►
From YouTube: Hands-on application security with GitHub #DemoDays
Description
GitHub and application security: Learn how to enable GitHub Advanced Security Features and how you might scale your implementation including how to understand the overall health of your org, Dependabot and using GitHub Actions, and know the community sourced vulnerabilities in open source software.
Take a walk with Kevin Alwell through the GitHub Learning Lab to build your first CI workflow in GitHub Actions: https://lab.github.com/githubtraining/github-actions:-continuous-integration
3:10 - Intro
6:27 - Overview
7:32 - Community sourced vulnerabilities in open source software
8:53 - GitHub Advisory Database and Dependabot alerts
13:32 - How do I understand the overall health of my organization from an Application Security perspective?
15:12 - Repository specific Application Security
15:59 - Drilling down to the pull request view
24:34 - Workflow files for GitHub Actions
33:40 - lab.github.com and hands on build of a CI pipeline
GitHub Actions Marketplace for workflows that have already been built by the community: https://github.com/marketplace?type=actions Automate almost anything!
For an even broader perspective on Secure Development and how you can bring DevOps and DevSecOps to your organization register for the Global Infocus Event: https://infocus.github.com
A
Hey
everyone
welcome
to
demo
days
nice
to
see
everyone
in
the
chat
today
lots
of
activity,
lots
of
folks
from
everywhere.
Where
are
you
from?
I
know
india
is
strong
today,
hello
from
kenya,
awesome
good
to
see
you
good
to
see
you
just
a
reminder.
All
of
the
demo
days,
just
like
normal,
will
be
recorded
and
available
immediately
on
linkedin
right
after
the
session.
You
can
watch
the
session
right
here
on
linkedin.
A
A
B
B
A
Yes,
I
definitely
saw
that,
as
you
can
see,
we've
got
folks
from
all
over
the
place.
All
the
way
from
new
jersey
to
cashmere,
so,
like
we've,
got
tons
of
tons
of
folks
ready
to
to
see
what
we're
going
to
talk
about
today,
and
I
know
we're
going
to
talk
about
advanced
security
and
that's
usually
a
pretty
niche
topic
like
if
security
isn't
a
part
of
your
regular
developer.
Job
like
why
is
it
a
topic
that
you
should
care
about?.
B
Yeah,
so
I
think,
a
trend
that
we're
noticing,
across
the
industry,
a
trend
with
most
of
the
folks
we
talk
to
who
own
the
security
from
the
different
organizations
that
we
work
with
the
trending.
The
ongoing
theme
is
that
the
developer
is
becoming
increasingly
a
stakeholder
in
the
operations
of
the
applications,
they're
shipping
in
the
infrastructure
of
the
applications,
they're
shipping
and
naturally
also
now
in
order
to
scale.
The
number
of
you
know.
B
The
number
of
folks
who
are
bought
into
security
developers
are
also
beginning
to
own
the
security
of
the
applications,
they're
they're,
delivering
and
so
devsecops.
If
you
will,
is
something
we
talk
about
really
often,
and
hopefully,
some
of
the
features
that
I
demonstrate
with
you
kind
of
bring
to
light.
You
know
what
our
philosophy
is
github
at
github
is,
and
you
know
how
we
bake
that
into
our
own
features.
B
B
So
go
ahead
drop
in
some
of
those
emotions
on
the
linkedin
page
and
that's
gonna.
Let
me
know
that
you're
interested
this
is
the
direction
you
want
to
go
and
again
the
feedback
that
you
give
us
really
does
drive.
The
contents
of
these
sessions
so
feel
free
to
drop
in
anything
you'd
like
to
see
and
we'll
do
our
best
to
cover
that
for
you,
and
so
I'm
going
to
talk
about
github,
advanced
security,
some
of
our
latest
features
and
then
we're
going
to
get
hands-on
in
the
learning
lab.
B
B
I'm
just
validating
that
you're.
Seeing
my
screen
here,
which
I
believe
that
you
are
great,
which
screen
are
we
saying?
Okay,
so
the
github
advisory
database
is
really
where
we
aggregate
the
various
sources
of
vulnerability
data
that
we
get
from
the
national
vulnerability
database
from
the
open
source
community
themselves,
and
so
there's
a
private
workflow.
If
you're
an
open
source
maintainer,
you
may
have
already
been
exposed
to
it
where
if
somebody
as
the
security
researcher
comes
along
and
says,
hey,
you
have
a
no.
You
have
a
vulnerability
in
a
package
that
you
maintain.
B
B
Include
that
after
curating,
it
back
in
the
advisory
database
and
that's
increasingly
where
we
get
all
of
our
vulnerability
data,
and
so
when
you
start
to
explore
like
what's
so
interesting
about
github
and
your
tools
and
this
and
that
it
really
comes
down
to
the
data
that
powers,
the
platform
and
so
you'll
notice.
That's
a
recurring
theme
from
everything
that
we
talk
about.
It's
always
about
the
data
and
really
trying
to
enable
the
open
source
community
to
do
their
best
work,
and
so
we're
always
trying
to
advocate
for
developers.
B
If
there
was
a
vulnerability
that
one
of
my
applications
happened
to
be
exposed
to,
so
I
think
I'm
going
to
move
myself
to
the
other
side
of
the
screen
here.
So
you
can
see.
I
think
it's
on
this
way
here,
so
here's
the
advisory
database.
What
you'll
notice
is
that
I
have
the
search
bar
here,
and
so,
if
I
want
to
look
for
a
specific
package,
for
instance
like
hello.js,
which
was
being
described
in
that
blog
post,
I
can
do
that.
B
I
can
click
into
that
package
and
notice
that
there's
a
critical
severity
vulnerability
that
was
published
23
days
ago
for
this
npm
package,
and
you
can
see
you
know
the
affected
versions,
the
patched
versions
that
you
should
probably
upgrade
to
and
then
what
I
wanted
to
demonstrate
is
this
new
tab
here.
So
this
is
super
cool
depend
about
alerts
will
now
surface.
B
Basically,
if
you,
if
you
have
a
repo
and
you're
consuming
this
package,
if
it's
listed
in
your
package,
manifest
we're
gonna,
send
you
that
alert
and
service
it
through
this
interface.
So
let
me
tr.
Let
me
trace
this
back
to
the
repository
itself.
Okay,
so
here's
my
organization
called
octodemo
here
is
this
repository
called
the
pen
about
alerts
and
advisory
database
and
you'll
notice
where
I
go,
and
hopefully
this
is
a
familiar
interface
for
you
because
we've
been
demonstrating
it
and
you
know
all
the
previous
twitch
streams,
and
so
I
hope
you've
had
some
exposure.
B
If
not,
this
is
really
how
we
are
enabling
and
empowering
you
as
the
developer,
to
visibility
into
the
security
of
the
applications
that
you're
developing
right.
So
look
on
the
left
side
here,
which
is
dependable
alerts,
there's
one
open
alert
and
it
happens
to
be
for
this
hello.js
package
and
so
we'll
give
you
insight
into
the
version
of
the
package.
That's
vulnerable
right,
so
you
can
see
here
which
package
you
know
what
version
is
vulnerable
and
what
you
should
actually
bump
this
this
package
to
okay
and
so
a
little
bit
more
detail.
B
Actually,
if
you
click
on
this
link
here,
you'll
notice
on
the
bottom
left,
it's
probably
super
small
for
you
so
go
ahead
and
do
that.
But
it's
a
very
circular
experience,
because
now
this
takes
you
back
to
the
advisory
database.
Let
me
go
again
to
the
alerts
to
the
affected
repositories
and
back
to
this
security
tab.
Okay!
So
now
I'm
seeing
that
I'm
exposed
to
this
vulnerability
from
this
package
that
I'm
consuming-
and
this
is
super
cool.
