今日已更新 328 条资讯 | 累计 20300 条内容
关于我们

标签:#github

找到 1016 篇相关文章

开源项目

🔥 xbtlin / ai-berkshire - AI 时代的伯克希尔:基于 Claude Code 的价值投资研究框架。巴菲特·芒格·段永平·李录四大师方法论 + 多A

GitHub热门项目 | AI 时代的伯克希尔:基于 Claude Code 的价值投资研究框架。巴菲特·芒格·段永平·李录四大师方法论 + 多Agent并行研究。| AI-era Berkshire: a value investing research framework built on Claude Code. 4 masters' methodologies + multi-agent adversarial analysis. | Stars: 1,563 | 201 stars today | 语言: Python

2026-06-25 原文 →
AI 资讯

GitHub ships a one-click self-revoke for users whose credentials just leaked

You forwarded the phishing email to the security channel about ninety seconds too late. The laptop is already cooperating with someone else. Your personal access token, the one you minted "just for that one script", is on its way to whatever Discord pays for stolen tokens this week. Now what? For users on GitHub Enterprise, what was previously a clickthrough checklist you complete while your hands shake is now one button. On June 24 the GitHub Changelog announced a self-service credential revocation flow under Settings, Credentials. From that view a user can see counts of every credential they have generated or authorized through SSO, then revoke or delete all of them in a single action. Personal access tokens, SSH keys, OAuth tokens, SSO authorizations: gone together. What actually shipped Containment used to be a manual scavenger hunt. PATs sat under Developer Settings. SSH keys lived one tab over. OAuth apps you forgot you authorized two years ago hid behind a different submenu. SSO was its own world. In practice that meant during an incident you forgot something, and the something you forgot was the credential the attacker actually wanted. The new view collapses that surface onto one screen. Counts on one side, a revoke-or-delete-everything action on the other. Whoever wrote it had clearly pictured the 3am screenshot: a user who has just been told to "rotate everything" and has no idea where "everything" lives. GitHub frames this as a complement to an earlier enterprise-owner capability that lets admins with the "Manage enterprise credentials" permission bulk-revoke across one user or many. So there are now two pairs of hands on the kill switch: the user, and the org. (Whichever one notices first.) Why a pipeline owner should care Because users are the trust boundary you keep pretending is somebody else's problem. A leaked PAT in a CI pipeline is rarely a CI bug. It is a human who pasted the token into a script, then a laptop, then a sync folder, then a backup,

2026-06-25 原文 →
AI 资讯

Building a Real-Time World Cup 2026 Bracket Predictor with Vanilla JS and GitHub Actions

Introduction With the World Cup 2026 group stage reaching its climax, football fans worldwide are speculating about who will make it to the finals. To make this experience interactive, I built a fully dynamic World Cup 2026 Bracket Simulator. Instead of just letting users click and choose winners, this app dynamically calculates ELO win probabilities and probabilistically generates realistic match scores (including extra time and penalties) based on team ratings. It also syncs with live match data in real-time. Live URL: https://worldcup-predict2026.github.io/champion/ Tech Stack: Vanilla JS, CSS3 (3D parallax), GitHub Actions, Python, football-data.org API Core Features & Technical Implementation ELO-Based Win Probability & Score Simulation Each team in the database is assigned an ELO-based strength rating. When a user runs the AI auto-prediction, the script calculates win probability and generates a realistic scoreline. Here is the goal roll algorithm (Poisson-like simulation) implemented in Vanilla JS: javascript function generateMatchScore(team1, team2, winner) { if (team1 === "TBD" || team2 === "TBD" || !winner) return null; const s1 = teamStrengths[team1] || 70; const s2 = teamStrengths[team2] || 70; const winnerIsTeam1 = (winner === team1); const strengthDiff = Math.abs(s1 - s2); const baseGoalExpected = 1.1; const bonusGoal = Math.min(1.8, strengthDiff / 12.0); // Goal weight based on ELO difference const rollGoals = (lambda) => { let L = Math.exp(-lambda); let k = 0; let p = 1.0; do { k++; p *= Math.random(); } while (p > L && k < 10); return k - 1; }; let gWin = 0; let gLose = 0; const r = Math.random(); if (r < 0.75) { // Regular time win (90 mins) gLose = rollGoals(baseGoalExpected); gWin = gLose + 1 + rollGoals(0.7 + bonusGoal); return winnerIsTeam1 ? ${gWin} - ${gLose} : ${gLose} - ${gWin} ; } else if (r < 0.92) { // Extra time win (AET) const normalGoals = rollGoals(baseGoalExpected); gLose = normalGoals; gWin = normalGoals + 1; return winnerIsTeam1 ?

2026-06-25 原文 →
AI 资讯

Dependabot can finally pull from private GitHub Packages without a PAT

The first time I wired Dependabot up to a private package registry, it took three meetings and a calendar reminder set six months ahead. The reminder was for the personal access token I had to mint to do it, the one I would have to rotate by hand before it expired, living in a config that drifted somewhere between repo settings, a .github file, and an internal wiki page nobody had touched in a year. On June 23 GitHub posted a small changelog item that quietly retires that whole ritual: Dependabot can now read your private GitHub Packages and GHCR registries through its own GITHUB_TOKEN , no PAT required. If you have ever had to explain to a security review why your bot account holds a token your team owns but a person minted, you already know why this lands. The PAT we all had and nobody loved Until this week, Dependabot's path to a private GitHub-hosted package was the same path it took years ago. A human minted a personal access token, scoped wide enough to read the registry, stored it as a repo or org secret, and plugged it into Dependabot so the bot could authenticate when it tried to resolve dependencies. That token expired on a human schedule. It belonged to whoever happened to set Dependabot up, which is rarely the person who still owns the repo a year later. You can feel how that ends. Tokens that quietly expire and break a Dependabot PR the day someone needs the patch. Tokens that follow an offboarded engineer out the door. Tokens with scopes wider than the job actually requires, because nobody wanted to mint a fine-grained one per registry path. None of those failures are catastrophic on their own. All of them are the kind of papercut a platform team ends up owning. What the GITHUB_TOKEN does here The new behavior is straightforward. Dependabot's job-scoped GITHUB_TOKEN can now request a packages: read permission. When the bot pulls from a hostname under *.pkg.github.com or ghcr.io , it sends that token instead of asking for a PAT. The same token that alre

2026-06-24 原文 →