#github-actions (2024-09)
Discussions related to GitHub Actions
2024-09-03
GitHub Actions: arm64 Linux and Windows runners are now generally available
The post "GitHub Actions: arm64 Linux and Windows runners are now generally available" appeared first on The GitHub Blog.
Updates, ideas, and inspiration from GitHub to help developers build and design software.
Does anyone know if it's possible to use GitHub OIDC for auth in GHA for Argo CD diffs?
There are a bunch of examples of people accomplishing this with static creds (API token generated in Argo), but I would love to take it one step further with modernized auth / security best practices. Would it be possible using oidc.config with a GitHub app?
https://github.com/argocd-diff-action/argocd-diff-action
This GitHub action generates an ArgoCD diff between the current PR and the current state of the cluster.
I also heard of this recently. Please try it out. I’d love to get this working too
btw, just got this working! m2m (GHA to Argo CD) auth, which I'm specifically using for Argo CD diffs on pull requests. I haven't optimized the diff portion (thinking about using Quizlet's diff action) but the authn/authz portion is working smoothly
2024-09-04
Hey folks! I have experience with GitLab CI but considering using GitHub Actions for my new gig. There are a couple of things I really liked about GitLab and I’m curious how GHA stacks up.
- You can provision multiple GitLab runner management pods with different SAs and settings (for example, nodegroup affinity to determine which nodes actual runners need to run on, and resource requests that can be overridden in pipeline config via env vars). The management pods then listen for new jobs and spin up pods to execute as required with the necessary settings. This is very convenient as you can easily set up new pods with AWS permissions and run them on Karpenter nodes of your choosing. Does the GitHub Actions runner controller offer similar flexibility?
- It seems that GitHub Actions CI is free to run on self-hosted runners, but I just wanted to confirm that there are no hidden costs anywhere
- GitLab runner pods had "service" containers which supported running docker-in-docker if needed. Can you do docker-in-docker in GHA?
- For those familiar with both GitLab CI and GHA, any other “limitations” in GHA I should be aware of?
@Igor Rodionov
I believe @mike186 has some opinions on this (proponent of GitLab)
Bottom line up front: Most people coming from GitLab over to GitHub Actions are likely to be disappointed, annoyed and dismayed when using GHA. And it just gets worse the longer you use GHA, because you'll discover more basic things they don't do well, and also because as the "upgrades" come, it often feels to me like the entire GitHub Actions solution set is moving deliberately backwards.
That isn’t a detailed or point for point answer, but I figured I’d get that out of the way first. I respect people who do not feel this way, but it’s my truth all the same.
- The pools and label system has been taking steps backwards lately, and it's upset a percentage of the userbase. Changes to how the job labels get matched to pools are a sore point. Another surprise going from GL to GHA: you shouldn't have two pools that can match a job and assume one of them will pick it up. Both controllers get the job and weird things happen, as I'm told. My brain rejects this so I haven't confirmed it, but the guy who explained it to me, I trust. Flexibility is not how I would describe the GHA runner controller.
- Basically no, this is one area where we don't see some of the nasty expenses. There are other areas where it's pretty ugly. However, technically, yes, there can be fees here, related to artifact storage quotas, if you go over those for whatever tier you're on. I cannot say if you will; I'm on GH Enterprise and those fees never hit the pain threshold compared to the other games played at an EA level for GH Enterprise/Microsoft EA "billing inefficiencies, mistakes and not provably mistakes", like rather than assigning blocks of 10 licenses to our account, they assign and bill for 10 x 10 seats and call it a communication error that never gets corrected. One that becomes very expensive when someone turns up Advanced Security, flipping each committer from $24/user/mo to $49/user/mo. What I mean to say is, if you're on the free tier, you might watch out for artifact storage costs if you go over, and that might hurt. But the pain at the enterprise tier is so much more elsewhere, you won't even notice file storage overages.
- Yes, you can do DinD on GHA, but it works better on GitLab, and is more complex to get working
- Yes, lots. You'll be stunned once you start working with it. It all feels like a system from the dark ages that's been hacked on without real direction. GitLab feels like someone thought about the pipeline, how you string together workflows, how you scale them, reuse them, keep them DRY. With GitHub Actions, you'll feel like someone deliberately made these things hard to do; simple tasks, all the things you expect to do, like making most of your other workflows depend on, and wait for, basic validation checks before launching them. You'll face disbelief that "there isn't a way to do" what you have been doing for years in GitLab, over and over. But it's an illusion. It's not an illusion that there is a way to do it; the illusion is that it wasn't deliberate. GitLab understood the assignment; GitHub has been growing a wart, and a lot of people use it, and the value is in the community content, not the platform. Its mass, the sheer bulk of it, smelly as it is, has its own sort of gravitational attraction.
Apologies for the tone, you may have picked up that I’m not a fan. It’s one of my life regrets that I let GitHub back into my life and that of my team. We’ve only touched on a few of many sore areas.
But as passionately as I feel, I know more people who feel the other way. So I hope your experience is better than mine, and I hope that I will come around and shake off my wrong thinking one day.
