simple apps into different frameworks can also help evaluate new tools—just make sure not to share proprietary code. Final Thoughts Modern development demands modern tooling. From cleaner code to faster deployment and stronger team collaboration, the benefits of updating developer tools are clear. Whether you're an independent developer or part of a larger organization, regularly reviewing and upgrading your toolset is a habit worth forming. Stay Connected: Join the Developreneur Community We invite you to join our community and share your coding journey with us. Whether you're a seasoned developer or just starting, there's always room to learn and grow together. Contact us at info@develpreneur.com with your questions, feedback, or suggestions for future episodes. Together, let's continue exploring the exciting world of software development. Additional Resources Navigating Communication Tools in Modern Workplaces Building a Portable Development Environment That is OS-agnostic Modern Tools For Monetizing Content Updating Developer Tools: Keeping Your Tools Sharp and Efficient Building Better Developers With AI Podcast Videos – With Bonus Content

Daniel and Manton return for a special episode of Core Intuition. They talk about WWDC 2025, running the bleeding-edge betas, and how Manton finally started using a build server with Xcode Cloud, while Daniel ventures into GitHub Actions. They also can't help talking about AI, considering the progress that has been made in only the five months since they discontinued the podcast. Finally, they close with an optimistic take on Liquid Glass and the future of the Mac. The post Episode 26.1: Mess Everything Up appeared first on Core Intuition.

What happens when a real developer uses AI to build something in a language and toolset they've never touched before? In this episode, Matt shares the story of how he created a free, custom-coded Google News sitemap generator using Node.js, GitHub Actions, and the Webflow API—with help from AI. The catch? He had no prior experience with any of those tools. Show Notes: https://www.htmlallthethings.com/podcasts/what-happens-when-a-real-developer-starts-vibe-coding Use our affiliate link (https://scrimba.com/?via=htmlallthethings) for a 20% discount!! Full details in show notes.

Welcome to the TestGuild Automation Podcast! In this episode, host Joe Colantonio sits down with Gaurav Mittal, a cybersecurity, data science, and IT expert with over two decades of experience. Gaurav, recognized for his thought leadership in AI and automation with multiple industry awards, shares his insights on making How To Optimize your Automation CI/CD Pipelines in DevOps more cost-effective. Whether you're a test automation engineer or security professional or work with AI/ML, you'll want to hear Gaurav's take on implementing DevOps pipelines that reduce licensing costs and enhance flexibility without sacrificing your team's productivity. Learn about his experiences with GitHub Actions, Jenkins, and the innovative ways he's optimized CI/CD pipelines to save resources and automate extensive testing processes, all while incorporating strong security measures. Join us as we delve into the innovative strategies and practical advice that can help transform your DevOps practices.

Steve Yegge's latest rant about the future of "coding", Ethan McCue shares some life altering Postgres patterns, Hillel Wayne makes the case for Verification-First Development, Gerd Zellweger experienced lots of pain setting up GitHub Actions & Cascii is a web-based ASCII diagram builder.

On this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news: Github Actions supply chain attack loots keys and secrets from 23k projects Why a VC fund now owns a minority stake in Risky Business Media (!?!?) China doxes Taiwanese military hackers Microsoft thinks .lnk file whitespace trick isn't worth patching but APTs sure love it CISA delivers government efficiency by re-hiring fired staff… to put them on paid leave …and Google acquires Wiz for $32bn This week's show is sponsored by Zero Networks, and they have sent along a happy customer to talk about their experience. Aaron Steinke is Head of Infrastructure at La Trobe Financial, an asset management firm in Australia. Aaron talks through bringing modern zero-trust goodness to the reality of a technology environment that's been around 40 years. This episode is also available on Youtube. Show notes Risky Bulletin: GitHub supply chain attack prints everyone's secrets in build logs - Risky Business Media China says Taiwan's military is behind PoisonIvy APT China identifies Taiwanese hackers allegedly behind cyberattacks and espionage | The Record from Recorded Future News Crypto exchange OKX shuts down tool used by North Korean hackers to launder stolen funds | The Record from Recorded Future News Lazarus Group deceives developers with 6 new malicious npm packages | CyberScoop Poisoned Windows shortcuts found to be a favorite of Chinese, Russian, N. Korean state hackers | The Record from Recorded Future News 'Mora_001' ransomware gang exploiting Fortinet bug spotlighted by CISA in January | The Record from Recorded Future News Black Basta uses brute-forcing tool to attack edge devices | Cybersecurity Dive Alleged Russian LockBit developer extradited from Israel, appears in New Jersey court | The Record from Recorded Future News CISA works to contact probationary employees for reinstatement after court order - Nextgov/FCW ‘People Are Scared': Inside CISA as It Reels From Trump's Purge | WIRED The Wiretap: CISA Staff Are Cautiously Optimistic About Trump's Pick For Director White House instructs agencies to avoid firing cybersecurity staff, email says | Reuters Signal no longer cooperating with Ukraine on Russian cyberthreats, official says | The Record from Recorded Future News Telegram CEO Pavel Durov allowed to leave France amid investigation Appellate court upholds sentence for former Uber cyber executive Joe Sullivan | The Record from Recorded Future News Google buys cloud security provider Wiz for $32 billion | The Record from Recorded Future News Pat Gray, Founder of Risky Business, Joins Decibel as Founder Advisor - Decibel