今日已更新 213 条资讯 | 累计 20683 条内容
关于我们

标签:#GitHub

找到 1034 篇相关文章

AI 资讯

I Thought Open Source Was About Code. I Was Wrong.

The biggest lessons I learned from open source contributions weren't found in the code itself. Communication, collaboration, and workflows matter more than I expected. For a long time, I hesitated to contribute to open source. Part of it was because I assumed that contributing meant writing code. As a self-taught developer, that felt intimidating. The other part was "Git anxiety." Forks, branches, pull requests, merge conflicts, and CI checks all seemed like a lot to understand before I could even make a contribution. Eventually, I started small. Instead of focusing on code, I looked for opportunities to improve documentation, README files, and learning materials. What surprised me was that writing the actual change was often the easy part. Most of my learning happened outside the code itself: understanding contribution guidelines, repository workflows, automation, and review expectations. Over time, I realized that modern open source contribution is about much more than just writing code. Contribution Model Has Changed When many people think about open source contributions, the mental model is still fairly simple: Find Bug ↓ Write Code ↓ Open PR In reality, I realized that most modern repos involve much more than that. Before making a change, contributors often need to understand project workflows, CI pipelines, automated checks, contribution guidelines, and review expectations. The code change itself might only take a few minutes, while understanding how the repo operates can take much longer. A modern contribution often looks more like this: Understand Repository ↓ Understand Workflow ↓ Understand Automation ↓ Make Change ↓ Open PR ↓ Respond to Review It looks intimidating, but I think this flow helps projects stay maintainable as communications grow. What I've learned from contributing to different projects is that open source is not just a coding skill. It's also a collaboration skill. The faster you can understand how a project works, the easier it becomes to

2026-06-11 原文 →
AI 资讯

Most repos hit by the Shai-Hulud worm are still infected a week later, and the obvious fix punishes the victims.

This is a follow-up to my earlier posts, and it is more of an open question than an answer. I have the data, I have a way to act, and I am genuinely unsure that acting is the right call. I could use the community's help thinking it through. Last week a supply-chain worm got into my GitHub account and repositories. I got out, cleaned up the proper way, and wrote it up. Then I checked the public list of repositories hit by the same worm, to see how the cleanup was going across the ecosystem. Nearly a week later, most of them are still carrying the live payload. It is worse than a count When you look closely, a lot of the owners are clearly trying. But they are missing how this actually works, in two ways that matter: Deleting is not removing. They remove the malicious files with an ordinary commit. That takes the payload off the branch tip, but the commit that introduced it is still in history, and the blob is still recoverable by anyone who reverts or checks out the old commit. The only real removal is rewriting history (reset, not revert) and asking GitHub to purge the objects, because the fork network keeps them reachable by SHA. One branch is not all branches. They clean the branch they know about and never see the backdated copies the worm planted on other branches, which are still live. And the part that genuinely worries me: some of these owners are almost certainly opening the infected repository in VS Code or an AI assistant to fix it , which is exactly the trigger that runs the payload again. The act of trying to clean it can re-detonate it. So: a large number of repositories still carrying a live credential stealer, and a large number of owners and contributors who do not know they are still exposed. The dilemma Here is where I am stuck. There are two paths and I do not like either. Report them to GitHub. Their response is automated and blunt. The repo gets disabled, with no human in the loop, the same hands-off automation that locked me out of my own accou

2026-06-11 原文 →
AI 资讯

Copilot Chat Goes GA in PRs — But Multi-Repo Visibility Is Still Missing

GitHub moved Copilot Chat's richer pull request experience to general availability this week — side-by-side chat with diffs, inline editing, and context-aware answers without leaving the review view. Previously in public preview, it is now live for all Copilot license holders. It is a real improvement for reviewing changes inside a single pull request. But it highlights a gap that per-PR AI tooling structurally cannot close: knowing what is open across the rest of your organisation. The Problem That Lives Outside the PR Most engineering teams don't work in one repository. They ship across services, libraries, and infrastructure — often with related PRs open in multiple repos simultaneously. A reviewer approving a payments service change without knowing that a dependent auth-service PR is still in draft is reviewing without full context. This is not a quality-of-feedback problem. It is a visibility problem. No amount of intelligence surfaced inside a PR tells you what is happening across your repositories. Gartner's 2026 assessment of AI coding agents makes the point clearly: the bottleneck has shifted from generating code to reviewing, securing, and governing it. Better per-PR AI raises the floor on feedback quality. The teams that pull ahead will be the ones who also solve the coordination layer — which PRs are open, which are stale, which are blocked on a dependency in another repo. What Changes With Better In-PR AI GitHub's GA release makes the review experience faster and less disruptive for individual PRs. That matters. But as per-PR intelligence becomes table stakes, the differentiator shifts toward cross-repo awareness: who is waiting for review, what related work is in flight, and where the actual bottlenecks in the delivery pipeline are. Engineering leaders should be watching PR age distribution and review load across all repositories — not just the ones that happen to be open in a browser tab right now. For teams already dealing with multi-repo sprawl, Cod

2026-06-11 原文 →