今日已更新 80 条资讯 | 累计 20052 条内容
关于我们

标签:#cka

找到 27 篇相关文章

AI 资讯

Dependabot can finally pull from private GitHub Packages without a PAT

The first time I wired Dependabot up to a private package registry, it took three meetings and a calendar reminder set six months ahead. The reminder was for the personal access token I had to mint to do it, the one I would have to rotate by hand before it expired, living in a config that drifted somewhere between repo settings, a .github file, and an internal wiki page nobody had touched in a year. On June 23 GitHub posted a small changelog item that quietly retires that whole ritual: Dependabot can now read your private GitHub Packages and GHCR registries through its own GITHUB_TOKEN , no PAT required. If you have ever had to explain to a security review why your bot account holds a token your team owns but a person minted, you already know why this lands. The PAT we all had and nobody loved Until this week, Dependabot's path to a private GitHub-hosted package was the same path it took years ago. A human minted a personal access token, scoped wide enough to read the registry, stored it as a repo or org secret, and plugged it into Dependabot so the bot could authenticate when it tried to resolve dependencies. That token expired on a human schedule. It belonged to whoever happened to set Dependabot up, which is rarely the person who still owns the repo a year later. You can feel how that ends. Tokens that quietly expire and break a Dependabot PR the day someone needs the patch. Tokens that follow an offboarded engineer out the door. Tokens with scopes wider than the job actually requires, because nobody wanted to mint a fine-grained one per registry path. None of those failures are catastrophic on their own. All of them are the kind of papercut a platform team ends up owning. What the GITHUB_TOKEN does here The new behavior is straightforward. Dependabot's job-scoped GITHUB_TOKEN can now request a packages: read permission. When the bot pulls from a hostname under *.pkg.github.com or ghcr.io , it sends that token instead of asking for a PAT. The same token that alre

2026-06-24 原文 →
AI 资讯

Homebrew 6.0.0 turns third-party taps into an opt-in trust list

Your CI runner is a stranger with a credit card and root. Every brew install against a third-party tap is the same trust gesture as curl | sh , just wearing a nicer shirt. (We have all written that step in a script and clicked merge.) This week Homebrew said the quiet part out loud and asked you to consent to it first. The 6.0.0 release shipped the week before DevOps.com's writeup with a tap-trust gate. Out of the box, only taps on a pre-approved list will install. Anything else gets a refusal until a human runs brew trust user/repo . Trust binds to the remote's fully-qualified URL, so the same tap mirrored to a different host is a fresh decision, not a transitive one. What the gate actually refuses Before 6.0.0, the package manager treated user/repo as a name and walked off to fetch the formula. After 6.0.0, an unrecognised remote URL is a refusal at resolve time. Project Leader Mike McQuaid framed it in the 6.0.0 introductory post: The Homebrew team is aware of the supply-side security issues with other package managers. We've taken various steps to mitigate these risks for our users. (He has a point. The last few years of supply-chain incidents were not theoretical.) Tap-trust is one of those steps. It does not inspect the contents of a tap, scan a formula, or pin a SHA. What it does is force a human, or a script, to make an explicit, auditable statement: this remote URL is one we accept. Where your pipeline will feel it DevOps.com flags the part that matters for this site's audience: CI/CD pipelines using Homebrew will need to add brew trust commands to their setup scripts. Quietly bump the Homebrew action on your runner image and the next build that touches a non-core tap will fail at the install step, well before any test runs. That is a feature, but only if you read the changelog. The migration itself is a one-liner per tap. The cost is owning a list. Every tap your pipeline depends on now has to be enumerated somewhere, reviewed when it changes, and version-

2026-06-23 原文 →
开发者

CKA Exam study 2026 Scenario 1 - The etcd Endpoint Trap

The etcd Endpoint Trap A cluster migration just took your whole control plane offline. In the next few minutes you'll find out why, and fix it the way the CKA exam expects. This is a CKA Troubleshooting walkthrough. Every command below is real output from a live cluster, and you can reproduce the whole thing yourself (scripts at the end). The scenario A single-node kubeadm cluster was migrated to a new machine. The control plane won't come up. Your task: identify the broken component, find the root cause, fix the config, restart, and verify. Single-node kubeadm cluster, freshly migrated Control plane will not start Find the broken component Root-cause it, fix it, verify How the control plane actually starts The kubelet runs the control plane as static pods from /etc/kubernetes/manifests . The kube-apiserver cannot start unless it can reach etcd. Give it the wrong etcd address and the apiserver crashes, so the whole cluster looks dead. The kube-apiserver runs as a static pod : the kubelet reads its manifest from /etc/kubernetes/manifests/ and keeps it running. The apiserver cannot start unless it can reach etcd, so a wrong --etcd-servers endpoint takes the whole API down, and with it, everything you'd normally use to debug. Step 1 — Reproduce the symptom First, reproduce the symptom. kubectl get nodes is refused. A refused connection on the API port means the API server is down: a control-plane problem, not a workload problem. $ kubectl get nodes The connection to the server cka-scenario1-control-plane:6443 was refused - did you specify the right host or port? A refused connection on the API port is a control-plane problem, not a workload problem. Step 2 — Investigate from the node kubectl can't help us now, so drop to the node. The kubelet itself is active. But follow its log and you'll see it stuck in a loop, restarting the apiserver over and over. The kubelet is fine; the static pod it manages is the problem. $ systemctl is-active kubelet active $ journalctl -u ku

