今日已更新 80 条资讯 | 累计 20052 条内容
关于我们

标签:#cicd

找到 38 篇相关文章

AI 资讯

I built an LLM eval framework from scratch. Here is what I wish I had bought instead.

One weekend I wrote an LLM eval framework in about two hundred lines of Python. It demoed beautifully. I felt clever. Six months later that same framework was a mess. Three different judge models with three different parsing hacks. A test dataset nobody had touched since November. A CI gate that kept failing because a vendor nudged their model, not because anyone broke a prompt. And the second engineer on rotation asking me, fairly, "how does this even work?" The framework did not fail. The eighty percent of the work the weekend tutorial skipped is what failed. That gap is the whole story, and this is what I would tell myself before starting again. The one line I wish someone had told me: build the rubric, buy the runner Here is the split that took me six months to see. Some parts of an eval setup are yours and only yours. The rubric that decides what "good" means for your product. The dataset built from your real failures. The rules for when a change is bad enough to block a release. Nobody else can write these, because they encode your domain. The rest is the same at every company. The thing that calls the judge model, parses its answer, retries, and caches. The machinery to run thousands of checks in parallel. The plumbing that scores live traffic. The system that groups failing calls together. Every team rebuilds these, hits the same bugs, and gains nothing by writing them twice. So build the first list. Do not hand-build the second. I rebuilt the second, and it cost me most of a year. Two questions I now ask about every single piece Before writing any part of this, I ask two things: Is it specific to me, or generic? A rubric for my domain is specific and worth owning. A retry-and-cache loop around a model call is generic. Everyone writes the same one. Does it compound, or does it rot? A dataset that grows from real production failures compounds. A year in, it is a regression suite no competitor can copy. A hand-built tracing layer rots. The moment a vendor chan

2026-07-15 原文 →
AI 资讯

The Modern Browser Testing Stack: AI, CI, Human Review, and the Cost of Maintenance

Browser automation used to be easier to describe. A test opened a page, filled in a form, clicked a button, and checked the result. The hardest parts were usually selectors, waits, and browser compatibility. Those problems still exist, but the surface area has expanded. Today, browser tests may need to handle streaming interfaces, MFA, AI-generated content, multiple operating systems, preview deployments, canary releases, and code changes proposed by AI assistants. The challenge is no longer just writing a script that passes. The challenge is building a testing system that remains understandable and affordable after hundreds of tests and thousands of CI runs. Start by measuring instability instead of normalizing it Flaky tests often become accepted background noise. A test fails, CI retries it, and the second run passes. The pipeline turns green, so the team moves on. Over time, the retry count grows and nobody is sure which failures matter. The problem is that a passing retry does not erase the cost of the first failure. The article on calculating the real cost of flaky test retries in CI provides a useful framework for evaluating compute costs, developer interruptions, delayed feedback, and investigation time. A simple reliability metric can help: first-attempt pass rate = tests passing without retry / total test executions This is often more revealing than the final pipeline pass rate. A suite with a 99% final pass rate may still be deeply unstable if many tests require multiple attempts. Reproduce the environment before changing the test When a browser test fails only in CI, teams often edit the test before reproducing the environment. That can lead to unnecessary waits and conditionals. One of the most common variations is a test that passes in visible Chrome but fails in headless mode. The explanation is not always “headless Chrome is flaky.” Differences in viewport, rendering, animation, fonts, and resource timing can all change application behavior. This det

