#gitops (2021-07)

Discuss continuous delivery of infrastructure Archive: https://archive.sweetops.com/gitops/

2021-07-21

Mazin Ahmed

Question: How do you use Git pre-hooks for identifying secrets at the organization level? I’m looking for ideas to detect sensitive commits before they’re committed and pushed to GitHub. Any ideas how you would approach this at the org level?

sheldonh

Right now I’m just using lefthook and setting up a gitleaks hook to run on pre-commit and pre-push. It’s not perfect. I’ve not centralized anything. You can use plugins in whatever CI tool you use to do more widescale work, but for now it’s a way I’ve taken to get a small step towards quick code checks and pushing folks away from even dev certs and keys in the repos.

Mazin Ahmed

Thank you!

Mohammed Yahya

You need a solid dev workflow runbook; make sure you automate everything with brew or chocolatey. It’s all about setting up developers’ machines. For me, I would move over by offloading all of these checks into CI instead of developers’ machines.

sheldonh

For the sake of discussion, I don’t look at this as shifting from dev to CI checks. I’d rather “shift left” by having the same checks on the devs that CI runs. This improves the feedback cycle dramatically.

Brew and choco are for dev machine setup, and yes, the task init I use leverages those for apps needed if required.

Love automation!

Mohammed Yahya

I totally agree with you; been there, found a lot of developers do not care about pre-checks or whatsoever, so you force everything with CI and PR reviews.

sheldonh

That’s why I use task init or equivalent in the setup of the project, and it self-registers all the hooks and linting tools. Then CI does the exact same thing as a manual run.

This means an immediate feedback loop before I even open a PR, having resolved all linting and test failures before it even gets to this point. IMO that quick feedback loop is key to a good trunk-based dev workflow and making PRs less intrusive.

Zachary Loeber

@sheldonh, have a good base project template using task that you’d be willing to share?

sheldonh

Yeah, I have lots of examples. I’m actually not using task anymore, as I’m exclusively writing all automation tasks with Mage (Go); it’s far more flexible, with full access to all that Go can do cross-platform. For Mage (if you want to write Go): https://github.com/sheldonhull/magetools. I have examples and templates there and use this now in other projects. I like it if you are willing to write Go, because you also can remote-import sets of tasks. Makes it reusable across lots of repos!

I have lots of task starters I was using here: https://github.com/sheldonhull/ci-configuration-files

Less updated, as I realized it’s better to be a repo than markdown due to regular updates: https://www.sheldonhull.com/docs/task/

Hope this helps!

Zachary Loeber

You are a maniac! Thanks a ton

Zachary Loeber

I’d try to return the favor, but I doubt you want 1k-line Makefiles….

sheldonh

Ha! I’ve actually avoided writing any Makefiles so far in my career. Tweaked a couple, but since most of my work crosses from build to a lot of other things, and I like cross-platform, I’ve tended to use go-task, InvokeBuild (PowerShell) or Mage.

Since I wasn’t immersed in bash, my natural tendency, once things get beyond simple invoke commands, is to use a more powerful language and not deal with bash idiosyncrasies.

sheldonh

Not saying it’s right. I am a PowerShell ninja but a bash so if I had to pick something, I’d gravitate towards PowerShell because I know all those quirks and object pipeline stuff.
