今日已更新 63 条资讯 | 累计 20533 条内容
关于我们

标签:#GitHub

找到 1033 篇相关文章

AI 资讯

How I built an automated SBOM scanner to secure my supply chain 🛡️

Supply chain security is terrifying right now. With new vulnerabilities popping up daily and governments mandating compliance (like the EU CRA and US Executive Orders), I realized my open-source projects were completely flying blind. I needed a Software Bill of Materials (SBOM) to track exactly what dependencies I was shipping. But every tool I found was either a massive enterprise platform or a clunky CLI tool that took forever to set up. So, I built my own. It's called Deptic . 🏗️ The Architecture I wanted the developer experience to be completely frictionless: you paste a GitHub URL, and it instantly spits out a compliant SBOM and highlights any critical CVEs. Here is the tech stack I went with: Next.js 14 (App Router): For a lightning-fast React frontend and seamless API routes. Go (Golang): The backend scanning engine. Go's incredible concurrency allows it to parse massive dependency trees in milliseconds. Supabase: For database management and instant authentication. Tailwind CSS: Because writing raw CSS is pain. 🧩 The Hardest Part: Dependency Resolution Building the UI was easy. Parsing package.json or go.mod files? Also easy. The hardest part was recursively walking down the dependency tree to find transitive dependencies (the dependencies of your dependencies). I had to write custom parsers that could speak to the NPM registry, PyPI, and Maven Central simultaneously to map out the entire tree and cross-reference them with global CVE databases in real-time. 🚀 The Result What started as a weekend script turned into a full platform. Deptic now supports: Instant scanning of public GitHub repos. Generating perfectly compliant CycloneDX (1.5) and SPDX (2.3) JSON files. Live CVE vulnerability detection. Try it out! If you want to see exactly what dependencies are hiding in your codebase, you can run a free scan here: 👉 deptic.netlify.app It's completely free for developers. I would love to get your brutal feedback on the UI, the scanning speed, or any feature reque

2026-06-14 原文 →
AI 资讯

Tag release pipelines without a 400-line GitHub Actions workflow

You push v1.2.3 and expect a predictable sequence: tests pass → version is resolved → GitHub Release is created . In practice, teams usually pick one of two painful options: One giant workflow — every stage in a single YAML file. It works until you need reuse, workflow_call , or different triggers per stage. workflow_run chains — workflow A triggers workflow B. Passing outputs between runs is awkward, and renaming a workflow breaks the chain silently. There is a middle path: keep small, focused stage workflows (the ones you already have), declare order and wiring in one pipeline file , and use a single orchestrator step on tag push. This tutorial uses pipeline-compose-run — available on the GitHub Marketplace — and a copy-paste example you can drop into any repo. Full example (copy .github/ ): examples/run-tag-release What we are building On git push origin v* : release.yml ← one job, one action step └─ pipeline.yml ← declares order + wiring ├─ ci.yml ├─ stage-version-sync.yml → exports version └─ stage-release-publish.yml ← receives version No generated workflow to commit. No manual workflow_run graph. Step 1 — Entry workflow Create .github/workflows/release.yml : name : Release on : push : tags : [ " v*" ] permissions : contents : write actions : write jobs : run-pipeline : runs-on : ubuntu-latest steps : - uses : actions/checkout@v6 - uses : aeswibon/pipeline-compose-run@v0.3.0 with : pipeline_file : .github/pipelines/pipeline.yml github_token : ${{ github.token }} The actions: write permission is required because the action dispatches your stage workflows via workflow_dispatch . Step 2 — Pipeline file (order only) Create .github/pipelines/pipeline.yml : name : pipeline version : 1 stages : - id : ci workflow : .github/workflows/ci.yml - id : version-sync workflow : .github/workflows/stage-version-sync.yml needs : - ci outputs : - version - id : release-publish workflow : .github/workflows/stage-release-publish.yml needs : - version-sync inputs : version : ${{ co

2026-06-14 原文 →
AI 资讯

agentic workflows are being domesticated by actions

GitHub's Agentic Workflows preview has the kind of headline that makes people reach for the wrong conclusion. Natural language Markdown can turn into GitHub Actions workflows. That sounds like "the YAML is going away." I do not think that is the interesting story. The interesting story is that the agent is not escaping the workflow engine. It is being pulled into it. That matters because a lot of agent demos still pretend the future is a smart process floating above the boring machinery: the agent understands the request, edits the repo, runs some commands, and hands back a neat result. Nice demo. Very clean. Production engineering is not clean like that. Production engineering has permissions, logs, runner groups, approval rules, secrets, firewalls, budgets, weird old repositories, compliance questions, and someone who has to explain what happened when the helpful automation did something surprising. So the shape of Agentic Workflows is useful precisely because it is less magical than the demo version. GitHub is putting agents inside the same CI/CD world that already carries a lot of organizational trust. That is the right direction. markdown is not the control plane The cute part is that a developer can describe a workflow in Markdown and have GitHub turn that into standard Actions YAML. That is useful. YAML is not a personality test, and most teams have better things to do than memorize every Actions syntax edge case. But Markdown is only the input surface. The control plane is still Actions. That distinction matters. If the generated workflow is a normal Actions workflow, then all the existing machinery can still matter: repository permissions, runner selection, logs, environments, approvals, branch protection, organization policy, and whatever security controls the company already built around CI. This is where I get more optimistic about agentic tooling. The bad version of agents asks every organization to trust a new, parallel execution model because the mode

2026-06-14 原文 →
AI 资讯

From Confused to Confident: How I Finally Mastered GitHub Copilot in Every Situation

From Confused to Confident: How I Finally Mastered GitHub Copilot in Every Situation I still remember the afternoon I rage-closed VS Code because Copilot kept suggesting the wrong function signatures — again . I had been treating it like a magic oracle, typing vague comments and expecting perfect code to rain down from the AI heavens. Spoiler: that's not how it works. After weeks of trial, error, and a few embarrassing pull request reviews, I cracked the code (pun intended). Here's everything I wish someone had told me about using GitHub Copilot accurately — across Chat , Plan , and Agent modes. 🧠 First, Understand What Copilot Actually Is Before diving into tips, let's reset expectations. GitHub Copilot is not a search engine. It's not Stack Overflow with a fancy UI. It's a context-aware AI assistant trained on massive amounts of code. That means: The quality of your output depends directly on the quality of your input . It works best when it has rich context — open files, good comments, clear naming. It can be wrong. Confidently wrong. Always review what it generates. With that mindset locked in, let's explore each mode. 💬 Copilot Chat: Your Pair Programmer in the Sidebar The first time I opened Copilot Chat, I typed: "fix my code." It stared back at me, basically confused. Of course it was — I hadn't told it which code, what was broken, or what I expected. Tips for Accurate Chat Usage 1. Be specific and contextual. Instead of: "Why isn't this working?" Try: "This useEffect hook in React runs on every render instead of only when userId changes. Here's the code: [paste snippet]. What's wrong?" The more context you give, the more surgical the answer. 2. Use slash commands to guide intent. Copilot Chat supports built-in commands that dramatically improve accuracy: /explain → Explains selected code in plain English /fix → Suggests a fix for a highlighted bug /tests → Generates unit tests for selected code /doc → Writes documentation for a function or class These aren'

2026-06-14 原文 →