B
So
let
me
show
you
this
feature
here
which
hopefully
you're
familiar
with,
if
not
it's
great
and
we're
laying
on
additional
functionality
that
you're
going
to
begin
to
see
and
I'm
going
to
share
with
you
today.
So
there
is
a
pull
request
that
depend
about
is
already
open
from
or
for
hellojs
the
bump
from
version
1.18.4
to
1.18.6.
B
I
can
actually
trace
the
commits
that
the
open
source
maintainer
made
in
order
to
patch
this
vulnerability,
and
so
this
is
where
those
are
described
right,
and
so
you
can
see
that
basically
depend
about
saying:
hey
we're
going
to
bump
hello
js
from
1.18.4
to
1.18.6,
and
then
you
can
go
ahead
and
basically
you
can
run
your
checks
on
this
to
make
sure
there's!
No,
you
know
regressions
in
your
code,
so
you'll
run
your
ci
you'll
run
your
sas.
B
B
We
did
ship
a
beta,
I'm
not
going
to
show
it
to
you
now,
but
we
did
ship
a
beta
for
automated
automatically
merging
pull
requests,
and
so
you
can
imagine
a
world
where,
if
there's
a
certain
compatibility
score
I'll,
explain
why
this
is
unknown
in
a
second.
But
if
there's
a
certain
compatibility
score
for
one
of
these
pull
requests,
we
can
automatically
merge
that
pr
for
you.
B
So
that's
the
world
that
we're
kind
of
getting
towards
right,
which
is
that
we're
going
to
have
applications
that
are
automatically
staying
up
to
date,
ensuring
we're
not
introducing
regressions.
Now
this
repo
happens
to
have
only
only
manifest
files
in
it,
and
so
it's
not
a
great
example
of
the
compatibility
score.
But
I
do
want
to
talk
about
this.
Maybe
now
is
not
the
best
time
or
maybe
it
is
since
I've
already
brought
it
up-
and
I
see
folks
still
interacting
in
the
chat
here
so
feel.
B
Free
to
drop
any
emojis
or
any
comments
anything
you'd
like
to
see
as
part
of
the
conversation,
so
this
compatibility
scores.
Basically,
we've
opened
this
poll
request
for
hellojs
across
the
open
source
community
and
what
we
know
from
the
status
checks
that
happen
on
those
repositories
is
how
frequently
there's
the
status
checks
fail
as
a
result
of
this
pr.
B
So
we're
able
to
say
with
a
certain
level
of
of
certainty,
if
you
will
what
the
compatibility
is
for
this
patch
to
your
application
right,
how?
How
probable
is
it
that
this
patch
is
going
to
introduce
a
regression?
So
that's
super
cool.
I
always
like
to
call
it
out
for
any
folks
who
depend
about's
a
little
bit
newer
for,
but,
of
course,
we're
going
to
take
this.
B
I
believe
just
another
level
deeper
and
and
and
look
at
actually
the
security
center
itself,
and
so
what
a
lot
of
folks
ask
us,
I'm
going
to
go
back
to
the
security
tab
here
for
just
a
moment.
What
a
lot
of
folks
ask
us
is:
okay,
this
is
great
at
the
repository
level,
how
can
I
get
like
visibility
across
my
entire
organization?
So
I
can
understand,
maybe,
as
like
an
engineering
leader
or
a
project
manager
or
program
manager.
B
What
the
overall
health
of
my
organization
is
from
an
application
security
perspective
right,
so
I'm
gonna
go
ahead
and
show
you
what
that
experience
is
just
briefly
because
actually
we
shipped
it
in
an
alpha,
so
you
you
would
have
to
have
special
access
to
it
through
github
advanced
security.
In
order
to
to
have
this
feature,
but
I
want
to
share
with
you
quick
sneak
peek
and
you
know-
and
hopefully
this
conveys
the
direction
that
we're
headed
with
our
security
center.
B
So
I'm
going
to
my
organization
interface
here
as
an
admin,
and
I
have
this
similar
security
tab
and
what
you'll
notice
with
this
alpha
again,
it's
just
an
alpha,
but
I
want
to
kind
of
illustrate
something
here.
You
can
actually
see
across
the
domains
for
github
advanced
security,
which
is
your
sas
with
code
scanning.
So
that's
your
native.
You
know
code
scanning
at
the
repo
level.
B
You
have
your
secret
scanning
alerts
here.
So
if
you're
pushing
any
of
your
tokens,
which
we
all
do
all
the
times
it
happens,
like
you
wouldn't
believe
I
mean
every
time
we
enable
advanced
security
for
a
for
a
company.
They
light
up
like
a
christmas
tree,
so
so
we'll
show
you
your
secret
scanning
once
we'll
also
show
you
your
depend
about
alerts
here
and
you
can
filter
on
these
things
right.
B
B
So
what
I'm
gonna
do
is
go
to
actually
a
specific
repository,
so
I
think
it's
called
yes.
I
had
it
on
my
clipboard,
so
that's
my
little
cheat
there.
Let's
see
okay,
so
what
you'll
notice
is
I
filtered
to
a
specific
repository
here
now?
I
can
see
all
these
repos
that
match
these
results.
I
can
see
across
the
domains.
You
know
what
which
alerts
are
open
and
you
can
actually
filter
this
down.
We
just
shipped
I'm
not
going
to
show
it
to
you
yet,
but
we
just
shipped
the
same
interface
at
the
team
level.
B
So
that's
super
cool,
so
I'm
gonna
click
into
this
repo.
Hopefully
this
is
the
one
that
I
intended
to
intend
it
to
share
and
we're
gonna
look
at
the
pull
requests
to
see
how,
with
advanced
security,
there
are
these
new
functionalities
being
baked
in
to
to
our
sca
capabilities
right.
Our
com,
software
composition,
analysis
capabilities.
B
So
if
I
change
the
view
to
the
file
view,
what
I'll
notice
is
this
pull
request?
I
can
see
I'm
pulling
in
my
package
json,
it's
actually
pulling
in
json
logic,
which
is
a
component
that
has
a
known
vulnerability
and
it's
a
high
severity
vulnerability
at
the
version
that
we've
been
pulling
it
in
on.
So,
if
I
click
on
this,
my
expectation
is
that
I
would
go
back
to
what
you've
already
seen,
which
is
that
advisory
database,
I'm
going
to
do
that
and
you'll
notice.
B
Again,
we've
been
taken
to
the
github
advisory
database
here
is
a
vulnerability
with
a
high
severity.
That's
been
published
on
november
12th
and
you
know,
and
we're
kind
of
alerting
you
to
that
now.
None
of
your
repos
are
actually
affected
by
or
none
of
mine
rather
are
really
affected
by
this.
This
specific
package
vulnerability
because
it
hasn't
made
it
back
into
my
source.
B
So
that's
what
I
wanted
to
share
with
you
is
how
this
traces
back
from
the
you
know,
from
the
pull
request:
workflow
back
to
the
advisory
database
and
giving
you
that
insight
and
giving
you
that
insight
directly
inside
the
pr
workflow
and
really,
I
think
the
expectation
is
here
and
just
giving
you
a
little
bit
of
foresight
into
what
we're
working
to
deliver
is
making
this
stuff.
So
you
can
enforce
policies
on
it.
You
know,
as
a
dev
lead
as
a
you
know,
a
project
manager
as
an
engineering
leader.
B
Maybe
you
want
to
say
that
all
of
your
you
know,
maybe
you
want
to
say
that
you
know
every
pull
request
that
your
developers
open
against
your
base
branch.
You
want
to
make
sure
that
you're
not
introducing
any
high
severity
vulnerabilities
through
open
source
components
right,
and
so
that's
the
type
of
policy
that
we
are
seeking
to
ena.
