Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitHub / Demo Days / 30 Sep 2020
GitHub / Demo Days / 30 Sep 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Demo Days - Label an issue, deploy an application

Description

Bryan Cross and James Ha, Solutions Engineers, provide an intro to deployments with GitHub Actions. Learn how to deploy an entire application framework with Terraform, Ansible, and Azure—just by labeling an issue.

Learn more about DevOps here: https://github.com/learn/devops

A

Good morning,.

A

All right, so my name is brian cross. I am a principal solutions. Engineer at github today want to thank everybody for joining us for this iteration of github demo days, uh where we're going to be looking at github actions in a little more depth. So we'll start off with a little review for those of you that may not have been able to make previous sessions or haven't been exposed to uh github actions, yet I'll also introduce my teammate james.

A

ha He- and I are tag teaming this because I am sitting in the parking lot of the great basin national park visitor center in far eastern nevada, basically the absolute middle of nowhere where somehow I have excellent connectivity- and I give you guys a uh scenic backdrop, but the fires in california have cut visibility down to under a mile. So can't really tell where I am all right. So james, you want to say good morning.

B

We'll do hey everyone, it's really great to be here with you, as brian said, I'm his peer here at github. uh Also solutions engineer so I'll be moderating. The chat so feel free to ask your questions and we want to have a really interactive experience with everyone all right. So just let us know anything you're considering and I'll feed that information bright.

A

Yeah, absolutely, let's make this interactive. I've done this demo 100 million times, so uh the more questions and specific uh points of view that we can address. I think, the better off uh we'll all be all right. So uh thanks james for that introduction, and uh can you see my screen.

B

I can yes, sir.

A

Awesome all right, let's go ahead and get started so we're gonna start off, like I said, with kind of a review, uh something that I like to call the five minute demo. That shows just how quickly you can get started, doing real work, uh continuous integration and continuous delivery, slash continuous deployment with github action. So what you're seeing right here is a brand new empty repository. Nothing in here nothing up my sleeve, nothing under my hat.

A

uh What we're going to do is set up actions to package an application and deliver it to npmjs and to the github package registry, all in less than five minutes and at the same time, github dependibot will. Let us know whether or not there are any vulnerabilities in our open source dependencies uh and create pull requests if a patch exists.

A

So real, quick, we'll just jump over to some code that I have already written but have not yet pushed just a typical javascript application. I bumped my version here so that will successfully publish over to npmjs and now I'm just going to go ahead and push this up to github and as soon as that's complete, dependable will do its thing and we'll go over and look at creating some github actions and, of course, connectivity being what it is.

A

This may or may not work, so we'll give it a second here to see if it can actually push its way through there. We go and let's head back over here and see, if we'll be lucky enough to be able to refresh this page and if not there. It is all right. So here we are we're what 20 30 seconds into this demo and already.

A

I know that I have introduced vulnerabilities into uh my enterprise here by virtue of something that I imported into uh into my code uh and it's worth pointing out by the way that 90 or more of the code, that's going into new applications in the enterprise uh is actually open source code that people are pulling in uh through their dependency file, so that works for node. It works for java works for ruby works for go any of these other platforms that we code on today.

A

The vast majority of the actual code that we're using is written by somebody else, which of course, is great because that's work we don't have to do, but it's also potentially an avenue for vulnerabilities to enter our uh repositories into our code bases and cause problems later on. We'll touch back on that here in a sec all right. So, as I said, what I want to do is uh create a github action and get a workflow to package and deliver this application to npmjs and also to get a package registry.

A

So what I'm going to do is click on the actions tab that takes me over here and what I'm going to see at this point are the workflows that are suggested for my repository and it's worth looking at all of these, because github is the home to over 50 million developers and what that means is everybody and anybody who plays in this space whether they provide a tool or a service or particularly, if they're a cloud provider.

A

They want to make it as easy as possible for you to take advantage of their products and or services. So there are tons of templates in here that are partners. Aws google cloud platform azure have created that make it very simple, with one click and a little bit of modification to start delivering your code to uh to their platforms. However, it's also possible for you, as an organization admin on github, to set up template, workflows as well, and that's what I've done here.

A

So I've set up a template workflow for node ci cd, just for my organization and in a second we'll figure out why that is important and how it can help your teams to greatly increase their velocity. So I'm going to click on set up this workflow and that's exactly what happened. So I've got a workflow file here, I'll zoom in a little bit on that, just to make sure everybody can see- and here it is so uh just to review on how github workflow files work.

A

The first section is a trigger and github supports over 100 events that you can use to trigger workflows. So we often think about triggering ci cd when we push code, maybe when we create a pull request, maybe when we do something else with respect to the source code. In this case we are triggering when we create a github release and github release, of course, is just a package of binaries and other files linked to a specific commit that folks can download.

A

But when that event happens, we're going to run this workflow and what are we going to do in this workflow?

A

Let me move this up a little bit here, see if we can get a little more view make this a little bigger all right, so we're going to do two things. The first is we're going to build this code, so this is the build uh step inside of this job. I'm sorry! This is the build job inside of this workflow workflows, of course, can have multiple jobs, so in this case we're going to just do a simple build on the latest version of linux, linux ubuntu linux.

A

But it's worth pointing out that you can build your code on linux, on windows, on mac or any combination of those three at the same time, and we'll take a look at that in a second when we uh talk about matrix builds.

A

So the first thing we're going to do is we're going to use an action to check out the code onto our runner, we're using runners, the github hosts in our cloud and then we're going to set up the node environment on that runner to do what we need to do and in this case we're going to use node version 12.. So these are github actions inside of a workflow and if you look at these right here, those look suspiciously like parts of url or a url slug, and that is exactly what they are.

A

So if you go to github.com forward slash actions forward, slash setup node, uh you can actually browse the source code for uh this action, so what actions are are reusable components, just like the open source modules that we use to extend our uh coding capabilities with our source code. We can now do exactly the same thing with github actions, so.

