CI/CD with GitHub Actions

Chris Ayers

Chris Ayers

Senior Customer Engineer
Microsoft

Twitter: @Chris_L_Ayers
Mastodon: @Chrisayers@hachyderm.io
LinkedIn: - chris-l-ayers
Blog: https://chris-ayers.com/
GitHub: Codebytes

Agenda

  • YAML
  • CI / CD
  • Actions Overview
  • Demos

YAML

Yet Another Markup Language

GitHub uses YAML for workflows

Demo: Online Parser

Feature Description
Lists Start with a –
Key-Value Key: value
Objects Objects:
Properties of objects

Workflows / Pipelines

What is CI/CD?

Actions Overview

  • Live in the .github/workflows folder
  • Workflows are defined in YAML
  • Workflows are Event Driven

Events that trigger workflows

https://docs.github.com/actions/using-workflows/events-that-trigger-workflows

  • branch_protection_rule
  • checks
  • create / delete
  • deployment
  • discussion
  • fork
  • issue_comment
  • issues
  • label
  • page_build
  • pull_request
  • pull_request_review
  • pull_request_review_comment
  • push
  • release
  • schedule
  • status
  • workflow_call / workflow_dispatch

Workflows

  • Events trigger workflows
  • Workflows contain jobs
  • Jobs contain steps
  • Steps are commands or actions

Jobs

  • Workflows can contain multiple jobs
  • Jobs run in parallel by default
  • Each job runs on a Runner
  • Steps and Shell Commands run in sequence

Runners

  • Specify the type of runner with runs-on (e.g., ubuntu-latest).
  • GitHub provisions a new VM for each job.
  • Steps in a job share information using the runner's filesystem.
  • VM is decommissioned after job completion.

Supported runners and hardware

  • GitHub-hosted runner application is open source.
  • OS: Windows, Linux, and macOS
    • Runners include preinstalled software, updated weekly.
    • There are also Large Hosted Runners
  • Self-Hosted Runners
  • You can install additional software on runners.

DEMOS

ACT

Run Actions Locally

nektos/act

Security

  • Never use structured data as a secret
  • Register all secrets used within workflows
  • Audit how secrets are handled
  • Use credentials that are minimally scoped
  • Audit and rotate registered secrets
  • Consider requiring review for access to secrets
  • Use an action instead of an inline script (recommended)
  • Use an intermediate environment variable
  • Use OpenID Connect to access cloud resources
  • Pin third-party actions to a full length commit SHA

Actions Updates - Dependabot

  • Actions are regularly updated for enhanced automation.
  • Dependabot keeps GitHub Actions references in workflow.yml up-to-date.
  • If newer action versions exist, Dependabot sends an update pull request.
  • Dependabot also updates git references for reusable workflows.

.github/dependabot.yml

version: 2
updates:
  # See documentation for possible values
  - package-ecosystem: "github-actions"
    # Location of package manifests
    directory: "/" 
    schedule:
      interval: "weekly"

DEMOS

Bonus - Private Networking

  • GitHub Actions is triggered.
  • Actions service creates a runner.
  • The runner service deploys the GitHub-hosted runner's NIC into your Azure VNET.
  • The runner agent picks up the workflow job.
  • The runner sends logs back to the GitHub Actions service.
  • NIC accesses private resources.

Questions

Resources

Follow Chris Ayers

Twitter: @Chris_L_Ayers
Mastodon: @Chrisayers@hachyderm.io
LinkedIn: - chris-l-ayers
Blog: https://chris-ayers.com/
GitHub: Codebytes

Zelda: type: pit bull favoriteThings: - treats - naps - belly rubs toys: [bone, doll]

act -W .github/workflows/02-basic-multiple-jobs-needs.yml

Needed for mermaid, can be anywhere in file except frontmatter