B
You
know
help
you
to
enable
on
your
pr
workflows,
and
so
you
can
do
things
like
that
with
just
branch
protection
rules
when,
if
you
have
code
scanning
enabled
today
and
in
the
near
future,
you'll
be
able
to
do
the
same
thing
with
that
level
of
granularity
in
the
in
the
dependency
review
awesome.
So
I.
B
A
wordpress
developer
on
linkedin
he's
loving
these
new
features.
You're
awesome
great
call
out
okay.
So
where
do
we
want
to
go
next?
I
think
the
place
that
I'd
like
to
go
next,
so
I
really
wanted
to
introduce
some
of
these
gas
capabilities,
so
gas
github
advanced
security,
but
then
I
wanted
to
do
a
code
along
and
so,
if
you're
interested
in
either
just
watching
me
and
not
necessarily
doing
the
work
yourself,
some
folks
are
dialed
in
from
asia.
Some
folks
are
now
they're
really
from
across
the
world.
B
So
if
it's
like
midnight
for
you
or
you're,
just
hanging
out
on
a
friday
afternoon
having
a
beer,
maybe
in
the
uk,
there's
no
reason
why
you
have
to
go
hands-on.
You
can
just
watch
me
if
you
want
to
go
hands-on,
I'm
going
to
give
you
the
ability
to
do
that
and
we're
going
to
implement
a
ci
pipeline
together.
B
So
that's
the
next
step
here,
I'm
going
to
kind
of
transition
away
from
talking
about
get
advanced
security
for
a
moment.
We're
going
to
look
at
a
full
pipeline
that
actually,
my
colleague
james
presented
a
little
while
ago,
so
we're
just
do
a
quick
review
talk
through
some
of
the
steps
in
that
pipeline
and
then
you
know
and
then
get
hands-on
together
through
learning
lab.
So
I
see
jonathan's
actually
having
a
conversation
with
ahmed
in
the
linkedin
chat.
So
that's
awesome.
Eureko
git
is
live,
that's
right
and
nathan.
B
I
see
you
commenting
in
there
what's
going
on
my
friend
cool
okay,
so
let's
see
what
we're
actually
gonna
be
presenting.
Let
me
close
some
tabs
for
you,
so
you
have
a
little
bit
of
a
better
idea.
So
here's
this
really
simple
app
that
my
colleague
james
has
has
built
out
so
that
we
can
demonstrate
some
of
the
new
functionality.
B
B
But
the
idea
for
this
this
project
is,
you
would
type
in
a
github
handle.
It's
gonna
go
hit.
The
github
apis
grab
that
user
and
service
it
back
in
the
interface,
and
so
I'm
not
going
to
wait
for
that
request
to
resolve
it's
just
not
a
good
use
of
your
time,
and
you
know
not
not
a
great
use
of
everyone's
time
here,
so
what
I'd
rather
do,
and
hopefully
what
you'd
rather
see,
I
think
is
this,
and
hopefully
this
looks
familiar.
That
means
you've
been
tuning
in
to
our
other
streams.
B
If
not,
I
encourage
you
to
check
out
the
other
videos.
James
lahar
did
a
great
job.
I
know
brian
cross
very
recently.
I
think
last
friday
was
on
here
with
you
all
talking
about
other
github
functionality.
Since
universe,
which
is
you
know,
event
we
we
did
in
november,
so
this
pipeline
does
a
few
things.
B
So
we
do
all
these
three
three
things
in
parallel.
What
you
notice
through
the
illustration
here,
I'm
gonna,
make
it
a
little
bit
larger
for
you.
If
you're
dialing,
you
know
if
you're
on
mobile,
I
just
wanna,
make
sure
you're
able
to
see
exactly
what
we're
doing.
We
got
some
feedback
from
you
all
in
the
past
that
you
just
want
it
to
be
a
little
bigger
and
I
should
probably
get
out
of
your
way
shouldn't.
B
I
let
me
go
ahead
and
do
that,
no
matter
where
I
go,
I'm
going
to
be
a
little
in
your
way,
so
so
we're
just
going
to
have
to
make
do
and
I'll
jump
side
to
side
as
it
makes
sense
and
feel
free.
To
keep
me
honest,
I
see
daniel
saying
long
live
github
for
sure
my
friend
yeah.
So
let's
see
here's
this
pipeline.
What
are
we
doing?
We
just
talked
through,
I
think,
some
of
the
jobs
here
right,
so
we're
building
and
testing
in
a
matrix,
we're
just
validating
that.
B
That
code
makes
sense
to
deploy
to
some
environment
and-
and
if
we
do
say
it
looks
good.
So
we
make
this
that
deployment
dependent
on
these
three
checks.
Then
we
want
to
deploy
it.
It's
actually
deploying
azure,
and
then
we
validate
that
by
pinging
the
url.
If
we
validate
that
it's
been
successfully
deployed
to
this
sandbox
environment,
then
we
deployed
to
qa,
okay
and
what
you'll
notice
here.
B
B
But
I
think
what
I
wanted
to
do
with
you
was:
I
wanted
to
actually
walk
through.
I
know
it's
kind
of
corny,
so
hopefully
I
know
y'all
are
are
pretty
technical
on
the
line.
I
see
a
lot
of
developers
a
lot
of
folks
just
in
tech
generally,
so
I'm
going
to
walk
through
the
yaml
just
for
a
moment
at
a
high
level,
at
least
to
show
you
how
these
jobs
come
together
to
form
this
pipeline
and
then
again
we're
going
to
get
back
into
into
some
actual
doing
this
stuff
live.
B
B
That's
gonna
allow
us
to
go
hands-on
together,
so,
if
you'd
like
to
as
I'm
talking
through
these
jobs
and
talking
through
how
we
came
to
create
this
pipeline,
you
can
get
started
there
and
I'll,
hopefully
I'll
catch
up
and
we're
gonna
get
as
much
done
together
as
we
can
today.
So
you
can
do
kind
of
both
in
parallel
or
you
can
just
watch
me
again
totally
fine
as
well.
You
know
feel
free
to
do
whatever
you
think
makes
the
most
sense.
B
So
let
me
just
zoom
out
here
and
I
shared
again-
I
just
shared
that
link
in
the
chat
I
see
my
friend
hollywood
jonathan
cardona
is
is
kind
of
working
with
you
all.
So
I'm
going
to
the
top
here
of
this
workflow
and
I'm
going
to
view
the
workflow
file.
So
we
can
talk
through
the
workflow
file,
for
this
run
together
how's
this
how's
this
view.
Hopefully
it's
not
too
small
for
you.
B
So
the
origin
of
this
workflow
is
pretty
interesting,
because
when
you
launch
your
first
github
action,
what
you'll
notice
is
that
you
have
this.
Really
it's
a
marketplace
of
available
workflows
that
have
been
created
by
different
service
providers
who
would
like
you
to
consume
their
services.
In
this
case
this
is
an
azure
workflow,
that's
already
been
mostly
developed
and
scaffolded.
For
me,
I
had
to
layer
in
as
you'll
see
some
custom.
You
know
some
custom
jobs,
but
it
was
really
easy
to
get
up
and
running
with.
B
So
for
the
folks
who
are
less
familiar.
If
you
already
know,
git
of
actions
then
just
bear
with
me
for
a
moment
we're
going
to
talk
about
some
interesting
stuff.
I
promise,
but
if
this
is
new
to
you,
if
this
is
a
new
tool,
I
do
want
to
just
make
you
generally
aware
of
how
it
works.
What
the
syntax
might
look
like,
and
and
specifically
how
this
workflow
came
to
be,
as
we
saw
it
being
executed
before
all
right.