B

We're.

A

Gonna go ahead and set up our runners and then we're gonna just run some simple npm commands to do some testing and then we're going to move on so the next job in this workflow is publish to node package manager. Now, interestingly, we don't want to do this if our build fails for whatever reason. So we have this needs clause. If the build job succeeds, we will move on and run the next few jobs. If not, uh the workflow will fail and we'll have to take some sort of action.

A

So much the same sort of thing here. We're gonna, run ci again just for good measure, but here we're going js, which is the registry we're set up for right here. You know that you have to authenticate and I'm using a secret. uh Now I have this a brand new repository. I haven't set up any secrets. These are secrets that are set at the organization level, which again means that, as an organization admin, you can not only set up the template.

A

Workflows like we're using right here, but you can store secrets like usernames and passwords for services like npmjs.

A

The folks in your organization that are using these workflow templates will never see those they don't have to interact with them, they're just available for them, so that'll publish to npm and then, at the same time again, if the build job succeeds, we're going to do exactly the same thing, publishing to the github package manager and one of the cool things about to get a package manager is it's designed to work completely seamlessly with the cli tools that you're already using for package management so same npm, toolset, nothing changes!

A

All we have to do is redirect it to the right url for the github package manager uh and, uh in this case, apply the secret, that's provided by this workflow all right. So that's! This simple workflow in a nutshell, takes me longer to tell you about it than it does to create it. Let's go ahead and commit this and bear in mind that workflows are just code files, so they live in the same repository and they are susceptible to the same uh workflows that you would use for anything else.

A

So the code and the workflows and the other objects that are working on uh testing building and delivering that code all live in the same repo, no need to switch over to other tools, no need to contact switch and, most importantly, all of the teams, all the people that are responsible for these uh are working together in the same place and are able to use github to create a true collaborative home. So when we say dev and ops, this is what we mean.

A

Let's put the developers and the ops folks in the same place, working in the same way all right. So here is our workflow file. It lives in the dot github directory and, as we discussed earlier, this is going to trigger when I create a github release. So I'm going to go ahead and do that.

A

I am going to click on, create a new release and the way this works is you give it a get tag, we'll call this version 5.77 and then, in the interest of time, I'm not going to fill anything else out and we'll go ahead and publish this release so under the covers that has fired that event that we talked about which will trigger the action. Here's my release and if I go over to the actions tab, I can see that in fact my basic node ci job is running.

A

So I can click on that and focus my view in a little more click on the actual workflow and we'll see the jobs that are running so right now the build job is running as we discussed the other two jobs that are actually going to deploy. This stuff uh depend on this job completing successfully now. Obviously, these are running on runners, it's going to take a little while for this to actually happen. So, while that's going on, let's go and take a look at what dependabot has done in the meantime.

A

So earlier we talked about how github very quickly scanned uh my dependencies in my package.json file and, in fact, as this big yellow banner, that nobody could possibly deny exists, uh lets me know uh very unequivocally that there are vulnerabilities that I've injected into my enterprise. So let's learn more about them by clicking on the see dependable alerts there, they are the usual suspects. If I click on one of these, for example, lowdash, which often comes up in these situations, I can see that uh I need to bump it to version. 4.17.20 get up.

A

Tells me what I need to do to do this in a couple of different ways, as well as information about why this is a problem right. So I can make a decision myself about whether I agree that this is a low severity bug all right more than that, though, uh in the time it takes really to learn what these alerts are all about.

A

If I click on the pull request, tab github's already created these pull requests, so here's the one to bump low dash. If I click on that.

A

I can see what commits were necessary in order to make this actually happen. I can see the changes that happened in the package.json file. In other words, this is just a normal pull request, so we can run it through the same review process. The difference is github created it for me as a developer and honestly, that's 90 of the battle in terms of improving your team's uh response time around fixing their vulnerabilities. All right, let's go see what's happening over on the actions page, so it looks like the build job has succeeded.

A

We got the little green check mark, that's great. As a result, we have now moved on and we have completed the published job both for npm and gpr, so over here on the right I can see what's going on. So if I want to see what my ci results were, I can open that up in the log.

A

I can see the actual output of those commands. If I want to see that- and I can also see the results of the publish command so if anything had gone wrong, I could figure that out in here all right. Let's hold it over to npm real, quick, we just published 5.77, you can see the 10 days ago, I published 5.75.

A

Let's do a quick refresh see if that actually worked, and this would be the time. Oh there we go. Connectivity is great. uh So actually I published 5.78. uh That was what was in my package.json file, so that worked, let's head back over to github and just validate that the packages actually uh worked as well.

A

So I'm gonna refresh this page uh scroll down to the packages section and actually that may take a little bit for that to show up, but it is there 5.78, so there you go took me longer to tell you about it than it did to actually do it uh so getting started with github actions is very, very straightforward.

A

uh Again. Some of the keynotes actions, reusable components that now allow you to compose your workflow. Instead of actually write it, the ability to set up template, workflows that are pre uh configured to work in your organization, so, let's drill down a little bit into how we actually do that.

A

So if I have an organization in this case, it's github.com forward, slash rebelware, I can create a special repository inside of that organization called dot github, and this is where we stash uh various things that we want to apply to the entire organization. So in there I have a directory called workflow templates, and here I've got the actual uh properties file that defines that template workflow, that's going to show up here.

A

So if I click on this, this is the actual workflow file, and then these are the properties that define when this workflow is going to appear in my user interface. So I give it a pretty print name, a description that helps my team figure out. If this is the workflow they want, uh I can select from a palette of options, and here I can also provide filters. So if github examines the code in a repo and using its uh ai machine learning, capabilities determines that that is a node or a javascript repo.