2026-07-15 原文 →
AI 资讯

What a Refinery Taught Me About CI Pipelines

I’m currently relearning the Core Three — HTML, CSS, and JavaScript — as I work toward becoming a full-stack JavaScript developer. Before I came back to learning software, I spent 22 years working industrial turnarounds. One lesson from that world has followed me into software engineering: Never trust a single point of failure. In industrial maintenance, there’s a safety practice called double block-and-bleed . Instead of trusting one isolation valve, you use two independent valves with a bleed point between them. If one valve leaks, you know immediately. The entire system assumes individual components can fail. Safety doesn’t come from perfect parts. It comes from independent layers of protection. That idea completely changed how I think about CI pipelines. When I first started relearning web development, my mindset was simple: Run Lighthouse. Everything green? Great. 100 across the board locally? Even better. Ship it. Different results after deployment? Uh-oh. Now I see Lighthouse as one checkpoint — not the finish line. A fast website can still have accessibility issues. An accessible site can still have broken metadata. Good SEO won’t catch rendering bugs. Passing unit tests won’t tell you if the generated HTML is malformed. Every tool has blind spots. No single tool should get the final vote. So instead of asking: “Did my tests pass?” I ask: “What kinds of failures could still slip through?” That question naturally leads to layered validation. Formatting Linting Type checking Accessibility checks Performance audits HTML validation SEO analysis Manual review None of these tools is perfect. Together, they’re much stronger than any one of them alone. The more I learn about software, the more I find myself applying lessons from heavy industry. Different environment. Different risks. The same engineering mindset. Assume components will fail. Design systems that fail safely. That’s becoming the philosophy behind every test matrix and CI pipeline I’m designing. What’s

2026-07-11 原文 →
AI 资讯

Hướng dẫn chạy kiểm thử API Apidog CLI trên Drone CI

Bạn có thể chạy bài kiểm tra API của Apidog CLI trong Drone CI bằng một bước Docker dùng ảnh Node, cài apidog-cli , rồi gọi apidog run với test scenario và environment tương ứng. Token Apidog nên được lưu trong Drone Secret và inject vào pipeline bằng from_secret . Bài viết này cung cấp cấu hình .drone.yml có thể copy-paste, cách quản lý secret, giới hạn chạy theo branch/event và cách xuất báo cáo khi Drone không có artifact storage tích hợp sẵn. Dùng thử Apidog ngay hôm nay Drone CI là gì và hoạt động như thế nào Drone là nền tảng CI/CD mã nguồn mở, chạy theo mô hình container-native và hiện là một phần của Harness. CI/CD là thực hành tự động build, test và phân phối phần mềm trên mỗi thay đổi mã nguồn. Nếu cần ôn lại nền tảng, xem thêm CI/CD là gì . Điểm quan trọng của Drone: mỗi step trong pipeline chạy trong một Docker container riêng. Bạn chọn image cho từng step, sau đó Drone chạy các command trong container đó. Cách này giúp pipeline dễ tái tạo, dễ debug và không phụ thuộc vào một build agent đã cài sẵn nhiều công cụ. Pipeline được khai báo trong file .drone.yml ở thư mục gốc repository. Một Docker pipeline thường có: kind type name steps Ví dụ tối thiểu: kind : pipeline type : docker name : api-tests steps : - name : greeting image : alpine commands : - echo hello - echo world Drone chạy commands như shell script với cơ chế fail-fast. Nếu một command trả về exit code khác 0 , build sẽ fail. Working directory mặc định là thư mục gốc của repository. Vì sao nên chạy API test trong container step API test giúp phát hiện sớm các thay đổi phá vỡ contract, ví dụ: response schema thay đổi ngoài ý muốn status code khác kỳ vọng field bắt buộc bị thiếu logic xác thực hoặc phân quyền bị lỗi Với Apidog, bạn thiết kế và duy trì test scenario trong UI, sau đó chạy lại chính các scenario đó từ CLI. CI không cần giữ thêm collection file riêng hoặc viết lại test script. Để xem thêm về cách đưa API testing vào pipeline, đọc các phương pháp hay nhất về CI/CD cho kiểm tra API .

2026-07-08 原文 →
AI 资讯

Test Isolation

Test Isolation: A Lesson I Learned While Migrating Playwright Tests During my software engineering internship, I helped optimize our CI pipeline by identifying which E2E tests could safely run in parallel. That work quickly taught me that the biggest obstacle wasn't Playwright or Python, it was test isolation. This article is about that lesson. What is test isolation? A simple rule I now use is this: if a test can't run by itself with the same outcome, it probably isn't truly isolated. A well-isolated test should produce the same result whether it: runs by itself runs first or last runs after another test runs in parallel with hundreds of other tests To understand test isolation, it also helps to understand what state means. State isn't limited to database rows. During the migration, I found tests interacting with many different kinds of state. database records global configuration filesystem resources application caches If any of these are shared between tests, they become potential sources of hidden dependencies. How tests lose isolation As I started reading the existing test suite, I noticed a recurring pattern. Many tests assumed something about the environment instead of creating it themselves. Some expected specific data to already exist. Others modified global settings without restoring them afterward. Some searched for rows based on their position in a table instead of using a stable identifier like a name or ID. None of these looked particularly problematic when reading a single test. The problems only appeared once the entire suite started running together. One test would leave behind data another test didn't expect. A shared configuration would silently affect unrelated tests. A UI assertion would suddenly fail because another test inserted an extra row into the same table. Individually, the tests appeared independent. Together, they formed hidden dependencies. Not all shared state is equally difficult to isolate One realization that helped me reason abou