B
Look
at
lines
18
to
23.
First,
it's
a
so.
I
see
that
james.
This
is
again.
This
is
my
my
colleague
james
delivered
this,
even
though
I
forked
it
into
my
own
personal
user
account.
I
think
this
is
public
too,
if
you,
so,
if
you
want
to
actually
check
this
out
yourselves,
let
me
go
ahead
and
drop
this
yeah.
Let
me
go
ahead
and
drop
this
repo
in
that
linkedin
chat
in
case.
You
all
want
to
come
here
and
comment,
make
issues
and
not.
B
Awesome
so
daniel's
working
in
there.
I
see
that
hello
from
brazil,
hello
from
the
us,
I'm
in
new
jersey,
so
hello
from
new
jersey,
okay,
I've
dropped
in
the
link
to
this
repository.
If
you
want
to
check
it
out,
poke
around
a
bit
feel
free
to
do
that
feel,
free
to
to
steal
any
of
the
workflows
that
we've
already
developed
and
pull
them
in
your
own
apps
or
whatever.
Obviously,
you
know
take
a
look
at
what
you're
merging
before
you
do,
that
into
your
own.
B
Apps
goes
without
saying
so:
okay
lines
18
to
23.
These
are
triggers
for
your
workflow
okay,
so
we're
really
going
to
as
github
with
git
of
action
subscribe
to
a
number
of
events
across
the
platform
in
order
to
trigger
your
workflows,
and
so
in
this
case
we're
basically
saying
that,
on
a
pull
request
against
your
run
me
branch,
we
want
to
run
this
workflow
okay,
so
you
can
also
do
that
against
your
main
branch.
You
can
also
do
pushes
against
some
feature
branch
right.
B
You
can
get
really
granular
with
this
and
you
can
also
pass
in
an
array
of
branches
in
terms
of
your
triggers.
Now
what
is
interesting
is
what's
on
line
19
and
I
think
you've
seen
this
in
the
past,
so
I'm
just
going
to
spend
a
moment
line.
19
workflow
dispatch,
yeah,
so
workflow
dispatch
is
a
programmatic
trigger
for
this
workflow.
So
if
maybe
you
had
repo
a
wants
to
trigger
a
workflow
on
repo
b,
like
you
have
some,
I
don't
know
it's
like
some
micro
services
that
are
just
scaffolding
out
some
application.
B
You
can
trigger
your
workflows
from
another
application
using
workflow
dispatch.
So
all
you
have
to
do
is
ping.
This
endpoint
you'll
see
if
you
look
at
the
documentation
for
workflow
dispatch,
what
that
endpoint
is
for
a
given
repository,
but
then
this
workflow
will
actually
trigger
and
obviously
deploy
your
application.
B
So
we
set
up
some
environment
variables
here
that
we
dynamically
inject
at
runtime.
All
the
stuff
was
really
scaffolded
out
for
me
by
azure.
I
didn't
have
to
type
it,
which
was
cool.
All
I
had
to
do
was
really
drop
the
values
of
my
azure
web
app
name
and
all
that
stuff,
and
then
we
have
these
jobs,
okay
and
so,
in
this
case
online
34.
The
name
of
the
job
is
build
and
test
right.
So
that's
pretty
cool
because
we
saw
what
it
looked
like
before.
B
A
B
So
that's
what
we've
done
here
now
there
are
dependencies
for,
for
you
know
these
other
jobs
inside
of
your
workflow,
and
so
what
you'll
notice
is
that
for
the
prettier
job,
we're
dependent
on
building
tests,
and
so
you
saw
that
a
moment
ago
when
I
was
showing
you
what
the
illustration
looked
like
and
so
prettier
is
dependent
on
build
and
test
through
this
needs
keyword.
You
can
see
the
environment
that
it
runs
on
all
that
stuff
kind
of
self-explanatory,
which
is
great.
B
You
can
pass
in
these
secrets
in
this
case
I'm
using
github's
native
key
management
system,
which
is
scope
to
the
repository
here.
You
can
also
scope
it
to
the
organization
if
you're
you
know,
if
you're
an
enterprise
and
looking
to
implement
ci
cd,
here's
this
next
job
called
linter
same
thing,
we're
just
dependent
on
this
specific,
the
build
and
test
job,
and
I'm
just
going
to
scroll
down
for
a
moment.
I
know
it's
hard
to
follow,
but
I
promise
I'll
stop
scrolling
in
a
moment
to
this
build
sorry.
B
This
deployed
a
sandbox
job.
Okay,
so
in
the
sam
deploy
job
we
are
dependent
on
the
build
being
successful,
makes
sense,
the
linter
being
successful,
prettier
being
successful.
Okay,
what
we're
not
dependent
on,
however,
in
this
case,
because
our
app
set
program
has
not
actually
reached
the
maturity
level
that
we
want
to
make
this
deploy
dependent
on
a
successful
pass.
So
we're
not
going
to
block
a
deployment
based
on
the
sas
results
here.
Okay,
so
that's
kind
of
an
opinionated
thing,
but
the
idea
is
since
our
program's,
not
that
mature.
B
B
We
specify
the
azure
publish
profile
all
that
stuff
stored
inside
my
key
management
system.
You
know
inside
of
inside
of
github,
so
this
is
all
good.
This
is
all
great
okay.
So
the
last
thing
I
want
to
show
you,
so
this
is
the
validation
I'm
not
going
to
spend
too
much
time
there.
Really
all
we're
doing
is
actually
pinging
to
the
validate
that
we've
deployed
this
application
scrolling
scrolling.
I
promise
I'm
not
going
to
be
scrolling
forever.
Here
we
go
okay,
so
here's
this
analyze,
job
cool.
Okay.
B
I
see
folks
having
conversations
about
plans
to
integrate
security
features
into
action,
runs
in
the
workflow,
so
mert,
okay.
So
I
didn't
pay
mert
to
say
that
right,
but
that's
exactly
what
I
want
to
demonstrate
here
so
check
this
out.
I
see
you,
mr
mert,
in
linkedin
chat.
Okay.
So
if
you
look
at
line
178,
you
have
this
analyze
job
okay.
So
this
is
where
we
integrate
our
native
appsec
tools
and
you
can
also
integrate
any
third-party
apps
tools
into
your
pipeline.
B
Okay,
so
you
see
that
I
named
this
job
fast
and
that
reflects
here
in
the
in
the
jobs
that
have
been
executed.
You
can
see
the
strategy,
so
I
actually
run
this
sat
this
scan
across
all
these
different
versions
of
node
before
I
deploy
it
debatable
in
utility,
but
that's
what
we
do
to
demonstrate
to
demonstrate
it,
and
so
in
this
case,
because
it's
an
interpreted
language,
this
is
a
javascript
application.
We
don't
need
to
necessarily
build
the
application,
but
we
are
able
to
initialize
code
ql,
and
so
we
initialize
that
code
ql
environment.
B
You
can
also
expand
on
that
through
a
custom
configuration
file
that
I
think
you
might
have
seen
in
the
past.
So
there's
a
configuration
file
that
you
can
include.
That
also
will
allow
you
to
drop
in
zero-day
vulnerabilities
that
have
been
modeled
in
code
ql.
So,
if
you
want
to
say,
hey
are
any
of
my
apps
exposed
to
zero
day.
You
know
this
new
zero
day
and
there's
a
code
ql
query
for
that
in
the
open
source
world,
pull
that
in
and
run
it
across
your
repos
and
you'll
be
able
to
see
so
mert.
B
I
I
hear
you
saying
awesome,
that's
great!
So
let's
go
ahead
and
I'm
just
going
to
do
some
celebrations
there
in
the
linkedin
chat,
give
myself
applause
there
cool
so
yeah.