A

Then this template workflow will appear, but if not, then uh it won't and then you've got other patterns down here you can use to match as well. If there is a package.json in the commit that's been modified, then this template will appear as well. So again, what does that mean? What do these templates do for you? What it means is, if I go to the actions, tab and select uh create a new workflow.

A

These appear here so over here on, the right is github's default, uh publish node.js, because again it's detected that this is a node repository, but here's where my template appears so lots of tools for organization administrators to use uh to make it easy for folks to get started and do the right thing with respect to ci cd using github actions all right. So this is a good spot james, any thoughts from your end or any contributions or questions from the channel.

B

Thanks brian, no we're doing excellent here uh we have some good involvement here, no direct questions from the channel, but y'all. If you have anything to add, please feel free to ask that's why we're here and yes, this is the official github channel, so we're presenting to you live and with mr brian cross, our principal solutions, engineer remote.

A

Work is a thing I am 300 miles from the nearest grocery store. That's right! We're.

B

Doing it live.

A

So let's go ahead and switch over and take a little more in-depth look at a slightly more complicated example. So earlier we talked about how github actions can respond to any one of the 100 plus events that github supports, and these events happen all the time, if you create an issue, delete an issue modify and issue comments on an issue. Add a label to an remove a label from an issue or pull request. All of these are things that emit events, that github can use uh to uh start a workflow for example.

A

So this is a uh an example of a simple application. Now, in this case we're using java uh here it is and what it is. Basically, it's just a simple bookstore, so you're going to see something when it's uh deployed, uh that's uh pretty straight forward, just a list of books. So let's say, though, I want to change the title of one of my books, so I'm going to come in here. I've already created a pull request, we'll go ahead and click on that and we'll see what I'm doing here.

A

Click on the files changed tab. All I'm really doing is changing crossing the chasm to bridging the abyss. So a pretty simple check now. This pull request, of course, is open, and currently it is. I can't merge this pull request because it requires at least one approving review, but I still want to know what my code is going to look like when I deploy it somewhere.

A

So how can I do that easily and the way that I can do that easily in this case is to use the actions that my organization admin built into the template for this repo and deploy it, and it's easy as you could possibly imagine, I'm going to go ahead and click on labels, and I want to deploy this to the staging environment, and that, literally, is all I have to do when I add this label right here.

A

That is going to create an event and if I look at the actions tab, what I'll see are actions that have commenced to actually build and deploy this to my staging environment and again, there's all kinds of stuff. That's going in here we are scanning the code with github advanced security. uh Looking for defects that we've introduced into the code, we are building a container that we're going to use to actually deploy that application.

A

We are scanning that container again using github advanced security to ensure that the container itself doesn't contain uh uh security, vulnerabilities or defects. Then we're gonna package up that container and deliver it as a web app over to uh azure in this case uh and what we're gonna get. Let me just move my video window.

A

Out of the way uh is a brand new version of our application and there it is bridging the abyss so that deploy worked uh perfectly now, if at any point in this process, uh either the build or the test or the various security scans that are going on or the deployment itself. If any of those failed, we can use that inside of the pull request to make it impossible to merge that pull request.

A

So what we're doing right now is looking at branch protection branch protection, interacts and integrates very closely with your software development workflow to allow you to set up guard rails to prevent individual developers from committing code. They shouldn't commit, or inadvertently committing code to sensitive branches like maine, my ui hasn't been updated yet, but the master branch is now the main branch we want to encourage and github.

A

The ability of anybody who wants to to browse almost every repo in an enterprise and even to propose changes without relying on forks forking is a real problem inside the enterprise. Sometimes. So, how do we do that, though, without allowing somebody who doesn't have a lot of experience or otherwise shouldn't be committing code to our main branch and potentially affecting our applications in production and the way that we do, that is we set up these card rails so for any pull request to the main branch?

A

In this case, I've set it up to require at least one review, but you can require as many as six and I've also set up that certain uh also have to pass before this pull request can be merged. So in this case we're saying if the build on ubuntu doesn't work uh fails for whatever reason, then this pull request will be unmergeable. Now, let's say for example, though, we wanted to use github advanced securities code scanning, which is detecting novel defects that we've introduced into our code.

A

Let's say we wanted to use that in the same way, all we have to do is come into the branch protection section of the settings on the repo and click code. Ql. That's it now. If codeql detects anything in our uh in our code, pull requests won't be mergeable either. So you can use any integration doesn't have to be a github action. It could be a jenkins job could be an devops pipelines. Job uh could be anything that's designed to integrate with the github pull request api and that's literally, almost everything all right.

A

So that's how we can use actions in conjunction with branch protection again to provide guard rails around our software development life cycle to encourage the widest possible audience for participation and collaboration, while still safeguarding our production applications all right. So that's that looks like uh the action that I actually kicked off did work. So let's go back over to the code section under the covers, what's happening here, there's a lot going on.

A

Obviously we are deploying to our environment, but we're also creating a github environment and github deployments, so we can, for example, drill down into those deployments to get information about. What's going on there and of course view any of these environments. Now cloud resources aren't free, of course, so I can tear down an environment just as easily by clicking on the pull request and again using what we call issue. Ops just apply a label, so in this case I want to go ahead and tear it down.

A

I'm not seeing that label, but you can use the two ops the same way and when we, uh when we do that, an action is workflow is going to run under the covers to actually de-provision uh that cloud environment, and you can also create an action to run on a schedule to de-provision environments that developers have set up this way that haven't been interacted with over a time period.

A

That seems appropriate to you so very easy to set up housekeeping to avoid unnecessary or excessive resource consumption, but also super simple: to set it up from the beginning for your developers to actually deploy their application directly to your cloud provider without any knowledge necessarily of how to do that. So the next thing we're going to do is drill down into how that actually works. So how do we set up an environment like this for your developers uh to make it this easy all.

B

Right, that's mr.

A

Yes, yes, sir,.

