#github-actions (2024-09)
Discussions related to GitHub Actions
2024-09-03
GitHub Actions: arm64 Linux and Windows runners are now generally available. The post appeared first on The GitHub Blog.
does anyone know if it’s possible to use github oidc for auth in GHA for argocd diffs?
there are a bunch of examples of people accomplishing this with static creds (api token generated in argo), but would love to take it one step further with modernized auth / security best practices. would it be possible using oidc.config with a github app?
https://github.com/argocd-diff-action/argocd-diff-action
This GitHub action generates an ArgoCD diff between the current PR and the current state of the cluster.
I also heard of this recently. Please try it out. I’d love to get this working too
2024-09-04
Hey folks! I have experience with GitLab CI but considering using GitHub Actions for my new gig. There are a couple of things I really liked about GitLab and I’m curious how GHA stacks up.
- You can provision multiple GitLab runner management pods with different SAs and settings (for example, nodegroup affinity to determine which nodes actual runners need to run on and resource requests that can be overridden in pipeline config via env vars). The management pods then listen for new jobs and spin up pods to execute as required with necessary settings. This is very convenient as you can easily set up new pods with AWS permissions and run them on Karpenter nodes of your choosing. Does the Github Actions runner controller offer similar flexibility?
- It seems that Github Actions CI is free to run on Self-hosted runners, but just wanted to confirm that there are no hidden costs anywhere
- GitLab runner pods had “service” containers which supported running docker-in-docker if needed. Can you do docker-in-docker in GHA?
- For those familiar with both GitLab CI and GHA, any other “limitations” in GHA I should be aware of?
@Igor Rodionov
I believe @mike186 has some opinions on this (proponent of GitLab)
Bottom line up front: Most people coming from GitLab over to Github Actions are likely to be disappointed, annoyed and dismayed when using GHA. And it just gets worse the longer you use GHA, because you’ll discover more basic things they don’t do well, and also because as the “upgrades” come, it often feels to me like the entire github actions solution set is moving deliberately backwards.
That isn’t a detailed or point for point answer, but I figured I’d get that out of the way first. I respect people who do not feel this way, but it’s my truth all the same.
- The pools and label system has been taking steps backwards lately, and it’s upset a percent of the userbase. Changes to how the job labels get matched to pools are a sore point. Another surprise for GL to GHA: you shouldn’t have two pools that can match a job, and assume one of them will pick it up. Both controllers get the job and weird things happen, as I’m told. My brain rejects this so I haven’t confirmed it but the guy who explained it to me, I trust. Flexibility is not how I would describe the GHA runner controller.
- Basically no, this is one area we don’t see some of the nasty expenses. There are other areas where it’s pretty ugly. However, technically, yes, there can be fees here, related to artifact storage quotas, if you go over those for whatever tier you’re on. I cannot say if you will, I’m on GH enterprise and those fees never hit the pain threshold compared to the other games played at an EA level for GH Enterprise/Microsoft EA “billing inefficiencies, mistakes and not provably mistakes” like rather than assigning blocks of 10 licenses to our account, they assign and bill for 10 x 10 seats and call it a communication error that never gets corrected. One that becomes very expensive when someone turns up Advanced security, flipping each committer from $24/user/mo to $49/user/mo. What I mean to say is, if you’re on the free tier, you might watch out for artifact storage costs if you go over, and that might hurt. But the pain at the enterprise tier is so much more elsewhere, you won’t even notice file storage overages.
- Yes, you can do DND on GHA but it works better on GitLab, and is more complex to get working
- Yes, lots. You’ll be stunned once you start working with it. It all feels like a system from the dark ages that’s been hacked on without real direction. GitLab feels like someone thought about the pipeline, how you string together workflows, how you scale them, reuse them, keep them DRY. GitHub actions, you’ll feel like someone deliberately made these things hard to do; simple tasks, all the things you expect to do like make most of your other workflows depend on, and wait for, basic validation checks before launching them, you’ll face disbelief that “there isn’t a way to do” what you have been doing for years in gitlab, over and over. But it’s an illusion. It’s not an illusion that there is a way to do it, the illusion is that it wasn’t deliberate. GitLab understood the assignment, github has been growing a wart, and a lot of people use it, and the value is in the community content, not the platform. Its mass, the sheer bulk of it, smelly as it is, has its own sort of gravitational attraction.
Apologies for the tone, you may have picked up that I’m not a fan. It’s one of my life regrets that I let GitHub back into my life and that of my team. We’ve only touched on a few of many sore areas.
But as passionately as I feel, I know more people who feel the other way. So I hope your experience is better than mine, and I hope that I will come around and shake off my wrong thinking one day.
A lot of folks here know GHA far better than me, and I’ll accept correction like a gentleman, whatever my strong, bad message above. There are plenty of smart people to speak for GHA. I’m not all of those things so I give you my honest appraisal as someone who does use both, and continues to regret coming back to GH. I’ve been suffering daily for three years, so it’s not an adjustment period FWIW.
Thank you so much for that write up.
2024-09-12
I noticed there is no convention posted for github action input/output naming conventions. Does cloudposse have a documented standard?
@Igor Rodionov
2024-09-16
Notice of upcoming deprecations and changes in GitHub Actions services. The post appeared first on The GitHub Blog.
2024-09-19
I don’t see a serviceAccount under runner spec for https://github.com/cloudposse/terraform-aws-components/blob/main/modules/eks/github-actions-runner. Would that not be how you’d associate IAM permission to the runner scale set?
@Dan Miller (Cloud Posse)
do you mean how to assign IAM permission to the runners in GitHub?
Yes, I was expecting to do it with Service Roles (IRSA) but is there a different approach?
Yes entirely. We use GitHub OIDC https://docs.cloudposse.com/layers/github-actions/github-oidc-with-aws/
This is a detailed guide on how to integrate GitHub OpenID Connect (OIDC) with AWS to facilitate secure and efficient authentication and authorization for GitHub Actions, without the need for permanent (static) AWS credentials, thereby enhancing security and simplifying access management. First we explain the concept of OIDC, illustrating its use with AWS, and then provide the step-by-step instructions for setting up GitHub as an OIDC provider in AWS.
then it doesn’t matter if the actions are running on self-hosted, GitHub hosted, etc
Got it, thank you!