So
we
run
the
analysis.
We
have
the
baseline
libraries.
We
have
in
the
configuration
file
itself
to
include
additional
scans
for
quality
and
for
other
types
of
vulnerabilities,
and
I
see
hollywood.
Jonathan
cardona
is
also
in
there,
interacting
with
you
all.
B
So
this
was
the
sas
part
of
this
workflow,
so
I'm
going
to
scroll
all
the
way
to
the
top
and
actually
back
out
of
so
hopefully
that
was
interesting
for
you.
I
did
I
just
wanted
to
illustrate.
You
know
what
that
experience
was
like
and
and
show
you
kind
of
what
the
end
state
will
be
before
we
actually
go
in
and
build
some
of
this
stuff
together
and
so
again.
This
is
where
I'm
going
to
actually
get
hands-on
and
implement
a
ci
pipeline
using
git
of
actions
and
and
learning
labs
publicly
available.
B
It's
free,
it's
a
great
way
to
learn
about
new
features.
So
dan,
I
see
so,
if
you're
tuning
in
after
the
fact
and
not
live
with
us,
we
are
having
chats
in
the
linkedin
chat
here,
but
I
see
who
was
it.
I
think
it
was
mr
daniel
in
there
he's
saying
that
he
might
have
signed
up
for
the
wrong
course.
No
problem
just
go
to
click.
This
top
link
here
to
go
to
lab.github.com.
B
You
can
search
for
continuous
integration
and
you
can
start
the
course
from
there
and
so
there's
a
lot
of
different
topics.
You
can
look
for
codeql
there
and
actually
write
your
own
queries
against
a
c-sharp
application.
I
debated
doing
that
with
you
all,
but
I'm
not
a
c-sharp
expert,
so
I
didn't
want
to
get
out
of
my
depth,
and
so
I
hope
you'll
forgive
me
for
that.
Maybe
in
the
future,
that's
something
that
we'll
do
live
with
you
all.
B
Free
to
just
watch
me
do
it
feel
free
to
do
it
alongside.
I
see
nakati
commenting
in
there
on
the
linkedin
chat.
I'm
gonna
drop
in
that
link
one
last
time
so
feel
free
to
grab
it
out
of
there
and
and
do
your
development
alongside
us.
So
let's
go
ahead
and
start
this
course
and
the
great
thing
about
learning
lab
is
you're
using
github
to
learn
about
github.
It's
not
perfect
in
terms
of
the
automation.
Sometimes
it
gets
hung
up.
B
Sometimes
it
takes
a
little
while
and
you
might
actually
have
to
restart
the
course,
but
it's
really
great
to
learn
and
generally
like.
If
we
come
on
site
with
your
org,
because
you're
a
customer
or
like
you
know,
we're
doing
some
hackathon
and
we
want
to
teach
you
some
new
functionality
inside
the
platform.
This
is
what
we'll
use,
because
it
just
scaffolds
out
so
well,
and
the
experience
is
really
good,
so
feel
free
to
yeah
feel
free
to
explore
lab.github.com
on
your
own
time.
B
So
we
are
just
cloning,
the
course
materials
to
my
my
environment.
I
think
we've
we've
gone
there
now,
so
it's
been
cloned
yeah.
So,
look
if
you
see
on
the
right
side,
you
should
have
this
for
yourself.
You
can
see
that
this
new
repo
github
actions
for
ci
now
lives
in
my
user
space,
and
so
there
it
is,
and
we
have
these
steps
that
we're
gonna
go
through
in
the
course
we're
gonna
set
up
a
use,
a
templated
workflow
validate
that
workflow
can
run
successfully.
B
I
think
it
actually
fails
at
some
point
here
when
we
try
to
reuse
artifacts
in
different
jobs,
and
so
that's
that'll
be
interesting
for
us
to
hack
on
together.
Hopefully
I
get
stumped,
because
I
know
what
you're
really
all
here
for
is
blood,
and
you
want
to
see
me
see
me,
get
tripped
up
right
so
so.
B
Go
ahead
and
get
started
and
use
a
templated
workflow
all
right,
so
again,
super
cool!
You
can
see
that
github
learning
lab
is
a
bot
that
actually
comments
in
this
repo
that
it
created
for
me
and
really
the
comments
kind
of
walk
you
through
the
lesson,
so
I'm
going
to
get
out
of
the
way
here.
I
can
see
that
I'm
totally
blocking
what
you're
looking
at
so
so
I
see
basil's
looking
for
some
advanced
functionality
and
get
a
project.
B
We
hear
you
loud
and
clear,
my
friend
and
we're
working
on
some
awesome
stuff
that
we'll
talk
about
soon,
so
I'm
gonna
move
over
onto
this
side.
Hopefully
that's
a
little
easier
for
you
to
see
and
yeah
how's
that
actually
you
know
if
you're
looking
over
my
shoulder,
you're
not
going
to
be
reading
this
stuff.
B
It
teaches
us
a
little
bit
about
ci,
and
so,
if
you
want
to
learn
about
ci,
if
you
want
people
in
your
org
to
learn
about
ci,
this
is
a
great
way
to
do
that
because
it
really
walks
them
through
the
core,
so
feel
free.
If
you're
doing
this
on
your
own,
you
know
to
do
that
yourself
or
just
to
watch
over
my
shoulders
totally
cool
as
well.
B
B
Always
an
activity
associated
with
each
of
these
issues.
You
can
see
that
the
the
learning
lab
bot
has
opened
this
issue
and
it's
asking
me
to
create
a
pull
request
with
the
templated
work.
Templated
workflow,
so
it
makes
it
super
easy
kind
of
cross
links
across
my
repo.
I'm
gonna
go
to
the
actions.
B
Tab,
choose
the
templated,
node
workflow
and
and
commit
the
workflow
to
a
new
branch
with
a
poll
request:
titled
ci
for
node,
so
my
task
is
to
create
a
new
ci
workflow
through
the
actions
tab
now
what's
good
about
this
is
I've
already
hinted
to
if
you're
listening
a
little
bit
earlier?
I
was
talking
about
what
that
experience
is,
if
you're,
a
new
repository
and
you're
getting
actions
for
the
first
time.
So
this
is
the
experience.
B
B
So
this
is
the
experience
when
you're
landing
in
a
new
and
a
new
workflow
page,
these
pretty
much
scaffold
out
ci
for
your
workflow,
and
you
also
have
these
services
so
check
out.
Like
there's
an
azure
deployment,
workflow
pre-baked,
you
got
aws
workflows
all
types
of
workflows
that
you
can
just
click
to
set
them
up
and
it'll
scaffold
it
out
for
you
now
you
can
set
it
up
yourself
if
you
choose
to
or
just
commit
one
of
those
workflow
files
to
your
github
directory.
You
can
do
that
as
well.
B
B
So
it's
up
to
all
experts
now
on
github
actions,
workflows
because
we
talked
through
the
other
one
I'll
just
breeze
through
this,
and
we
can
merge
it
and
hopefully
get
a
pet
on
the
back
from
the
automation.
So
the
name
of
this
workflow
is
node.jsci.
We
can
see
lines.
Six
to
ten
here
are
triggers.
We
want
to
trigger
on
a
push
to
our
main
branch
or
a
pull
request
against
our
main
branch,
we're
going
to
run
this
job
in
a
linux
machine
on
git
of
actions
or
so
github
infrastructure.
B
You
can
also
run
this
stuff
on-prem.
You
might
already
be
familiar
with
how
to
do
that,
if
not
our
documentation,
you
know,
I
think,
describes
the
process
to
get
that
stood
up
pretty
pretty
well
so
check
that
out,
so
we're
going
to
do
a
ci
matrix
strategy
across
all
these
different
versions
of
node
we're
going
to
check
out
the
latest
version.