B

I think this is actually a great point before we get into that to see. We have actually great reactions in chat, we're getting a lot of woes and seems good and lulls. We actually have a question here from uh toc fcws. Just asking: um does this all come for free? So would you mind just at a high level just going over kind of that value proposition of this being built for public repositories and some are different paid plans.

A

Yeah, so uh I don't have the actual matrix in front of me, but in a nutshell, github actions are available for kid of enterprise customers for certain customers on team plans and I'm not sure about availability for straight up open source, but I believe they're available for there as well.

A

If you have an organization, uh for example, a github enterprise organization that you're using at work, uh you get 50 000 free action minutes a month which is quite a bit uh and then, after that, it's a very, very uh reasonable pay, as you go uh per minute charge uh for what it's worth github is not making money uh on the uh processor uh runtime for our hosted runners.

A

We are passing those costs through basically at our cost, uh in order to make actions as accessible as possible to everyone bear in mind that uh the linux runners are the cheapest. uh Next would be the windows runners and the mac. Os runners are significantly more expensive. I think 20 25, more expensive get a package registry is also available. uh Github advanced security, the code scanning element that I talked about.

A

Looking for defects in your code, novel defects, that is an additional product available for purchase, the dependabot alerts that I showed you, which are detecting vulnerabilities in the open source dependencies that you're pulling into your projects uh dependable, is available to everyone. uh Does that answer the question? uh Do you think james.

B

Yes, sir, that does thanks so much brian. I include a link everyone in the chat at the bottom to our uh pricing page as well. You can take a look free for open source repos because we love open source and then different paid tiers, as brian mentioned. Thank you, sir.

A

Cool all right, so how did I set up that environment? So we have this bookstore demo uh james and I at uh github are ses. So we do demos like this all the time and and one of the biggest uh consumers of time and effort really is setting up uh demo environments in a predictable state so that we can efficiently uh do a demo of github features uh and it turns out that uh using github actions, github template repositories and the github api.

A

You can actually set this up so that folks, like me, and james, can self-serve. We can create our own uh environments uh quickly and easily, so I'm gonna go ahead and do that and the way I do it again is just by clicking on an issue. So I'm gonna create a new issue.

A

uh The organization administrator has created a template for me to use except to move some things out of the way here. So I can actually see that I'm going to get started on that, and here it is. So all the instructions are in here for the template. What it boils down to is. Basically, I just got to give my template a or my repository, a name which I'll do right here.

A

And then I'm going to go ahead and submit this issue. Now again, we talked earlier about this. Github supports over 100 events, one of which is creating an issue under the covers. The template has automatically added the create demo uh label and if I head over to the actions tab in this repository, I can see that uh under the covers, my environment is actually being created. uh Now this takes a little while actually well. Actually it's already complete. So let's go ahead and take a a look at that new environment.

A

So I'm gonna head up here and we'll go ahead and just enter that url.

A

And our brand new repository with all of that stuff should be set up here and, of course now I forgot what I called it. So, let's head back over to the issue and refresh my memory, what did I call it.

B

And brian, while we're looking around uh for there, we have a question here from derrick bell rose. He asked: are these workflows available to look at these specific ones, derrick, uh probably not out there in our open source? Yet, however, these probably a compilation of several different components from our actions marketplace um that we're probably using trying to reduce that consumption. If you will brian any thoughts there, we don't have these on any open repos. Do we at this point in time.

A

We do not, but honestly, I can't think of a reason why they shouldn't be uh the one. The one thing that makes all of this happen, of course, is that we've got our uh we're, deploying azure in this case, but it'll work exactly the same way for aws or google cloud, or for that matter, your internal cloud, the the key here that makes all of this work seamlessly are the secrets. So our api keys, uh passwords things like that are stored as organization secrets which I'll go into here in a bit.

A

But again, I don't see any reason why we couldn't make these public uh and we'll certainly work to uh to see what we can do uh to make that happen here in the near future, because they are, I think, fantastic templates. So I think, obviously you can see I've created a repo here uh inside of this repo are all of those workflows that are going to do what we talked about earlier, deploying this application to various environments, doing that code scanning doing that container scanning. All of these are provided by that template repo.

A

So obviously, I think, if you have a team in your enterprise, that's responsible for setting up pipelines, that's responsible for setting up environments, uh architecture, teams that are responsible for articulating best practices. How do we actually do our work in this organization? This is an incredibly powerful tool. So if somebody wants to create a new java application or a new node module, for example, you can have all of this set up, so they hit the ground running.

A

Their code is building it's being scanned for defects and they have an easy way to deploy this code minutes after they create their uh their initial repository. So those are great as well. Another thing to think about is the github learning lab and what github learning lab is is an interactive tool that anybody can use, but certainly enterprises can use to set up interactive educational sessions.

A

Users can work through the steps in a github learning lab lesson, but instead of interacting with a fake video- or you know, some kind of flash animation, they're actually interacting with actual uh content in your github organization and repos. If they do something right, they get positive feedback. If they do something wrong, they get encouraging feedback to guide them in the right path. The point of that is that you can set up multiple of these environments.

A

Leverage them for your production needs, but also leverage them, along with github learning lab, to help provide an asynchronous way to train up your entire development staff. So just something to think about there all right. So we've gone ahead and created this environment. What else can we actually do with it?

A

So we looked earlier at just the simple idea of adding a an issue to a uh rather a label to an issue or a label to a pull request and having that go ahead and launch a deployment workflow, but in fact you can also trigger actions and workflows to run when a repository is created. So I just created this. You watched it happen uh and what's going on, is that that initial deployment to our production environment in this case is already happening, so we've created the commit.

A

uh We are scanning the uh container at this point and then we're going to go ahead and deploy to production. So obviously this takes a little bit of time to actually happen. So, let's look at an actual workflow around how we might leverage these features in our actual day-to-day lives as real-life developers.