2026-07-07 原文 →
AI 资讯

Scaling Terraform Infrastructure Beyond a Single Team

When a single engineer manages all the Terraform in an organisation, everything is simple. One repo, one state, one pipeline, one set of credentials. There's no coordination overhead because there's no one to coordinate with. That stops working the moment a second team needs to deploy infrastructure. And by the time you have three or four teams — networking, platform, application, security — the single-team model is actively slowing everyone down. This guide covers what breaks, how teams typically work around it, and how to set up a structure where each team owns their slice of infrastructure independently. What breaks State lock contention Terraform's state locking is per-state. When the networking team is running terraform plan , the application team's pipeline is blocked — even though they're changing completely unrelated resources. The more teams share a state, the more time everyone spends waiting. Blast radius A junior engineer deploying a new application service shouldn't be able to accidentally destroy the VPC. But if application resources and networking resources share a state, a single misconfigured terraform apply can touch anything. Code review catches some of this. Not all of it. Credential sprawl A shared pipeline needs credentials for everything — the networking team's Azure subscription, the application team's AWS account, the security team's DNS provider. Every team's secrets end up in one CI environment, accessible to anyone who can trigger a run. This fails most compliance audits. Approval bottlenecks In many organisations, one person or a small group gatekeeps all infrastructure changes. Every PR needs their review. Every apply needs their approval. The gatekeeper becomes a bottleneck not because they're slow, but because they're a single point of serialisation for all infrastructure work. Backend access as implicit access control Terraform has no built-in concept of per-team or per-workspace permissions. All workspaces in a backend share the sam

2026-07-06 原文 →
AI 资讯

Managing Terraform Across Multiple Cloud Providers

Most organisations don't live in a single cloud. You might run compute in AWS, DNS in Cloudflare, identity in Azure AD, and logging in GCP. Terraform handles each provider fine on its own, but the moment you need to coordinate across providers the tooling fights you. This guide walks through the common pain points of multi-cloud Terraform setups and the approaches teams use to cope — then shows how Snap CD makes cross-cloud dependency management a solved problem. Where it gets difficult Credential sprawl Each cloud provider has its own authentication mechanism. AWS uses IAM roles and access keys. Azure uses service principals and managed identities. GCP uses service accounts and workload identity federation. A single Terraform state that spans providers needs credentials for all of them — which means your CI runner or developer workstation holds keys to everything. That's a security problem. A compromised CI pipeline with AWS and Azure credentials exposes both clouds simultaneously. And it's an operational problem — rotating credentials means updating every pipeline that touches that state. This problem compounds at scale: Terraform couples provider processes tightly to credentials , so managing hundreds of accounts across clouds means spawning thousands of provider processes, which quickly becomes unmanageable. Provider version conflicts Terraform providers are versioned independently. Upgrading the AWS provider to fix a bug in aws_eks_cluster shouldn't require you to also test a new version of the Azure provider. But when they share a state, a terraform init -upgrade pulls new versions for everything, and a regression in one provider blocks all deployments. Terraform also lacks built-in support for instantiating multiple providers with a loop and passing providers to modules in for_each , making multi-cloud configurations especially verbose and repetitive. Blast radius across clouds A misconfigured terraform apply in a single-cloud state damages resources in one c