So
I
pointed
to
this
before
right
now.
You
notice
it
again.
B
B
So
I
see
folks
are
yeah
cool,
okay,
okay,
good,
so
I
see
folks
are
still
active
in
the
in
the
linkedin
chat,
maybe
making
fun
of
me
a
little
bit
for
trying
to
hold
those
icons.
But
you
know
that's
okay,
so
I'm
gonna
go
ahead
and
I'm
gonna
start
this
commit
here.
Let
me
I'm
just
going
to
make
it
a
little
smaller
because
I
think
it
kind
of
distorted
my
my
interface.
So
you
know
it's
start
a
commit
and
I
cannot
push
it
directly
to
the
main
branch
I'm
going
to
commit
it
here.
B
B
So
check
it
out,
I
created
that
pull
request
ci
for
node.
It
says
there
was
a
success,
great
job,
adding
a
templated
workflow.
Thank
you
and
we're
gonna
run
a
templated
workflow
okay.
So
now
the
learning
lab
bot
is
doing
what
I've
already
done.
Automation
is
also
replacing
my
job,
so
so
that's
a
reality
we
all
have
to
reckon
with.
B
So
the
github
learning
lab
bot
is
commenting
on
and
teaching
you
about,
each
of
the
steps
of
all
the
jobs
within
your
workflow,
and
so
you
see
here
it's
going
to
talk
about
the
triggers
and
all
this
good
stuff,
I'm
going
to
scroll
through
that.
We've
already
talked
about
it.
If
it's
interesting-
and
maybe
I
spoke
too
quickly-
feel
free
to
you
know
feel
free
to
you
know,
spend
your
time
there
as
well
cool
okay.
So
I'm
just
gonna
scroll
down
to
the
next
activity,
or
did
I
already
scroll
past
the
activity?
B
Let's
see
I'm
going
back
to
the
original
issue,
I
don't
know
maybe
you've
seen
where
I
haven't
seen.
Okay,
this
is
interesting,
so
it
looks
like
our
ci
actually
failed.
It
failed
after
33
seconds,
so
this
is
actually
kind
of
cool
anyway,
even
though
it
kind
of
illustrates
you
know
that
I
have
not
successfully
set
up
ci.
B
This
is
cool
because
it
shows
you
that
some
checks
were
not
successful
and
what
that
experience
is,
and
so
once
it
fails,
we
cancel
out
the
rest
of
the
matrix
bill,
the
matrix,
builds
and
and
report
that
back
to
your
checks,
service
and
so
okay.
So
here's
so
it
looks
like
the
bot
was
just
the
label
moment,
but
here's
our
new
activity.
So
it
wants
us
to
navigate
to
the
open,
pull
request
to
add
our
chest
tests
and
merge
the
pr
so
okay,
so
it
actually
tells
us
why
it
fails.
B
B
No
tests
were
found.
So
basically
I
could
see
that
no
tests
were
found
here
and
that
you
know
the
process
completed
and
it
exited.
So,
basically,
I'm
out
of
luck.
No
tests
are
actually
even
integrated
here.
So
let
me
go
back
to
the
conversation
in
this
pr,
I'm
going
to
scroll
down
for
a
moment.
Sorry
I'm
scrolling
fast,
but
that's
just
to
get
to
the
meat
and
potatoes.
So,
okay.
B
The
activity
here
it
says,
navigate
to
the
open,
pull
request,
titled
adjust
test
and
merge
the
pr
so
we're
going
to
add
some
tests,
keep
our
tabs
kind
of
light
here.
So
here
is
the
I'm
going
to
pull
request
number
three
that
was
open
for
me,
so
it
says
great
job.
Thank
you.
This
pull
request
introduces
jest
a
popular
testing
framework.
B
We
see
some
commits
here
from
the
rest
of
the
team.
I
see
gabenga
commenting
in
there.
This
is
awesome.
Thank
you
for
that.
Thanks
for
the
feedback,
if
there's
anything
you'd
like
to
see
feel
free
to
share
that
back
with
me
and
with
us
at
github
and
we'll
you
know
we're
going
to
show
you
anything,
that's
interesting
for
you!
So
that's
the
idea
I
see
jose
is
working
with
hollywood.
That's
awesome.
Hollywood's
awesome
super
technical
used
to
work
at
nasa
bright
guy.
I
always
like
to
learn
from
him.
B
So
that's
why
he
is
the
the
moderator
here.
Okay,
so
it
says
great
job
go
ahead
and
merge
this
pr,
so
we've
now
we
have
just
test
so
hopefully
now,
when
we
run
ci
it'll
actually
see
our
tests
we'll
see
whether
or
not
they
actually
pass,
but
we'll
actually
go
ahead
and
just
merge
this
pr
hollywood
grimacing
in
the
chat
there
blushing,
I'm
sure.
B
B
See
these
yellow
dots
here,
that's
just
illustrating
that
our
checks
are
in
progress
right
and
so
we're
running
these
workflows
we're
trying
to
determine
whether
or
not
our
ci
pass.
So
I
want
I'm
scrolling
the
top
of
the
pull
request.
I
want
to
go
back
to
the
checks
tab
without
clicking
on
it
directly
from
that
details,
link
that
was
in
at
the
bottom
of
the
pr,
and
so
we
can
see.
B
Okay,
here
are
these
steps
that
comprises
build
10.x
job
because
we
have
this
matrix
ci
and
now
it's
running
npm
test,
we'll
see
what
the
results
of
that
are
in
a
moment.
Okay,
so
I
noticed
that
this
this
keeps
running
faster,
which
is
kind
of
funny.
I
wonder
if
there
are
any
performance
implications
for
node,
12
versus
other
node
versions,
I'm
sure
somebody
with
deeper
knowledge
than
I
would
have
that.
So
I
see
daniel
lost
connection.
B
B
B
Don't
ask
me
why,
so
you
cannot
ssh
into
my
vms,
but
you
can't
ssh
into
your
own
vms
if
you're
hosting
them
on-prem,
of
course,
and
so
you'd
want
to
set
up
in
your
own
on-prem
machines
in
order
in
order
to
do
that,
and
so
you
can
do
that.
Go
to
the
docs.
Hollywood
will
probably
share
those
with
you.
Mr
kamal,
I
see
your
thumbs
up.
Thank
you
for
that
and
you'll
see
it
there
cool
okay
back
to
the
content
that
I
was
sharing
with
you
all
and.
B
You're
doing
this
on
your
own,
because
this
is
something
that
the
origin
of
this
again
was
that
learning
lab
module.
So
you
can
do
this
on
your
own
time
or
you
can
just
watch
along.
So
this
failed,
my
ci
failed
and
the
reason
it
failed.
It
looks
like
it's
not
because
there
were
no
tests,
but
because
my
tests
just
failed
okay,
and
so
they
just
were
no
good.
So
initialized
with
two
players
failed.
B
Some
of
these
tests
just
failed,
so
they
expected
some
value
and
that's
not
the
value
that
they
got
so
that's
okay,
scrolling
through
here
see
it
says
that
they
expected
the
name
nate
and
said
they
got
bananas
and
that's
bananas.
So
let's
go
back
to
our
our
pr
here,
or
this
was
not
there.
That's
the
issue
from
earlier.
Sorry:
let's
go
back
to
the
to
the
pr
conversation
and
see
what
our
bot
says
we'll
see
where
our
bot
says
and
and
take
it
from
there.
B
So
again
we
noticed
that
this
is
failing.
All
these
other
checks
stopped
executing
once
we
exited.
So
let
me
scroll,
I'm
sorry,
I'm
just
going
fast.