A

How are we doing on the channel out there uh james any reactions.

B

uh I think we're doing great. I think uh people are seeming to really enjoy the content. Y'all, please keep the feedback coming in and uh derrick bell rose here. He actually has experience using some of these terraform actions and he's actually quite curious about the use of labels for this self-service deployment and tear down. So if you can speak to that, maybe we're going through the workflow file, sir. I are gonna, be great information for everyone to understand how we're triggering them and really how that feeds into this issue. Ops, experience.

A

Sure, let me actually head back over to my other window, so I can mess around with that. uh Screwing up my flow, so really the key here is it doesn't matter what you want to do, whether you want to initiate a terraform operation, whether you want to have that terraform operation, create an environment, modify an environment or break an environment down the key really is: when do you want to trigger that?

A

Obviously, you might want to trigger that in response to a deployment to your main branch, but, as we talked about here, sometimes you just want to do that in response to a developer request to see what things look like, regardless of what you want to do, the key is really in the the way that these are actually triggered, so we're going to drill down into these workflows here we're going to find a likely one.

A

Let's see it's probably this one, and this one occurs on a push to any branch instead of the master branch. So not exactly the one that I'm looking for. Oh, where is it? Is it create deployment?

A

Here we go so earlier. You saw that I added a label to that pull request and that made the magic happen. This is what actually causes that the pull request category under the pull request. There are about 25 different subtypes. For that event, for example, opened closed merged modified, you name it, but in this case, if we add a label, this workflow will trigger, and this is all the goodness that makes that happen. So we've got the github token. That's provided by the workflow and then later on.

A

We've got tokens that allow us to interact with our apis and that also allow us to authenticate to and deploy code to, the uh the azure uh environment. Again, this would work exactly the same way whether it was terraform, google cloud heroku, your own data center doesn't matter and by the way, terraform has a fantastic library of both workflow templates uh and actions out there that make it super simple to just plug in a couple of variables, using that secrets repository and then make terraform do stuff as well.

A

So real quick while we're here, I thought I would talk about those uh those secrets, so you see them in action here. This github token, this is actually provided by the github runner environment when you run a workflow but there's others down here as well. uh So, for example, this octodemobot token. So if, like me, uh you would often run into the need to store sensitive information, passwords keys things like that uh in a way that's available to your ci or cd workflows.

A

This can be dicey right. So one way of doing that is the env file, and if you forget to include that in your git ignore now all of your secrets are committed potentially to a public repository on github. We will detect those uh in many cases, but nonetheless that's something you want to try to avoid. So why not just use the secrets repository inside of github and that occurs at two levels: the first we're hearing an individual repo. So let's click on the settings. Tab and uh down here in settings uh would be secrets.

A

So I click on the secrets option in the menu uh and then I can create a new secret and it's the simplest thing in the world. It is just an encrypted key value store. So I can say I want to create a new secret if I could spell correctly.

A

That's the name that I'll reference in the code and then I give it some value and that's it that's how we add a new secret. Now these secrets are scoped to the repository.

A

So if we head back over to the code section uh and look at our actual workflow code, we can use these secrets only in the context of workflows that we're creating in this repository, but as we saw there may be keys and secrets that you want to make more widely available to your development teams securely like this one, for example, or your cloud deployment keys and the way you do that is very similar except you do it at the organization level. So I'm going to click on the octodemo org.

A

Let's see if I'm an actual admin here hey. I am that's awesome and again exactly the same thing. So on the organization settings page, if you're an org admin, you also have a secrets repository. So that means you can set up things like your azure api token and your aws api token, uh your google cloud api token. All of these can be here totally secure, managed by organization admins but available to be consumed by anybody who's working in this organization. Does that answer the question.

A

It's kind of a long answer.

B

Yes or no, I think that was great going through that flow brian of the workflow, to how you call secrets and all those different things you can label and put even conditionals in there and I'll. Let you get to your next portion and I'm just going to communicate to our chat. Here we had one of our user gawa bugma, zero, saying that his company still, unfortunately, seems uses uh jenkins tier face, uh and just to that uh we did mention chat. So we've had several really happy.

B

Customers come from jenkins or ci, or other solutions out there to give actions with great results, and I think it's really that context. Switching that you no longer have to worry about it's something that you're able to use out there in your open source projects and then also leverage at work. In addition to this great body of a marketplace of different users and then one thing, brian madhouse, steve asked if we uh aliased labeled with two l's to labeled, with just one l I.e.

B

Is it american english to international english now, and I, I believe, that's correct, because we like to uh make the words fun in america when we can compared to other english speakers in the world so funny little aside, but hey appreciate everyone in the chat and please keep the questions.

A

The uk and the united states two great people separated by a common language.

B

So.

A

Let's look at a real life example of an actual workflow, so I'm in here in my uh uh my demo environment that I magically created in minutes using uh simply by creating an issue and because this is a demo, it comes pre-populated with an actual issue asking for uh us to add a feature. So in this case it looks like the user experience. Team wants to add a rating feature to our bookstore application and they've, hopefully included ui, screenshots and boy. I wish all issues were actually like this.

A

uh So, of course you know moving forward. We can interact with this. uh We can talk uh about what we want to do and really that's. The entire point of github right is to bring the folks that are designing the product, the folks that are responsible for the the economic viability of the product, the folks that are responsible for securing it and, most importantly, the folks that are responsible for documenting and creating it all together here in an issue to talk about this feature that we want to add all right.

A

So it looks like we're going to go ahead and do this so let's go over and take a look at the resulting pull request and if I click on this and drill down, I'm going to see a pull request. We'll take a look at the file changes here in just a second, but it's pretty straightforward.