2026-07-06 原文 →
AI 资讯

A Docker-Based AWS SES Smoke Test With Disposable Inboxes

Use Docker and a disposable mailbox to verify AWS SES delivery in CI before release without touching shared inboxes or leaking test mail. Shipping an app that "sent the email" is not the same as shipping an app that delivered a usable message. In AWS stacks, the miss usually shows up late: a container points at the wrong SES region, a preview environment uses stale credentials, or the message lands with broken links after templating. A disposable email address check is a simple final guardrail, and its easy to automate when your mail sender already runs in Docker. This is the pattern I recommend when teams are searching for temp mail com style testing, but need something cleaner for production-like CI. The goal is not to replace unit tests or the Amazon SES mailbox simulator . The goal is to prove that your real app container, with real environment wiring, can send one controlled message and that the inbox content is worth shipping. Why this check belongs in the release path AWS SES is strict in useful ways. If your account is still in the sandbox, you can only send to verified identities or the mailbox simulator . Even after production access, delivery problems still happen becuase the application layer and the cloud layer drift separately. A practical smoke test catches things that mocks often miss: wrong AWS_REGION or SES endpoint selection missing secrets in the container runtime template variables that render empty in preview builds broken confirmation links caused by bad environment URLs unexpected sender identity changes between staging and release That list looks basic, but it doesnt stay basic when three services, one worker, and a release job all touch outbound email. A small Docker pattern that keeps the test deterministic Keep the sender in the same Docker image you deploy, but trigger a narrow email scenario from CI. For example, seed a temporary user, call the notification path once, then poll a disposable inbox API for the matching subject line. servi

2026-07-03 原文 →
AI 资讯

I Spent 40 Minutes at 11pm Debugging a Deploy That Wasn't Broken

I once spent forty minutes at eleven at night debugging a deploy that wasn't broken. The release script ran the database migration, the migration threw connection refused , the script exited non-zero, the deploy rolled itself back, and I got paged. So I did the things you do. I read the migration. I read the logs. I checked the database — it was up, it was healthy, it accepted my connection instantly. I re-ran the deploy and it worked. I chalked it up to gremlins and went to bed, which is the part I'm not proud of, because it happened again two days later. That time I watched the timing: the script brought up a fresh database container and started the migration about six seconds before Postgres finished initializing and began accepting connections. The migration was racing the database's boot. Most of the time it won. The times it lost, I lost forty minutes. The script wasn't wrong about anything except one assumption: that a dependency is ready the instant you ask for it. In production, dependencies are eventually ready That's the mental model shift. Networks blip. A service you call returns a 503 for the two seconds it takes to finish a rolling restart. An API rate-limits you with a 429 it fully expects you to retry. A fresh container's database isn't accepting connections for its first few seconds. Treating the first failure as fatal turns every one of these normal, transient conditions into a paged engineer — and the script that handles them isn't smarter — it declines to give up on the first try. But retrying naively is its own trap. Retry instantly and you hammer a recovering service into staying down. Retry forever and a genuinely dead dependency hangs your script indefinitely. Retry a 404 and you wait a minute to confirm what you already knew. Good retries are bounded, backed off, and selective. A retry function you can reuse anywhere #!/bin/bash # Purpose: survive transient failures instead of dying on the first error set -euo pipefail CHECK = "✓" CROSS = "

2026-07-02 原文 →
开发者

The Terraform Awakens: Infrastructure as Code Quest

The Quest Begins (The "Why") Honestly, I was tired of playing “guess the state” every time I spun up a new environment. One day I clicked “Apply” in the AWS console, watched a handful of EC2 instances, S3 buckets, and IAM roles appear, and then realized I had no idea how to recreate that exact setup six months later when the team needed a staging copy. It felt like trying to rebuild the Death Star from memory after a single glance at the blueprints—frustrating, error‑prone, and definitely not the heroic saga I signed up for. That moment was my “aha!”: I needed a repeatable, version‑controlled way to describe infrastructure. Enter Infrastructure as Code (IaC). I’d heard the buzz, but the real question was which tool to wield—Terraform or CloudFormation? Both promised declarative provisioning, but they spoke different dialects. I decided to embark on a quest to learn both, slay the configuration drift dragon, and come out with a reusable spellbook I could share with anyone on the team. The Revelation (The Insight) The breakthrough came when I stopped thinking of IaC as “just another config file” and started seeing it as a storytelling language . Every resource block is a character, every variable a plot twist, and the state file the ever‑growing script that remembers what happened in previous chapters. When I wrote my first Terraform module, it felt like Neo realizing he could bend the spoon—suddenly the impossible became trivial. I could define a VPC, subnets, security groups, and an RDS instance in a few dozen lines, run terraform init , terraform plan , and watch the plan show exactly what would change before any resources touched the cloud. No more surprise “you created a public‑facing DB!” moments. CloudFormation, on the other hand, felt like the loyal sidekick that already lives in the AWS universe. Its JSON/YAML templates are native to AWS, so there’s no extra provider to install, and drift detection is built‑in. The trade‑off? A bit more verbosity and a steepe