I
just
try
to
whip
through
this
stuff,
so
we
get
to
the
to
the
to
the
parts
that
are
really
interesting.
So
it
looks
like
the
testing
framework
is
configured.
We
should
get
a
response
from
it
soon.
We
did
get
that
response,
so
hopefully,
hopefully
this
bot
picks
up
on
that.
So
we
read
the
actions
log
we
identify
which
tests
failed.
B
We
saw
that
together,
nate
bananas,
that
test
raphael
hello.
I
see
you
in
the
chat
as
well.
My
friend
cool,
okay,
so
activity
tell
the
bot
which
test
is
failing,
so
we
can
fix
it.
Now
we
get
to
log
output,
identify
a
name
of
a
failing
test
comment:
the
name
of
the
failing
test.
Okay,
so
I'm
gonna
go
ahead
back
into
the
details
here
for
a
moment
and
look
for
one
of
the
names
of
the
tests
and
comment
them
and
let's
see
what
happens
cool
actually,
so
it
auto
scrolled
me.
B
B
What
do
you
all
think
starts
the
game
with
a
random
player?
I
think
that's
probably
the
name
of
a
test.
Let's
go
ahead
and
drop
that
in
there
and
see
if
it
likes
that.
So
it
wants
me
to
comment
the
name
of
the
failing
test
here
here,
but
here
maybe
just
means
in
this
pr.
So
I'm
just
going
to
go
ahead
and
comment
and
we'll
see
what
happens.
B
B
Failed
logs,
okay,
so
here
was
my
comments.
That
starts
the
game.
With
a
random
player.
Reading
the
failed
logs,
one
of
the
failing
tests
is
initialized
with
two
players.
Okay,
I
think
we
saw
that
before
when
we
were
looking
through
the
logs,
so
no
worries
that
that's
not
the
one
I
reported.
We
also
saw
this.
That
was
not
right
me
and
bananas.
B
B
If
you
dig
deeper
into
the
logs,
you
notice
these
results
in
particular.
So
this
is
again
it's
really
nice.
It's
kind
of
walking
me
through
why
my
ci
filled,
and
so
hopefully
it's
it
teaches
you
exactly
that
which
is
how
to
debug
your
ci,
and
so
it's
going
to
ask
me
okay,
so
the
automation
wants
me
to
make
the
changes
suggested
below
and
then
it's
going
to
respond
when
the
workflow
runs,
and
so
it
looks
like
these
changes
are
to
add
bananas
and
swap
that
out
with
p2
here
that
variable.
B
B
I'm
going
to
defer
to
you
all
what
you
think
I
should
do.
My
preference
is
always
whatever
is
easiest
and
it's
right.
So
I'm
going
to
call
myself
a
typical
developer
here
and
give
myself
some
celebrations,
because
it's
easy
to
do
so.
So
let's
go
ahead
and
commit
here
and
again
feel
free
to
drop
in
that
linkedin
chat
there.
Whatever
you,
whatever
direction,
you'd
like
to
go
here.
B
Okay
and
so
hollywood,
I
think
so
hollywood.
I
just
want
to
call
your
attention
to
what
mert's
asking
for
in
the
linkedin
chat
there.
I'm
sure
we
can
send
him
some
documentation
to
how
to
actually
print
the
directory
that
the
runner's
in
or
print
the
directory,
that
you're
in
on
the
runner
at
runtime.
B
B
D
B
See
one
of
the
filling
tests,
if
you
dig
deeper
in
the
logs,
you
may
notice
these
results
in
particular
initialized
with
two
players
expected
game.p2
to
be
nate.
This
tells
us
that
the
unit
test
has
been
written
with
names
to
find
it
to
find
out.
It
may
help
to
know
it's
common
practice
to
name
test
files,
the
same
as
the
code
file
they're
testing
in
make
the
changes
suggested
below.
Okay,
let's
see.
B
So
so
it
just
took
a
minute
to
update.
So
that's
good,
there's
no
debugging
necessary,
which
kind
of
lets
me
off
the
hook.
Lets
you
off
the
hook.
So
that's
great.
It
says
great
job.
Thank
you
for
that.
It
did
all
the
work
for
us,
which
is
awesome,
but
it
also
just
illustrates
how
to
how
to
debug
live.
B
So
it's
going
to
respond
when
we
merge
the
pr
go
ahead
and
merge
the
pr
again,
you
see
the
experience
here
so
something
I'll
tell
from
the
folks
on
the
appsx
side,
like
merc
check
this
out
and
some
of
the
other
folks
I
saw
commenting.
I
saw
john
coming
to
me
in
here
early
to
toss
in
as
well,
so
this
interface
is
what
you
might
have
already
experienced
with,
like
all
your
third-party
plug-ins.
B
B
I
think
we
saw
that,
maybe
before
in
our
demo,
when
we're
looking
at
dependent
code
scanning
being
here
as
a
required
status
check
and
so
again
the
idea
is
we're
going
to
enable
you
to
enforce
policies
or
honor
policies
if
you're,
if
you're,
just
on
the
dev
side,
that,
if
you're
introducing
some
pull
request
with
a
certain
vulnerability
or
a
regression,
you
can
block
that
pr
from
getting
merged
like
you
do
with
ci
today.
So
let
me
go
into
merchant
pr.
B
Awesome
and
it
says
see
that
kashab's
asking
about
internship
opportunities.
Yes,
there
are
definitely
internship
opportunities,
open
positions
at
github,
we're
looking
for
awesome
developers,
folks
are
passionate
about
developers.
So
if
you,
if
you
enjoy
working
with
github,
if
you're
a
developer,
please
please
check
out
the
opportunities
we'd
love
to
meet
you.
B
What
else
is
going
on
there?
Mr
jose
whatever's
easier,
is
right,
new
mantra.
That's
right,
mr
jose
we're
just
taking
the
easy
way
out,
but
you
know
what,
if
it's
easy,
and
it's
right,
I
don't
know
what
to
tell
you.
I
don't
know
how
to
argue
with
like
how
do
you
argue
against
that
and
mr
ozan
cool,
not
enough
stack
overflow,
tabs,
open,
good
observation
by
max.
That's
true,
there's
yeah!
That's
true,
because
it's
doing
it
all
for
me,
it's
making
it
so
easy.
B
So,
let's
look
at
the
next
task
here
I
know
we
have
like
10
minutes
left
together,
give
or
take
a
few,
so
I'd
encourage
you.
Please
continue
to
follow
along
if
you're
interested
in
just
going
to
learning
lab
doing
this
on
your
own
time.
That's
okay
as
well
feel
free
to
ask
any
questions
if
you're
blocked
on
you
know
some
feature:
implementation
you're
on
org
on
your
own
project.
B
If
there's
a
specific
interest
to
you
drop
it
in
the
chat
here
and
we'd
love
to
hear
from
you,
we'd
love
to
build
future
content
based
on
your
interests.
That's
what
we're
here
for
right.
It's
really
to
to
kind
of
enable
you
to
use
the
platform
as
best
as
you
can
so
so
here
is
an
issue,
a
workflow
for
the
entire
team.
It
says
now
that
we
learned
to
set
up
ci.
Let's
try
a
more
realistic
use
case.
I
would
argue
that
was
fairly
realistic,
but
you
know
it's
it's
okay.
So,
let's.
B
The
existing
workflow
with
new
build
targets
so
edit,
your
your
existing
workflow
file
in
a
new
branch
in
the
file
target
versions,
12
and
14
of
node
only
open
pr,
titled
improve
ci
for
your
change;
okay,
so
it
just
doesn't
want
us
to
consume
all
of
its
compute
and
use
a
ton
of
a
ton
of
cycles
on
these
different
versions
of
node,
understandable-
and
I
I
understand
the
point
here
so
you'll
notice.