A

Unfortunately, this pull request uh is uh is broken, which means that uh I can't merge it because in this instance I did set up that branch protection so because there is an error or rather a defect that github advanced security code scanning through codeql actually found can't merge this pull request. What's going on there, let's go ahead and click on details and see what has happened all right. So here's the codeql job and it looks like it- has detected a zip slip vulnerability. Well, that's super interesting.

A

Let's, uh let's drill down and figure out more about, what's going on with that, and so to do that, I'm going to click on the security tab, and I can see that in fact, my code in this case is absolutely riddled with bugs. Potentially so, we've got uh stuff, that's returned from code!

A

Ql and also we've imported results from another tool, so it turns out that in the world of security alerts, there's a format called serif security, alert, interchange, format, s-a-r-I-f any tool that supports serif and mini do including github advanced security can be integrated here on your security view just by clicking on this button right here.

A

So that means, if you're using another tool or as many enterprises do, you want to use multiple tools to ensure that your code is as secure as possible. We make that easy, so we talked earlier about how github brings everyone together in the same place, using the same tools in the same workflow to work on your applications.

A

The security tab that you're seeing here is github's first step along a journey to do the same thing for the security community as well, so long story short, the security tab. Moving forward will be the home for dev secops, the same way that the rest of github historically has been the home for dev and ops. So I've got my vulnerabilities here. I can drill down into those and figure out what's going on, but nonetheless, even though my code is vulnerable, there's no reason that I can't see what this looks like in my environment.

A

So I can go ahead and drill down into this and do the same thing that I did before and uh we'll run the same, uh the same code. So, let's deploy this to qa I've added that label that will fire off that action, and hopefully that'll complete before we run out of time here. uh If not, uh then I'll post, a screenshot of it later on when we finish up.

A

Okay, so really honestly uh deploying this feature uh showing the power of issue, ops and the fact that you can run github workflows in response to just about anything that happens inside of github was kind of the takeaway that we were hoping for here. uh Bear in mind that uh we focused really here on ci cd, but you can use get about.

B

Hey brian, I think we actually lost your audio there. Brian.

A

ah Am I back.

B

Yeah you're back or back no worries so just.

A

Weird was I gone for long.

B

Oh no just about like 20 seconds or so, oh and actually gobble boom. Zero. Just said uh brian 2020 to 2020 uh r.I.p, cross symbol, so people people were scared for a second. We were losing you.

A

Yeah, I got eaten by a bear all right, so what I was basically saying is we focused in this session on uh cicd right, because that's a very important aspect of uh automation in general, and certainly our efforts to automate the sdlc, but because github actions are a universal workflow automation platform. You can use them for just about anything. You can think of right. So in the past, uh if we wanted to extend github or automate whatever really do anything, we had to set up a web hook.

A

That webhook would send a payload to code that we wrote uh that we deploy and that we have to maintain, uh which would do whatever in response to that web hook and then interact with github. Those days are over 99 of the time you can take all of your bot code, all the things that you've written to interact with github and move them into a get a back I'll show you an example here.

A

So we have a customer who is using another platform and wants to switch over to github, but they had this weird quirk in their workflow and basically, what they wanted to do was be able to automatically create a pull request. Whenever somebody created an issue, uh this particular legacy platform that they were using actually had a button in the ui to do that.

A

Github doesn't have that and probably never will so whether you think this particular workflow is a good idea or not doesn't really matter. The bottom line is, if you have a workflow that you want to extend, you can probably use an action to do that. Let me show you what I mean here. So here's an issue br test one and over here is the pull request that actually corresponds to that.

A

If I click on that, first of all, it's a draft pull request, and it includes a link back to that issue that actually started this uh whole thing off. So if I want to do that again, I can just create a new issue again use the template that my admins have set up, uh give it a branch name. Let's call it branch hello.

A

Twitch whoa- and I just want to demo and we're going to submit this issue and under the cover, is, what's going to happen again, it's going to trap the fact that this issue was created. It's going to look at that label and see that we want to create a pull request and then it's going to do what it needs to do so. This has absolutely nothing really to do with code. What this has to do with is extending enhancing and changing the github user experience uh to accommodate whatever workflows uh you might have.

A

So this job is completed. We uh passed the trigger section and we are now creating the pull request inside of github, so this will take a little bit longer to complete. I can, of course, check my status, but at the end of the day, when I head back over to the pull request, tab.

A

It should be there so there's my pull request.

B

So again, whether.

A

You think this particular workflow is a good idea or not opinions will vary, but if you have something in your workflow that you want to accommodate that you've designed and that you're used to but get up doesn't support it out of the box. You can use github actions uh to replicate that workflow. So here we are, we didn't have to wait for github to fix it. Nor did we have to make changes to our sdlc uh in order to enjoy the benefits of switching to github. So it's about ten of that's about all.

A

I have in terms of demo material, that's uh uh ready to go, uh but of course james and I are willing and able to answer any questions uh or go along any path that you guys would like to see.

B

Yeah great yeah thanks so much for that brian, and that was a great example of really extending out um to get a platform in order to do whatever you need to get of itself. So really a big benefit like that. Let's go through some of these questions and chat. I see we had one from uh deekterneby1.

B

What is the advantage of using github secrets over, for example, azure, kiva or hashicorp? So let me take a first stab of this, so those actually have, as I noted some great integrations in our marketplace.

B

But the great thing about github secrets is that, as brian showed, you can scope those to just a repository to be consumed by your gift of actions or you could scope those an organization level and define which repositories have access to said secrets and they're only accessible by github actions or get give action workflows and that's a really great way to just moderate and delegate uh responsibility into deploying to your test or qa or pre-prod or prod environments right and making sure that whoever has that has at the right moment the right time and you can even take that to the organization level to manage it with even more granular detail there.

B

So I'd say those are, I wouldn't say the advantage, but just for this use case, it's really important right for your devops workflows for your ci cd. That's just kind of my take on brian. You have anything to add there for actions and and secrets.