2026-07-01 原文 →
AI 资讯

Splitting a Terraform Monolith into Smaller States

If your Terraform plans are slow, your blast radius is too wide, or multiple teams are stepping on each other's changes, it's time to split your monolith. See The Problem with Large Terraform States for how to diagnose whether you've reached that point. This guide walks through the process of breaking a monolithic Terraform state into smaller, focused states — and how Snap CD can manage the dependencies between them so you don't have to. The approach 1. Identify natural boundaries Look at your resources and group them by lifecycle and ownership. Common boundaries: Networking — VPCs, subnets, route tables, NAT gateways. Changes rarely, underpins everything. DNS — Zones, records. Usually owned by a platform team. Compute — Kubernetes clusters, VM scale sets, container services. Changes more often, depends on networking. Application infrastructure — Databases, caches, queues, storage accounts. Owned by application teams. Monitoring — Dashboards, alerts, log sinks. Changes frequently, depends on everything but nothing depends on it. A useful test: if two resources would never be changed in the same PR by the same person, they probably belong in different states. 2. Map the dependencies Before you move anything, draw the dependency graph. Which groups produce values that other groups consume? networking dns │ ▲ ▼ │ compute ──────────►─┘ │ ▼ application │ ▼ monitoring The outputs that cross these boundaries are what you'll need to wire up after the split. Typical examples: Networking → Compute: vpc_id , private_subnet_ids Compute → DNS: load_balancer_ip Compute → Application: cluster_endpoint , cluster_ca_certificate Application → Monitoring: database_id , cache_name 3. Use terraform state mv to migrate resources Terraform's state mv command lets you move resources from one state to another without destroying and recreating them. # Initialize the destination state cd modules/networking terraform init # Move resources from the monolith to the new state terraform state mv \

2026-06-30 原文 →
AI 资讯

The Problem with Large Terraform States

At some point every growing Terraform project hits a wall. Plans that used to finish in seconds now take minutes. Applies feel risky because hundreds of resources share a single blast radius. Colleagues avoid running terraform plan because it hammers cloud APIs hard enough to trigger throttling. The state file itself becomes a liability — large, slow to lock, and one bad write away from corruption. This guide covers the symptoms of an oversized state, the band-aids teams reach for, and the structural fix that actually works. How Terraform state works under the hood Every terraform plan does two things: Refresh — for every resource in state, Terraform calls the provider's API to read the current real-world status. A state with 500 resources means 500+ API calls, often more when resources have nested data sources. Diff — compare the refreshed state against the desired configuration and produce a change set. The refresh phase is the bottleneck. It's sequential per provider (parallelism helps across providers, not within one), and every resource pays the cost whether you changed it or not. Adding ten resources to a 500-resource state doesn't make plans 2% slower — it makes the refresh 2% slower on every single plan, for every engineer, forever. Symptoms of a state that's too large Slow plans The most visible symptom. Plan time scales with resource count because every resource is refreshed on every plan, regardless of whether its configuration changed. The exact speed depends on provider — AWS resources with complex nested structures (IAM policies, security group rules) are slower to refresh than simple ones, and Azure resources that require multiple API calls per refresh are worse still. These aren't edge cases — users regularly report 2,900-resource states taking 20–25 minutes to plan and 1,600-resource states taking 8+ minutes . Even starting Terraform with a large state can take minutes before a single API call is made . There's a long-standing proposal for terraform

