Blog posts

  • My first CVE (CVE-2022-41032)
    Before I started my new job at Vercel in 2022, I took a week off after leaving my job at GitHub. I was intending to spend some time working on one of my too-numerous side projects -- in particular, a .NET Core app that uses libgit2. Instead, I found my first CVE (CVE-2022-41032).
  • Pushing a (New) Empty Branch
    Yesterday, I invoked a fun little command to create a new, empty dist branch in a GitHub repository. But I didn't explain it. So today I wanted to unpack exactly what's going on here.
  • Packaging an Action
    After having created several actions to use in GitHub Actions workflows, I've settled on a pattern that I really like for packaging them, and in my most recent action, I codified this in a CI process to automate it for me. The reason that this is important is because GitHub Actions uses a git repository as the distribution mechanism for an action. Since actions are actually just Node.js applications, that means that the repository needs to contain the application, and its dependencies. It needs to actually contain the node_modules directory. But... you're not supposed to check that in, are you? No! You're not. At least... not in your development branch, which is why I recommend a two-branch approach.
  • libgit2 v1.0 Released
    After many years of planning, writing code, and fixing bugs, libgit2 v1.0 has been released. 🎉🎉🎉 libgit2 is a linkable library for working with git repositories in any application, and you probably interact with the library, even if you don't know it. That's because libgit2 powers your applications and your hosting provider, whether you use GitHub, GitLab, Bitbucket, or nearly anybody else. The Git community -- really, every software developer -- depends on libgit2. And we've finally released libgit2 v1.0.
  • libgit2 v0.99 Released
    Today we've released libgit2 v0.99. 🎉🎉🎉 libgit2 is a linkable library for working with git repositories in any application. It's used by IDEs, GUI clients for Git, hosting providers, scientific computing tools, and even scuba diving log software. Whether you keep your code on GitHub, GitLab, Bitbucket, or nearly anywhere else, it's libgit2 that does the work every time you click the "merge pull request" button. So if you write software, you've probably used libgit2, even if you don't know it. And -- finally -- we're getting close to releasing version 1.0.
  • GitHub Actions Day 31: Adding an Action to the Marketplace
    Yesterday we built an action that let you send a tweet from a GitHub Actions workflow. Once we built it, you can use it by referencing it in my repository, as ethomson/send-tweet-action@v1. But... how do people find it? If we publish this action to the GitHub Marketplace, then people who want to build a workflow have a focused place to look for actions that they can use to extend GitHub. The marketplace will even show up in the workflow editor, so that people can find actions easily.
  • GitHub Actions Day 30: Integrating Other APIs in an Action
    Yesterday we built an action that posted to a GitHub issue. It showed how easy it is to work with GitHub APIs from within an action. But actions are generally written in JavaScript, so they can easily integrate with APIs from other services. This lets you create actions that can create an issue in Jira, send a text message, or upload security information about your project. One of the things that I want to automate is sending a tweet -- this is something I do whenever I release a new version of something, to announce its availability.
  • GitHub Actions Day 29: Creating an Action
    So far this month we've looked at a lot of workflows for GitHub Actions. Almost all of them will run commands as part of the workflow. Some of them will also make use of actions to help set up the environment or expand the workflow. An action is a piece of code -- either a runnable Docker container or a JavaScript application -- that you can re-use within several workflows. And it's straightforward to create your own action that you can use in your workflows or share with others. GitHub provides a toolkit to help you get started building a workflow in JavaScript or TypeScript. I'm going to take the TypeScript sample as a start and create an action that listens for comments on an issue.
  • GitHub Actions Day 28: Repository Automation
    This month we've looked at a lot of different ways to build and test your code when a pull request is opened, or when a pull request is merged into the master branch. And we've looked at different ways to deploy your code to a package registry or to a cloud provider. But GitHub Actions provides triggers for any operation that happens in your repository, not just the ones that start CI/CD workflows. Here are some simple examples that display information about the event and are a good basis to build on.
  • GitHub Actions Day 27: Deploy to Cloud
    So far this month, we've looked at a lot of ways to build and test your software. And we've looked at a few ways to package up your software. But how do you actually get it running in your cloud service provider? As my buddy Damian says, "friends don't let friends right-click publish". Instead, a best practice is to script your deployments so that they're reliable and reproducible.