A

Yeah so uh great points james, and I think the fact that you can scope these to repos and organizations allows developers to be self-serve at the repo level potentially uh and also allows organization admins to create secrets that are useful, broadly across an entire organization. Now, having said that, uh github always has been github is today and github always will be first and foremost a platform, and what that means is that it is our intention and our goal to play nicely with the the broadest possible array of tools.

A

So, if you're using azure key vault, if you're using something from hashi, if you're using anything, github almost certainly will plug into that, and you can leverage that in your runner environments, we have no strong opinion about which secret solution is the best. uh In my experience, I generally find that the best solution doesn't really exist, that there may be solutions that are better suited for one use case in one environment and solutions that are better uh suited again in other environments. So it's up to you, which one you want to use.

A

The advantage of github secrets, of course, is it's integrated. Don't have to switch to another tool, don't have to call or email or try to get on someone's calendar to get my secret added to another system.

B

Awesome, oh great, for that. Thanks for that input- and hopefully it answers your question there in the chat. uh But if you have anything else to follow up, let us know all right. We got a great explanation thanks from uh d3b1, so no worries appreciate that question. We have one here from uh savrat marici is: can we get access to that private repo that was shown in the demo? I took a note here that we'll check internally that's something possible, as we know before.

B

I think there's some great examples of just using these different components there. So I want let's take that back brian and see if that's something we could make a open and one more way or another sound good yeah.

A

No, that sounds good, uh I'm all in favor of that yeah we're all about transparency and openness here at github. So we'll do our best on that.

B

I love it awesome and with that brian, I know we do have some time left, there's no rush y'all as well, and I actually want to keep riding this train a little bit longer so brian. How would you feel if I take over the wheel for a little bit and show them another example of that kind of issue: ops, workflow that we were speaking about? How does that work? For you.

A

I'm all for it, I'm gonna go ahead and stop sharing and we'll watch. The james show.

B

All right, let's go give my friend brian time to breathe a little bit hope everyone's doing very well and uh go ahead and share my.

B

Screen all right, I should be live okay, so everyone brian, did a really great rundown of how easy it is to use actions. uh Things such as deploying the packages uh ci cd issue. Ops integrations stuff, like that, so let's kind of stay on that trend just with another scenario, to see really just the incredible flexibility we have with this platform as a whole.

B

So I have another mock repository here that we use for demos all the time and we've made some modifications to it and to really streamline how we can show this feature to you. So I'm actually going to go into my github issues. Let's go in and create a new issue and we have an issue template here called demo and issue templates are a great great way to uh specify.

B

Oh here's, an issue for a bug, and you have fields that users need to fill out or request for feature like we saw brian did earlier, so this issue, I'm gonna, go and give a name. So today's our demo for twitch, let's go and update our source.

B

I'm gonna put that in there I'm gonna go ahead and submit this issue, and by doing that, we should actually see all right. My github action just triggered, so we go over here to the action you can see it triggered. Let's see why that happened, while it's running so as brian stayed there's, probably over a hundred or so gig of events that you can monitor and react to via web hooks integrative actions which really make it great to extend the platform in all these different ways.

B

So what we're doing is we'll get issues whenever a new one is opened and then we're going to continue through these different jobs and steps here. A lot of these are things we saw off brian. So, for example, here we can do another parameter if our issue event that triggered this, the title is demo or has the title in there for reset this or clause. We have go ahead and continue with the following steps that we have. So these are just additional steps here.

B

We're doing a github action for checkout actions is actually to get a repository. That github manages- and we include a bunch of these kind of starter actions out of the box- that we feel really valuable to our users, such as checking out your repository for usage in ci cd. What I'm actually doing here is I'm actually uh checking this out. I'm actually going to make some modifications to my code itself in my repository and then I want to go ahead and update my issue and create actually a branch right from the issue.

B

Kind of we saw brian do earlier and we can see we're using our github token and then we're also using different pieces of information from the actual github event that triggered this. For example, here we're actually looking at the repository owner and their login, which is myself look at the name of the repo from where this occurred, so so much useful information from our api. That's fed to you right from your actions, experience all right.

B

So if that worked to stall for our time, we can go over here and we see that our steps have completed.

B

It went and created a custom branch for us today, so we go over to my issues, my demo for twitch, and we also can use our whenever we use our gig of actions to maybe create a pull request or a new issue or a comment. It's going to reference this github actions bot right here which can help power a lot of different experiences for users. So here we can see a new feature. Branch was created for twitch. If I click that I can verify that's true awesome: let's go back one level and from right here.

B

Actually I'm just putting links to let's go ahead and create a new pull request from our branch. So I'm going to click this button and then we're going to go ahead and create a pull request.

B

And then from here let's actually look at the different uh files that were changed in this, so I didn't actually touch any code. If you all recall that all I did was create an issue, it created me a new branch and actually I ran a script that went ahead and went through and actually replaced some text in my code base. So in my index html file, it's replacing the customer value with that value from our issue, which was twitch okay.

B

So let's go back here to our conversation tab and we can see that nothing has been deployed yet so how about I go here and use one of my labels as well: let's go ahead and click deploy.

B

Once we do that, we should see some activity occur.

B

It's actually going to. Let us know there. We go like that. Just from another label uh assignment, like brian did earlier, we can see a good action just triggered on this. So while this goes ahead and runs, we'll see some of the different pieces of functionality that we're touching here.

B

So, firstly, we have our pr deployment so I'll show you this workflow file, because there isn't a couple of additional steps in here. That gives some really useful information to the experience.

B

So, for example, for this one, our on event trigger we're using the pull request, as you can imagine, we're using the type called label and down here, I'm actually doing something called a permission check and just a simple uh job in this file that I defined and all it does y'all is it's just looking seeing hey is the getup actor, the person that actually ended up, causing this event to happen?