2026-06-30 原文 →
AI 资讯

The GitHub Actions workflow that's been failing for weeks (and how to find yours)

trpc has a scheduled workflow called "Lock Issues & PRs." Its own scorecard shows it failing on almost every run. It is still scheduled, still running, still red. trpc ships excellent software, which is exactly the point: if a project this careful has a workflow that has been red for ages, the rest of us almost certainly do too. It is not a one-off. drizzle-orm has one ("Unpublish release"). cal.com has one ("PR Update"). I scanned 35 popular open-source repos and the same thing kept turning up: a scheduled workflow that fails on nearly every run, quietly, for a long time. Why nobody notices GitHub does email you when a scheduled workflow fails. So how do these survive? Two reasons. First, those emails are routine. You get them for flaky reruns and transient blips too, so you filter them out. Second, a workflow that is always red stops reading as a signal. It is just how that row looks now. I did exactly this on my own project. GitHub emailed me that a workflow had failed. The next day it emailed again. I saw it, told myself I would fix it tomorrow, and promptly forgot. It was my nightly database backup, quietly broken the whole time, and I only caught it when a failure-rate number crept up where I would notice. An always-red workflow is not free It burns minutes every run to produce nothing but a red X. Worse, it trains you to ignore the failure that actually matters: the day a real one lands in the same inbox you have learned to skim past. How to find yours Open your Actions tab and look at the scheduled workflows, the cron-triggered ones nobody watches. If the last several runs are all red, you found one. From the CLI: gh run list --workflow = "Lock Issues & PRs" --status = failure What to do about it Two honest options: fix it, or if the workflow is genuinely abandoned, turn it off. Do not leave it scheduled and red. gh workflow disable "Lock Issues & PRs" Or drop the schedule trigger from the workflow file if it should not run on a timer at all. A disabled work

2026-06-30 原文 →
AI 资讯

Why your GitHub Actions CI is slow (and how to speed it up)

Two days ago GitHub emailed me to say one of my workflows had failed. The next day it emailed me again. I saw it, told myself I would fix it tomorrow, and promptly forgot. It was my nightly database backup, quietly broken the whole time, and I only caught it because a failure-rate number nudged up. A failed run at least gets you an email. A slow run gets you nothing. GitHub never pings you when CI quietly takes twice as long, runs the whole suite twice per PR, or rebuilds dependencies from scratch every time. That waste compounds where no one looks. Here are the usual culprits, each with the exact fix. When I scanned 35 popular open-source repos, not one had a fully clean config. 32 of 35 had no concurrency control, 33 of 35 had no job timeouts, and 22 of 35 ran the full suite twice on every PR. If projects this polished leave minutes on the table, the rest of us definitely do. Your suite runs twice on every PR Trigger a workflow on both push and pull_request and, for a branch in the same repo, opening a PR fires both. You just paid for two identical runs. This one is pure waste and it can roughly halve your PR-related minutes. Trigger on pull_request , and keep push for your default branch: on : push : branches : [ main ] pull_request : Old runs don't cancel when you push again Push a fix 30 seconds after the first push and, with no concurrency group, both runs go to completion. The first is dead weight, and it is holding a slot in your queue while it finishes. This hides even when you do have a group: astro has a concurrency group on one workflow but left off cancel-in-progress , which our scan estimates leaves roughly 1,850 minutes a month on the table. Add a group keyed on the branch, with cancel-in-progress , so a new push supersedes the old run: concurrency : group : ${{ github.workflow }}-${{ github.ref }} cancel-in-progress : true Every run reinstalls dependencies from scratch No cache means every run re-downloads and rebuilds your dependencies. On a typical

