Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Follow the wormhole through a path of communities !webdev@programming.dev
skimmed.
preface: I do not like Microsoft or GitHub
a lot of the points I read seem like skill issue
there is validation for the yaml files, some of the criticism is correct. on occasion the error system in actions does not spit anything useful, you cannot dry run them even if you have self hosted runners
but to say it's killing your engineering team when it's just vibes at my work seems odd, your bad CI is killing your team maybe, but GitHub actions is not the problem
Well, I'm in that Nix shop category. For example, I run tests for my OSS project using lots of Python versions. There's no need to use a Github Actions matrix for that - Nix does it more efficiently. Doesn't even require containers or VMs. And the whole setup runs exactly the same locally, on Github Actions, or on Garnix. (But Garnix has better Nix caching than other CI runners, so that's what I use.)
What's your solution to handle secrets locally?
There are a few options:
Sops-nix or Agenix store secrets encrypted in the repo. Each local machine needs to be set up with a PGP or an SSH key to decrypt and encrypt as necessary. This is what I do with my NixOS configuration.
Manage secrets externally to repo code. I like to use direnv; sometimes I configure the checked-in .envrc file to source another file with secrets, that is not checked in.
Don't use secrets locally. If secrets are things like deploy keys, and I want all deploys going through CI, then I don't want secrets configured locally. Instead running a deploy script locally should be a dry run, which doesn't need secrets.
Generate secrets at runtime. This is for cases where the project runs a cluster of services which need to authenticate with each other. For tests with locally running test services, authentication is confined to this isolated system. So secrets can be generated at test time, and written to env or config files that are not checked in.
In your CI which one do you use? I also use SOPS for my own, but it's overhead... So wondering which you settled on?
I use sops for NixOS, but those secrets aren't accessed in CI. For actual CI I've used a combination of 2-4 above.
Sounds about right.
I'm using GitHub actions at work because this place is extremely dysfunctional, and I can just add GitHub actions without it being a whole "research spike planning meeting impact analysis" six week journey.
I took it from "there are absolutely no checks and Bob broke the environment because he pushed up a change that's just invalid syntax" to... well, I couldn't make it block the build on failures but at least now when Bob breaks it again I can point to the big red X and ask why he merged with an error.
If you can get the permissions to do it set the protected branch and prevent merge on build failures. This is a repo setting that will work with any ci provider assuming it updates the PR status.
I thought about it but people are so sensitive here. If they broke something and couldn't merge they'd probably raise a big stink, and then there's good odds the checks would be removed "because they're adding friction" or some nonsense. My boss has already warned me about staying in my lane.
These people have never done any automated testing of any sort. No linter. No unit tests. And they don't seem to want to.
Time to look for a better boss
Well, yes, though my direct manager isn't the worst. He's trying to protect me from other teams that might get pissy.
One of my friends is a product manager type and his analysis was basically "if stakeholders don't care it's not a problem, even if by any reasonable metric it is a problem". So. Here we are.
I mean, sure... But for most users of GitHub actions "it's easy and free" is a huge benefit, easily outweighing any technical advantages Buildkite might have.
TLDR; people are idiots. Dependencies are stealing your data. Write your own CI and stop being a lazy fuck.
Write your own CI and stop being a lazy fuck.
Tell me you're unemployed without telling me you're unemployed
Tell me you’re not a developer without telling me you’re not a developer.
I agree with everything he said, but I'm currently living in the simple, honest truth of God's own "bash" just like he describes and I'm loving it. Maybe someday I won't. Maybe someday will be soon. Maybe my bash scripts are horrible nightmare fuel. But they're also my children. I love them. Even the ugly ones.
I do indeed "have 800 lines of bash that reimplements job parallelism with wait and PID files, has its own retry logic built on a for loop and sleep, and parses its own output to determine success or failure." I do suspect the script is self-aware. This pleases me. I will bend to its desires. If there comes a time when it no longer desires to perform CI for me, I will respect its wishes.
Why not use python at that point? Sounds like the bus factor would be pretty big on this one
This the most logical solution. Python is what you (should) turn to when your Bash scripts start looking like real software. Whenever I see a (non-geriatric) developer with a giant bash script, my first assumption is that this is a junior dev who doesn't know better.
Bash that can do the same job regardless of ci tools is underrated. I likevthat setup too because if your tesm eber needs to run a job/deploy/ect they can with the same exact processes the ci employs.
I'm not sue who Ian Duncan is but i bet they sell or are in the business of developer tools. They always think their better solution is necessary rather than the enemy of having something is wat better than nothing.
Get off github but action on if it keeps your core compiling and your tests run!
Im not sure about the CI solution they are recommending, but I do agree there are some sharp edges to GH Actions. Its not the greatest at logs and had hidden issues all over the place.
I've the impression that it's moving the problem to another vendor instead of solving it. Not exactly sure how to feel on this topic.
Lot of complaining for issues that are easily side stepped, but maybe cos I've learnt it all already, but it does fill the article with lots of words.
The byo compute and logs thing is half the rant which has never even been a problem for me in the last 4 years on GH.
Not sure between config and programming? You literally can choose that yourself.
Biggest issue for CI for me is how to get CI secrets locally.. which I don't know a good answer for.
Nix is great but try getting your whole team / org on it...
Yep. Been there done that. Still doing that. Most of these can be worked around. Doesnt make if less annoying, more infact. But still... its fine.
At the very least its version controlled which is more praise than I can give Jenkins at least one out of the box.
My work uses Azure Dev Ops because it's "free", I assume it's effectively just GitHub actions, but without the AI (because no one has updated it in the last 5 years)?
If so, I can agree the agents are awful.
Believe it or not in some ways they are better and more flexible and in other ways they're more limited. Basically they are totally separate situations to the same problem.
Since they now have the same owner, you've already identified which one is gaining features and fixes.