B

Is that actually, the uh owner of this repository, I always want to make sure whatever is triggering this deployment to azure, is actually a owner of the repo. So we don't incur any costs without knowing and we go down here once the permission check works, it's going to go ahead and just echo out this line into our console. Let us know that it passed also another step.

B

You call debug this one's going to skip because the if condition was not uh actually met, as you can see here, if condition we're saying hey if the label debug occurs, go ahead and run this step, but it's not going to in our situation and then after that, we're going to be running some of these different deployment steps here.

B

So we can see we have a deployment step, we call it deployment via label and basically with that label that we had just happened called deploy, occurs, we're going to go ahead and run through some of our different steps here for our github action. So you can see right from my script. We can actually use this github actions called github dash script, and this is great because um I highly suggest you'll look into this, especially if you're wanting to create some automation inside your github processes, because you can use this to just run.

B

Direct scripts inside this action, just feeding it, the script parameter and I can use, for example, some of our apis to just easily create a new comment, for example, and just give it these following uh components in it, so without even having to write custom, javascript or another file or spin up a docker container. For example, I can do that all from an action which is really once again the power of this platform.

B

Another great thing is, I actually had a need to get the branch name from which this pull request was coming, so I actually went out there. I was like man. Should I read about the wheel, or should I see if another user has come up with this use case before I did so shout out to the user mde coleman for this for his pr branch name action, because this actually will go ahead and output and grab the branch name from which his pro request is happening. And why did I want that?

B

Because I'm actually going to create a deployment event inside github and include that branch name value, because I actually need that step when I'm creating this deployment event which I'm going to use to actually trace through the sdlc process.

B

So let's go back through to my pull request and let's look at a few things that we have happening so you can see. We have this deployment section right here and apologies aren't calling it earlier, but earlier it just said no deployments and now you can see it's actually in a uh in progress status and that's a great part of this. This deployment, it's really a container for what exactly is going on with either your pull request or commit, and you can relate that to deployments sense, the name which is going to help us know.

B

Okay, something is in progress. We can update it saying that that's occurring. If something fails, we can update it as well. If something passes, we can just relate a bunch of information. That's really useful, especially if you think in the context of our ci cd right.

B

So some more jobs are running here. As you can see, we have several: let's go, take a look at them, while this finishes spinning up and actually I saw in the chat. Mr derrick no worries great to have you here and I hope to see you in the future all right make sure you follow us on twitter and our twitch channel okay. So I go over here to my pull request.

B

We can see that three minutes ago right when I first applied that label, we also had a permission check, occur when a deployment via that label itself. So, let's actually go take a look at this workflow file, because this one triggered off something specific, as you can see once again, that on section is actually triggering on a deployment itself, so that previous step, I did earlier right from my label that actually created a github deployment and now that deployment I can use to actually trigger off this following action here generally.

B

Using actions to trigger actions is not something we do simply from the mindset of you don't want to get in a circular sort of pattern, but since deployments are kind of extrapolate outside of the general workflow and they're very specific and related to a single sha or commit whichever we can use them in this kind of scenario, and still have that separation of the different workflows we're running so our on deployment event, we're actually grabbing some issues from the deployment event that causes this to happen, because once again, you can use your triggers in ways to actually bring information in there.

B

So from that deployment event actually include a payload information, including the issue. It came from different references, ids, etc that I need to bring over, and here I'm actually adding some information for my azure deployment via my azure subscription. So what web app name? I want what the resource group is and what location in azure I want this deployed to.

B

So we go down here same steps before we're doing our permission check because I just want to make sure and then down here we're going to be doing some of our deployment.

B

We're going to update this issue create some more comments in there just so we can see what's going on and down here, I'm doing a bunch of different steps to basically build this.net, mvc application and then we're using actually a handful of actions from azure themselves, including this azure login here, as well as just honestly just running some different steps uh inside the virtual machine in our runner that is occurring.

B

Okay, I'm doing some more checks down here, I'm going ahead and logging out of azure once I'm done. I actually just include this step. I actually want to make a ping out to that website and actually make sure that it's live and running before I go down here and update my deployment status so another, if condition we're doing so we're doing if success go ahead and uh perform this update to that deployment status.

B

Remember that we had um otherwise, if it fails for whatever reason this workflow breaks, go and update it as well, because we want to know it failed and that status of failure if you'll see there okay. So, let's go back to our pull request.

B

And hopefully, all right, we see that this branch was successfully deployed want to click here. Let me click view deployment and there we go. You see our web app is updated. It's up in azure and we update our reading time to say it's reading time of twitch, all right and y'all with that. I think we are actually at time in that close we're happy to stay on for any more questions. I see one here from kieran ray of sun. How do we deploy different environments based on azure region?

B

There's, probably a handful different ways you can use it in our example, we saw just quickly back to this file down here you can see. I specified my azure location, and this is just a variable inside here and then later on the script I'm going to reference that azure location. When I'm doing one of my published jobs, I believe, is how that's occurring yep right here. I'm saying hey, go ahead and create a new azure group. What's that resource group name and then, what's that azure location, we want to stand up.

A

I think it's also worth pointing out that, uh for things like uh variables, basically, when you trigger an event, a workflow, whether it's from a code commit or a adding a label or anything else, the workflow engine will receive a huge volume of information uh and included in that information could be, for example, a list of regions that you want to deploy to uh the same way that we saw earlier when we created that demo environment by filling out a little json in an issue.

A

You can use exactly that same pattern to select any or all of the regions that you want to deploy to as well and then pass that into the workflow. That way,.

B

Exactly great point there, mr brian, all right friends, uh it's been a solid hour with everyone here, appreciate uh all the feedback and comments in there and educating our friends more about github actions, uh especially in regards to get enterprise and different capabilities. There are, um if there's, no other questions in chat. I think we are going to go ahead and wrap up for today, but please follow us on twitch on twitter, our different social medias and we'll see y'all on the next one.