2026-06-30 原文 →
AI 资讯

A homemade CI/CD pipeline with GitHub Actions

In the previous article on hosting a Next.js app on a VPS , I'd left the deployment pipeline as a rough sketch: four lines to say "it ships to production on its own when you push." That's the piece I want to open up here, because it's what separates a VPS you fuss over by hand from infrastructure you can forget about. There's a stubborn myth that CI/CD is a big-company thing, with a dedicated DevOps team and six-figure tooling. Not true. The pipeline that deploys this portfolio fits in two YAML files, you can read it in five minutes, and it gives me back exactly the comfort I liked about Vercel: I push to master , I go grab a coffee, the app is live when I'm back. The one thing I gained along the way is knowing precisely what happens between the git push and the running container. Four steps, in this order Deployment is a chain. On every push to master , GitHub Actions runs lint, security scan, image build, and deploy. What matters is the needs : as long as a step fails, the following ones don't start. A critical vulnerability caught by the scan, and the image never gets built. At all. jobs : lint : # ESLint runs-on : ubuntu-latest # ... security : # Trivy scan (reusable workflow) uses : ./.github/workflows/security.yml build-push : # build the Docker image → push to GHCR needs : [ lint , security ] # ... deploy : # SSH to the VPS → docker compose pull && up -d needs : [ build-push ] # ... Lint first, because it's the cheapest step and there's no point building an image if ESLint is already screaming. The scan next, as a barrier. Then the build, which produces the Docker image and pushes it to GHCR, GitHub's container registry (private, in my case). And finally the deploy, which connects over SSH to the VPS, pulls the new image and restarts the container. Four links, each blocking the next. That's the whole secret. The security scan is in the path, not in a review "for later" This is the one I won't budge on. Dependency security, in a lot of projects, is a Dependabo

2026-06-28 原文 →
开发者

PaperQuire Render Action — PDFs in Your CI Pipeline

Your docs should build themselves You write your documentation in Markdown. You keep it in a Git repo. Every time someone updates a spec or runbook, someone else has to open PaperQuire (or the CLI), render the PDF, and upload it somewhere. That manual step is now gone. The PaperQuire Render Action generates branded, print-ready PDFs directly in your GitHub Actions workflow — on every push, every PR, or every release. One step. That's it. - uses : paperquire/render-action@v1 with : files : ' docs/*.md' template : executive-report output : build/pdfs Every Markdown file matching the glob is rendered to PDF using the same Chromium engine as the desktop app. Same templates, same quality, no Pandoc or LaTeX to install. What you can build Auto-generate docs on push Whenever someone pushes to docs/ , produce fresh PDFs and attach them as build artifacts: name : Generate PDFs on : push : paths : - ' docs/**/*.md' jobs : render : runs-on : ubuntu-latest steps : - uses : actions/checkout@v4 - uses : paperquire/render-action@v1 with : files : ' docs/*.md' template : minimal-clean output : build/pdfs - uses : actions/upload-artifact@v4 with : name : pdfs path : build/pdfs/ Team members download the latest PDFs from the Actions tab. No Slack messages, no "can you re-export this?" Attach PDFs to releases Ship documentation alongside your code: - uses : paperquire/render-action@v1 with : files : ' docs/*.md' template : executive-report output : dist/ - name : Upload to release env : GH_TOKEN : ${{ github.token }} run : gh release upload ${{ github.event.release.tag_name }} dist/*.pdf Every release automatically includes the latest versions of your specs, guides, and reports. PR previews Use the action in pull request workflows so reviewers can download rendered PDFs before merging: on : pull_request : paths : [ ' docs/**' ] jobs : preview : runs-on : ubuntu-latest steps : - uses : actions/checkout@v4 - uses : paperquire/render-action@v1 with : files : ' docs/*.md' output : preview

2026-06-26 原文 →
开源项目

Docs as Code: Build a CI/CD Pipeline for Your Documentation

Your code has CI/CD. Your docs don't. Every modern engineering team has automated builds, tests, and deployments for their code. But documentation? That's still someone manually exporting a PDF, uploading it to Confluence, and hoping it's the latest version. This post shows you how to treat documentation like code: version-controlled Markdown in a Git repo, automatically rendered to branded PDFs on every push. No manual steps, no stale documents. The stack PaperQuire gives you three tools that work together: .paperquire.yml — project config that locks in your template, branding, and document options CLI — paperquire render and paperquire batch for scripting and local builds GitHub Action — paperquire/render-action for automated builds in CI Each one builds on the previous. The config file means no one has to remember flags. The CLI means you can test locally. The action means it happens automatically. Step 1: Add a project config Drop a .paperquire.yml in your repo root. Every render — GUI, CLI, and CI — picks up these settings automatically: template : corporate toc : true toc-depth : 3 h1-page-break : true cover : title : " Project Documentation" author : " Engineering Team" branding : primary-color : " #2563eb" This is your single source of truth for how documents look. Change it once, and every PDF across every environment updates. Step 2: Test locally with the CLI Before committing, verify your docs render correctly: # Render a single file paperquire docs/architecture.md -o out/architecture.pdf # Batch render the entire docs directory paperquire batch ./docs -o ./out # Dry run — validate without producing output paperquire batch ./docs --dry-run The CLI reads .paperquire.yml automatically. The output is identical to what CI will produce. Step 3: Automate with the GitHub Action Add one workflow file and your docs build themselves: # .github/workflows/docs.yml name : Build Documentation on : push : paths : - ' docs/**/*.md' - ' .paperquire.yml' jobs : render : ru