A lot of folks here know GHA far better than me, and I'll accept correction like a gentleman, whatever my strong, bad message above. There are plenty of smart people to speak for GHA. I'm not all of those things, so I give you my honest appraisal as someone who does use both, and continues to regret coming back to GH. I've been suffering daily for three years, so it's not an adjustment period FWIW.
Thank you so much for that write up.
2024-09-05
2024-09-12
I noticed there is no convention posted for github action input/output naming conventions. Does cloudposse have a documented standard?
@Igor Rodionov
2024-09-16
Notice of upcoming deprecations and changes in GitHub Actions services
The post "Notice of upcoming deprecations and changes in GitHub Actions services" appeared first on The GitHub Blog.
2024-09-19
I don’t see a serviceAccount under runner spec for https://github.com/cloudposse/terraform-aws-components/blob/main/modules/eks/github-actions-runner. Would that not be how you’d associate IAM permission to the runner scale set?
@Dan Miller (Cloud Posse)
do you mean how to assign IAM permission to the runners in GitHub?
Yes, I was expecting to do it with Service Roles (IRSA) but is there a different approach?
Yes entirely. We use GitHub OIDC https://docs.cloudposse.com/layers/github-actions/github-oidc-with-aws/
This is a detailed guide on how to integrate GitHub OpenID Connect (OIDC) with AWS to facilitate secure and efficient authentication and authorization for GitHub Actions, without the need for permanent (static) AWS credentials, thereby enhancing security and simplifying access management. First we explain the concept of OIDC, illustrating its use with AWS, and then provide step-by-step instructions for setting up GitHub as an OIDC provider in AWS.
then it doesn't matter if the actions are running on self-hosted, GitHub-hosted, etc.
2024-09-22
Any suggestions on this?
Hello #general
I am new to GitHub Actions, setting up a new pipeline to deploy a Python backend application to EC2. I have configured the pipeline and added the SSH user to the variables, but I'm worried about opening port 22 in the EC2 SG to the public (for GA).
Worked out 2 options:
1. using SSH username and password
- name: Copy files to EC2
  uses: appleboy/[email protected]
  with:
    host: ${{ env.EC2_HOST }}
    username: ${{ env.EC2_USERNAME }}
    password: ${{ env.EC2_PASSWORD }}
    source: "."
    target: "~/myproject"
- name: SSH into EC2 and deploy
  uses: appleboy/[email protected]
  with:
    host: ${{ env.EC2_HOST }}
    username: ${{ env.EC2_USERNAME }}
    password: ${{ env.EC2_PASSWORD }}
    script: |
      cd ~/myproject
      source venv/bin/activate
      pip install -r requirements.txt
      python manage.py migrate
      python manage.py collectstatic --noinput
      sudo systemctl restart nginx
2. using an access key and secret key with an SSM document
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v2
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: us-east-1
- name: Deploy application
  run: |
    aws ssm send-command \
      --document-name "AWS-RunShellScript" \
      --targets "Key=instanceIds,Values=YOUR_INSTANCE_ID" \
      --parameters commands="cd /path/to/your/app && git pull && ./deploy.sh"
Can someone help me with what would be the best approach to deploy the application to EC2 in various AWS accounts like UAT, Preprod and Prod?
Thanks in advance.
You can deploy to an EC2
• using userdata on the launch template
• using an ami on the launch template
Your method might require keeping a persistent ec2 running which is not the best approach (see pets vs cattle)
By using either of the above methods, you would spin up a new instance in your auto scaling group to run the latest Python code
Hello @RB, sorry, I couldn't understand the approach. I am looking for suggestions on how to deploy from GitHub Actions.
@Yonatan Koren @Igor Rodionov
@Dhamodharan Actually, nowadays we primarily deploy containerized applications on EKS or ECS clusters. The deployment strategy you are working on is old school, but it still works for small projects without strict requirements for downtime, availability, etc.
From a security perspective, I like your second approach, with the SSM command. Just make sure that the IAM user behind the AWS creds has minimum permissions, ideally just to run the SSM command on the specific resource.
Also, you can check out GHA OIDC auth on AWS, which will generate short-lived AWS creds for each run, restricted to a specific IAM role with the required permissions. You can read more here https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
Cloud Posse has also open-sourced Terraform modules to provision all the required resources for such an auth method.
2024-09-23
2024-09-24
The ultimate goal of this App is to wholly eliminate the need for GitHub Personal Access Tokens (aka PATs).
The original blog post.
https://github.com/octo-sts/app by chainguard
Wow! We were just talking about how badly this is needed on #office-hours
I haven’t tried it. It looks very promising
2024-09-25
End of life for Actions Node16
The post "End of life for Actions Node16" appeared first on The GitHub Blog.
Actions: new images and ubuntu-latest changes
The post "Actions: new images and ubuntu-latest changes" appeared first on The GitHub Blog.
Introducing "CI/CD Admin" - A New Pre-Defined Organization Role for GitHub Actions
The post "Introducing "CI/CD Admin" - A New Pre-Defined Organization Role for GitHub Actions" appeared first on The GitHub Blog.
@Igor Rodionov