It
takes
me
right
to
the
edit
and
so
something
I'll
share
with
you.
B
If
you
haven't
already
noticed
this
this
this
standard,
your
workflows,
your
infrastructure,
your
application,
security
as
code
all
that
stuff,
all
that
operational
stuff,
that
is
kind
of
scoped.
Your
repository
on
github
we'd
encourage
you
to
consider
putting
that
in
your
github
directory
of
your
repository.
So
in
this
case
we're
github
actions,
workflow
we're
in
the
dot
github
directory.
Under
our
actions,
workflows,
we've
created
this
node.js
ci
file,
and
so
maybe
one
one
level
up
from
here
or
maybe
at
the
same
level.
B
You
can
argue
you
might
have
your
sas
scans
with
github
code
scanning,
where
you're
running
your
code
to
all
and
and
maybe
like
other
other.
You
know
security
tools-
maybe
you're
running
varicode
there,
maybe
you're
running
check
marks
any
of
the
other
tools
that
you
kind
of
know
and
love
to
use.
You
can
do
that,
so
I
totally
forgot
the
task
at
hand.
I
went
on
that
little
tangent
there,
but
it
says
open
a
pull.
Request
drop
this
from
to
just
12
and
14..
B
Up
those
versions
and
we're
just
going
to
go
ahead
and
start
that
commit
and
commit
this,
did
it
want
a
specific
name
for
my
commit,
no
just
the
pr
name,
so
I'm
flipping
back
and
forth
between
tabs.
Yes,
I
recognize
they're,
not
stack
overflow
tabs,
but
but
they
are
github
tabs,
so
we'll
go
ahead
and
create
this
pr
to
improve
ci
and-
and
our
automation
will
probably
comment
here-
I
would
assume
okay,
so
it
has
let's,
let's
close
the
other
tab,
so
it's
not
cause
any
confusion.
B
Okay,
that's
interesting,
because
I
already
made
this
change.
What's
it
want
us?
What's
it
want
us
to
do
edit
your
work
profile
to
build
for
windows?
Okay,
so
it
wants
us
to
build
for
windows.
I
think
we're
building
on
linux
before
yeah,
so
you
can
see
where
okay,
so
it
wants
us
to
build
across
ubuntu
and
windows,
and
you
can
see
actually
the
versions
here
of
each
of
these
operating
systems.
B
B
It
may
have
been
it's
on:
oh
myrt,
it
was
merc
yeah,
so
mert
was
talking
about
creating
on-prem
runners.
If
you
need
access
to
on-prem
resources,
your
artifacts
on-prem
or
some
deploying
some
on-prem
infrastructure
and
some
networking
integrations,
you
can
use
on-prem
runners
and
obviously
you
have
greater
control
over
those
machines
than
leveraging
errors.
But
the
nice
thing
about
using
our
infrastructure
is,
you
can
define
everything
as
code
and
just
leverage.
B
You
know
just
so
much
easier
because
your
infrastructure
comes
out
of
the
box
and
will
dynamically
scale
awesome,
and
I
see
mr
jose
yeah
jose,
saying
great
job,
guys
so
great
job,
everyone,
great
job,
all
the
folks
who
worked
on
the
on
the
actions
team,
great
job
to
you
all
for
continuing
to
just
kind
of
validate
it
and
give
your
feedback.
So
that's
really
what
this
this
feature
is
driven
by
git
of
actions
is
determined
by
your
feedback,
so
all
right
cool.
B
So
let
me
stop
monologuing
and
actually
get
back
to
work
before
this
automation
replaces
me
so
step.
Eight
target,
a
windows
environment,
and
it
wants
me
to
commit
the
suggestion.
I'm
going
to
take
the
lazy
way
out
again
easy
way.
I
saw
mr
jose
earlier,
take
the
easy
way
out
and
in
the
right
way.
So
it's
easy,
but
it's
right.
My
wife
hears
me
say
that
it's
that's!
It's
not
gonna
go
well.
Okay,.
D
B
Github
learning
learning
lab
says:
okay
great
if
you're
looking
at
the
logs
you'll
notice
that
multiple
builds
will
exist,
four
builds
to
be
exact,
two
versions
of
node,
but
it's
two
times
two,
because
it's
two
versions
across
each
of
our
each
of
our
operating
systems.
Right,
so
I'm
going
to
scroll
the
bottom:
let's
actually
go
there
and
and
see
what's
going
on
here.
I
think
that's
what
we
did
didn't
we
keep
that
matrix
build.
B
Okay,
so
okay
just
took
a
moment
to
update
yeah,
so
that's
yeah.
So
this
is
what
I
expected
to
see.
I
guess
it's
pointing
on
this
side.
So
let
me
go
over
here
for
you
yeah,
so
it
was
just
taking
a
moment
to
load,
but
the
idea
is
that
we're
running
ubuntu
across
these
different
node
versions,
we're
running
windows
across
these
new
versions,
looks
like
all
the
ci
passed,
which
is
awesome
that
should
report
back
in
our
pr
workflow,
just
exactly
where
at
the
bottom
here,
while
our
checks
are
so
all.
B
D
B
B
Going
to
be
we're
going
to
stay
on
this
linkedin
chat
for
a
few
moments.
So
if
you
want
to
give
us
feedback,
if
you
don't
want
any
ask
any
questions,
feel
free
to
do
that
on
that
thread,
and
we
can
answer
any
questions
that
you
have
there
yeah
and
it's
been
a
pleasure
working
with
you
all.
It's
been
a
lot
of
fun.
Just
sharing
some
of
these
new
features
on
gas.
It's
been
a
lot
of
fun,
just
walking
you
through
learning
lab.
B
Hopefully
that's
useful
for
you
to
learn
some
of
our
new
features
in
a
hands-on
way.
If
you're,
a
hands-on
kind
of
kinetic
learner,
that'll
be
a
good
opportunity
to
do
that,
and
my
friend
jonathan
cardona
there
is
is
going
to
answer
some
questions.
I
see
aj
monitoring
the
chat
as
well,
for
you
also,
okay,
so
wants
us
to
edit
the
workflow
file,
create
a
new
job
called
tests
and
then
and
then
build
so
the
build
job.
A
good
following
okay.
D
B
B
So
friends,
this
isn't
necessarily
the
whiz
bang
we
like
to
leave
you
with,
and
so
so
I'd
encourage
you
again.
If
you
have
any
comments,
questions
feel
free
to
drop
those
in
the
linkedin
chat.
We're
still
here
hanging
out
moderating
that
for
you
hopefully,
this
was
both
interesting
kind
of.
Hopefully
you
learned
something
new,
if
not,
hopefully
reinforce
some
concepts.
You're
already
familiar
with.
You
know,.
B
A
C
A
Thanks
for
all
the
hands-on
resources,
I
mean
like
that's
a
lot
for
someone
to
go
through,
even
if
they're,
just
starting
with
actions
getting
into
the
learning
lab,
seeing
actual
examples
trying
to
find
things.
But
you
know
what,
if
you're,
looking
for
kind
of
broader
content
like
what,
if
this
kind
of
thing
isn't
what
what's
available
at
your
your
company
or
organization
right
now
like?
Is
there
anything
that
folks
should
look
out
for
to
help
them
bring
these
kind
of
capabilities
to
their
companies
and
organizations?.
B
A
A
Things
up
a
little
bit
yeah,
it's
a
new
series
called
in
focus
and
it's
a
global
event
for
software
enterprise.
Software
talking
about
devops,
talking
about
advanced
security,
talking
about
developer
experience
and
it'll,
be
available
in
all
three
well
at
least
three
regions
globally,
and
you
can
sign
up
I'll
drop
the
link
into
the
chat.
It's
called
infocus.github.com.