2026-06-26 原文 →
AI 资讯

Homebrew 6.0.0 turns third-party taps into an opt-in trust list

Your CI runner is a stranger with a credit card and root. Every brew install against a third-party tap is the same trust gesture as curl | sh , just wearing a nicer shirt. (We have all written that step in a script and clicked merge.) This week Homebrew said the quiet part out loud and asked you to consent to it first. The 6.0.0 release shipped the week before DevOps.com's writeup with a tap-trust gate. Out of the box, only taps on a pre-approved list will install. Anything else gets a refusal until a human runs brew trust user/repo . Trust binds to the remote's fully-qualified URL, so the same tap mirrored to a different host is a fresh decision, not a transitive one. What the gate actually refuses Before 6.0.0, the package manager treated user/repo as a name and walked off to fetch the formula. After 6.0.0, an unrecognised remote URL is a refusal at resolve time. Project Leader Mike McQuaid framed it in the 6.0.0 introductory post: The Homebrew team is aware of the supply-side security issues with other package managers. We've taken various steps to mitigate these risks for our users. (He has a point. The last few years of supply-chain incidents were not theoretical.) Tap-trust is one of those steps. It does not inspect the contents of a tap, scan a formula, or pin a SHA. What it does is force a human, or a script, to make an explicit, auditable statement: this remote URL is one we accept. Where your pipeline will feel it DevOps.com flags the part that matters for this site's audience: CI/CD pipelines using Homebrew will need to add brew trust commands to their setup scripts. Quietly bump the Homebrew action on your runner image and the next build that touches a non-core tap will fail at the install step, well before any test runs. That is a feature, but only if you read the changelog. The migration itself is a one-liner per tap. The cost is owning a list. Every tap your pipeline depends on now has to be enumerated somewhere, reviewed when it changes, and version-

2026-06-23 原文 →
AI 资讯

Meet AppPipe: The Lightweight, On-Premises Alternative to .NET Aspire

Modern cloud-native developer environments are fantastic. Frameworks like .NET Aspire have revolutionized local development by providing a unified developer dashboard, automatic service discovery, and OTLP telemetry collection. But what happens when it's time to deploy your microservice topology on-premises? If your target is IIS on Windows Server or a systemd service on Linux , you've likely realized that deploying the standard .NET Aspire stack on-prem is a complex puzzle. There is no native hosting model for IIS, gRPC telemetry port mapping is fragile, and the dashboard's constant WebSocket connections can consume excessive resources on on-premises virtual machines. Enter AppPipe.Hosting —a lightweight, developer-friendly NuGet package designed specifically to bring the best features of .NET Aspire to your on-premises environments. The Problem: On-Premises Microservice Orchestration is Hard While cloud platforms have native orchestration (like Kubernetes or ECS), traditional Windows and Linux environments still host a massive volume of enterprise applications. When running microservices on IIS or Linux servers, developers face three major friction points: Port Conflicts & Service Discovery : Dynamically assigning ports to multiple microservices in IIS or systemd and injecting them into dependent services is tedious. Telemetry Aggregation : Running an OpenTelemetry Collector just to aggregate traces, logs, and metrics for a small on-prem cluster is heavy and complex to configure. Resource Exhaustion : Standard Blazor Interactive Server dashboards maintain constant WebSockets and high memory usage, which quickly drains limited hosting environments. The Solution: AppPipe AppPipe is a lightweight alternative that integrates a routing gateway, an in-memory telemetry store, and a visual dashboard directly into a single library. graph TD Client(Browser/Client) -->|HTTP| Gateway subgraph User's Application Space Backend1[Backend Microservice A] Backend2[Backend Microserv

2026-06-22 原文 →