2026-06-20 原文 →
AI 资讯

uv 0.11.19 + CPython 3.15, Spring AI 2.0, and the RAG Poisoning Problem

This week's releases split neatly into two categories: useful incremental hardening (uv, GitLab, Copilot) and things that should change how you architect systems today (Spring CVEs, pg_durable, and a Cornell paper that quietly invalidates a lot of RAG assumptions). The Spring security cluster alone is enough to justify a dependency audit before the weekend. uv 0.11.19 adds CPython 3.15 beta support uv now always computes SHA256 checksums for remote distributions—previously this was situational—and adds PyEmscripten platform support per PEP 783, which formalizes Python packaging for browser and WASM targets. CPython 3.15.0b2 is available as a managed runtime, and a cross-platform installation edge case on Windows hosts has been resolved. The SHA256 change is the one worth noting for security posture. Making verification unconditional rather than optional closes a gap where distribution integrity could go unchecked depending on resolver path. The PyEmscripten addition matters if you're packaging Python for browser runtimes—previously you were working around the absence of a formal platform tag; now you're not. Verdict: Ship. Drop-in upgrade, no breaking changes. If you manage Python distributions or target WASM, update now. Everyone else should still update—supply-chain hardening by default is worth the two minutes. GitLab 19.0 adds group-level review instructions, secrets manager GitLab 19.0 ships two meaningful additions for teams: group-level custom review instructions for Duo code review, configured via .gitlab/duo/mr-review-instructions.yaml with cascading inheritance across projects, and a Secrets Manager that exits closed beta for Premium and Ultimate tiers. Group-level review instructions solve a real annoyance—if you've been maintaining per-project AI review configuration across a monorepo organization, you can now centralize that and let projects inherit or override. It's the kind of change that sounds minor until you've had to sync a guideline update across

2026-06-19 原文 →
开发者

Building and Scaling a Platform with Project-as-a-Service

When a platform started with total developer autonomy, teams felt overwhelmed and ended up solving the same problems in completely different ways. The company shifted to enablement over support, working together with teams intensively, and helping teams feel confident and capable, turning the right way into being the easiest way. By Ben Linders

2026-06-11 原文 →
AI 资讯

How I Built an AI Invoice Generator with Groq, AWS DynamoDB, and Vercel v0

I built InvoiceAI an AI powered invoice generator that lets you describe what you want to invoice in plain English and get a fully formatted invoice in seconds, complete with PDF download and a real payment link. Here's how I built it for the #H0Hackathon. The Problem Freelancers and small businesses waste time manually creating invoices. You know what you did, who you did it for, and how much it costs you shouldn't have to fill out a form to capture that. The Stack - Vercel v0 — scaffolded the entire UI in one prompt Next.js 16 — framework Groq (Llama 3.3 70B) — AI natural language to invoice fields AWS DynamoDB — stores every generated invoice Paystack — generates real payment links jsPDF — client-side PDF generation Vercel — deployment How It Works User types: "50 hours of mobile app development at $80/hr for TechLagos Ltd, 7.5% VAT" Groq parses the text and extracts structured invoice data Live preview updates instantly User downloads PDF — invoice is saved to DynamoDB automatically One click generates a real Paystack payment link to send to the client Building the UI with v0 I used Vercel v0 to scaffold the entire UI in one prompt. It generated a production-ready Next.js component with a split-panel layout form on the left, live invoice preview on the right. I just had to wire up the AI and database logic. Connecting AWS DynamoDB Using the AWS SDK v3, I connected DynamoDB directly from Next.js server actions. Every time a user downloads an invoice, it's saved to DynamoDB with the client details, line items, tax rate, and timestamp. This gives the app a real data foundation that scales from day one. await dynamo . send ( new PutCommand ({ TableName : ' invoices ' , Item : { invoiceId : data . invoiceNumber , clientName : data . clientName , clientEmail : data . clientEmail , items : data . items , createdAt : new Date (). toISOString (), }, })) The Result AI generates invoice from plain English in under 2 seconds Real PDF download (no print dialog) Real Paystack

2026-06-09 原文 →