GitHub Actions Is Slowly Killing Your Engineering Team - Ian Duncan

mesa@piefed.social · 19 days ago

GitHub Actions Is Slowly Killing Your Engineering Team - Ian Duncan

xia@lemmy.ca · 6 days ago

It’s better than Jenkins, no?

mesa@piefed.social · 6 days ago

Yep. Ill agree to that lol.

jtrek@startrek.website · 19 days ago

Sounds about right.

I’m using GitHub actions at work because this place is extremely dysfunctional, and I can just add GitHub actions without it being a whole “research spike planning meeting impact analysis” six week journey.

I took it from “there are absolutely no checks and Bob broke the environment because he pushed up a change that’s just invalid syntax” to… well, I couldn’t make it block the build on failures but at least now when Bob breaks it again I can point to the big red X and ask why he merged with an error.

hallettj@leminal.space · 19 days ago

Well, I’m in that Nix shop category. For example, I run tests for my OSS project using lots of Python versions. There’s no need to use a Github Actions matrix for that - Nix does it more efficiently. Doesn’t even require containers or VMs. And the whole setup runs exactly the same locally, on Github Actions, or on Garnix. (But Garnix has better Nix caching than other CI runners, so that’s what I use.)

beeng@discuss.tchncs.de · 18 days ago

What’s your solution to handle secrets locally?

hallettj@leminal.space · 17 days ago

There are a few options:

Sops-nix or Agenix store secrets encrypted in the repo. Each local machine needs to be set up with a PGP or an SSH key to decrypt and encrypt as necessary. This is what I do with my NixOS configuration.
Manage secrets externally to repo code. I like to use direnv; sometimes I configure the checked-in .envrc file to source another file with secrets, that is not checked in.
Don’t use secrets locally. If secrets are things like deploy keys, and I want all deploys going through CI, then I don’t want secrets configured locally. Instead running a deploy script locally should be a dry run, which doesn’t need secrets.
Generate secrets at runtime. This is for cases where the project runs a cluster of services which need to authenticate with each other. For tests with locally running test services, authentication is confined to this isolated system. So secrets can be generated at test time, and written to env or config files that are not checked in.

beeng@discuss.tchncs.de · 17 days ago

In your CI which one do you use? I also use SOPS for my own, but it’s overhead… So wondering which you settled on?