Your DevOps guide to GitHub Universe

GitHub Universe is almost here. For more on what to expect from this year’s stream, we sat down with virtual host, Brian Douglas, for a quick Q&A on GitHub Actions,…

GitHub Universe
|
| 6 minutes

GitHub Universe is almost here. For more on what to expect from this year’s stream, we sat down with virtual host, Brian Douglas, for a quick Q&A on GitHub Actions, DevOps, and automation.

A lot has changed since last year’s GitHub Universe. What can folks expect to see this year, and what might be different? 

The biggest difference this year is that Universe is a hundred percent online. It’s three days with five hours of content each day, and we’re doing a rebroadcast in the Asia-Pacific region for everyone outside of the original timezone. Beyond the new format, we’re going to be following up on a lot of the features we shipped earlier this year. You’ll learn more about code scanning, and get updates on GitHub Discussions, GitHub Actions, and more.

Your talk is on GitHub Actions, which runs automated workflows based on nearly any GitHub event. Tell us more.

Actions is a feature we shipped about two years ago—actually two Universes ago. It’s something that many folks have dabbled with, whether it’s for starting CI jobs or running tests. You can automate nearly any part of your workflow with Actions, and at GitHub, Actions is a building block for a lot of our other features. It powers everything from security and authentication to access to webhooks. My talk, Getting traction with GitHub Actions, is going to cover everything you can use Actions for outside of CI/CD, like automating performance and checking if your site is up and running. I’ll also show how I manage staging for some of my projects’ design systems with Actions. Overall, the goal is to help expand the footprint of what you can do with Actions outside of just simple things like running tests.

Awesome—can you give us an example of a non-CI/CD action? 

One of the most interesting workflows I’m using right now is the Lighthouse action. The action is based on Google’s Lighthouse project, which is an open source tool for auditing your project’s performance and accessibility. With the Lighthouse tool, you can just open up your browser and check your website’s performance directly. But with the Lighthouse action, I can actually check my site’s performance on GitHub when a new pull request is opened. If a pull request makes performance go down, I can stop and figure out why. This is huge for organizations: we’ve seen many major companies ignore accessibility and performance issues only to have to backtrack and fix them. Now you and your team can be on the same page. Every time a pull request is opened, a GitHub action is triggered to give you a Lighthouse score. The action will also upload a report directly into the artifact, which I’ll share more about in the session.

It sounds like knowing a few basics might be helpful. If someone’s new to Actions, how can they get up to speed before Universe? 

I’d recommend checking out the Actions course on GitHub Learning Lab. From there, you should definitely visit the Actions tab in your repository. It’ll give you a lot of hands-on insights for your project and how to get started with actions, even before you attend Universe.

You mentioned security earlier. We know security plays a role in DevOps automation—sometimes referred to as ‘DevSecOps.’ Will we be hearing more at Universe? 

Security is definitely going to be a main theme. Even if security hasn’t been top of mind for your workflows, most developers have accidentally shipped a token or committed a secret. I’ve done it myself. Afterwards, everyone’s frantic and there’s a lot of running around to try to clean it up—when it can actually be avoided or fixed easily. I love the fact that GitHub now automatically identifies and regenerates tokens, which you can choose to replace and no one has to know. Those small wins for developers add up. So, even if you’re just attending Universe for DevOps tips or ways to improve your workflows, you’re going to get a lot of security answers. You’ll walk away with tools and questions you can take back to your team to help you better navigate some of the risks that are out there.

Which security sessions do you recommend for DevOps teams? 

There are several—like the HashiCorp session on keeping secrets in your infrastructure pipeline and how to manage that with GitHub. There’s also a counterpoint talk from Sasha Rosenbaum around what happens after you committed a secret. And I know Maya Kaczorowski and William Bartholomew are also doing similar content on how the GitHub Product Team has managed our code scanning feature.

Check them all out here:

Similar to Actions, how can teams prepare for security sessions before they attend Universe?

First off, you can have access to the work of security researchers right now. The Security tab on your project has a lot of good links to security research documents, or reports that security researchers have linked to actual libraries you’re leveraging your project. I discovered the power of this connection firsthand when I realized one of my actions was being featured in another Universe security talk. We found some security vulnerabilities within the action, and fixing it didn’t only help me. It helped everyone using the action. So, even if you don’t feel like you’re up to date or can stay up to date on all the stuff that’s happening, we do have a community of security researchers on GitHub who can share that information. Start checking the Security tab now, and you can continue checking back in over time to confirm nothing you’re using is vulnerable.

If folks could only take away one thing from Universe, what would it be? 

Whether it’s security or DevOps, the most important thing is just being aware and understanding what GitHub tools are out there. Take CodeQL for example: You have to go to the Security tab, enable it on your project, and your code is secure. That’s simplifying, but it starts with doing things like that and making sure you’re aware of what’s happening in your code base and in your community. So, whether you’re writing Python, Ruby, or JavaScript, understand that the community has security researchers involved and that you have access to all their research.

Now onto the fun stuff. ✨ This year we’re introducing our first virtual play track and using Discussions. What else do first-time attendees need to know? 

It can be overwhelming for folks to try to feel like they need to be online and watch every single talk. We’re all going to be at home working or doing other things while we’re watching Universe. That’s why we have the play track—being able to have the play track tab open is a way to still feel connected to Universe. It’s a nice break. You can play performances in the background, get a quick 10-minute tutorial on creative coding tools, just to name a few.

I also recommend checking out the discussions. You can create your own Universe threads with Discussions, the built-in native feature that we shipped earlier this year. It’s an opportunity for you to get a first-hand look and try it out for yourself. Put yourself out there, ask questions, or use discussions to connect directly with the speakers. I’ll be hanging out there too—just tag me @bdougie!


Want to learn more? Tune in to Brian’s Universe talk on December 9 at 10:00am PT/1:00pm ET or see the full list of DevOps sessions

Related posts