Ken Muse
How I Avoided Shai-Hulud's Second Coming (Part 2)
In Part 1, I shared how disabling package scripts and using dev containers saved me from Shai-Hulud. But those were just the first two layers. Here’s where things get interesting – I’ll show you how signed commits can catch unauthorized changes before they happen, and how repository protections created a final safety net. These aren’t theoretical security measures. They’re the same practical defenses I use every single day.

How I Avoided Shai-Hulud's Second Coming (Part 1)
When the Shai-Hulud v2 supply chain attack hit last week, I watched thousands of developers scramble to check their systems. Mine? I was able to mark it as safe. This was because I’d already layered in some straightforward security practices. If you’re wondering how to protect your own development environment from these kinds of attacks, I’ll walk you through the exact configurations and tools I use every day that kept me safe.

Understanding IPv6: From GitHub's IPs to Kubernetes and ARC
IPv6 isn’t just coming – it’s here. If you’re managing a network or communicating with the internet, you need to understand how IPv6 affects your infrastructure and deployments. In this post, I will explore the basics of what IPv6 really means, how it works with the DevOps tools you use every day (such as GitHub, Docker containers, and Kubernetes), and how GitHub Actions Runner Controller’s latest update improves support for IPv6.

The Hidden Danger in Git Ref Names
A creepy real-world branch name showed how a single Git ref can execute code in your Actions workflow and poison releases. See how the trick works, why it succeeded, and the quick fixes that turn a weaponized ref back into harmless text.

The Key to a Secure CI/CD Process
Many companies and teams focus on technical security solutions that lock down development and innovation to avoid risk. To protect their systems, they often end up making it harder for developers to do their jobs (and less secure in the process). What if I told you there was a better way? If you start with people and process first, you can create a secure CI/CD pipeline that balances safety and speed.

Speed Up Git Clones With Local References
Managing a cluster of machines that each need to clone a large repository? Wondering how you can make it faster to clone a Git repo on the other side of the world? In this post, you’ll learn how Git’s reference option can dramatically reduce clone times and bandwidth usage. You’ll also learn how Git handles missing objects when your reference is out of date.

Publishing npm Packages to GitHub Packages With Yarn
Ever tried to publish a JavaScript package to GitHub Packages with Yarn 4 and felt buried in docs that only cover npm or classic Yarn? You end up piecing together modern guidance from half answers. The good news: it’s actually straightforward. Let me walk you through a clean, repeatable setup.

The New DevOps - Why AI Is Not Taking Your Job (Yet)
While AI tools like GitHub Copilot are revolutionizing software development, they’re not replacing developers—they’re amplifying them. Learn why companies that think they can eliminate developers are making a costly mistake, and how the smartest organizations are using AI to make their teams faster and more effective than ever. And learn how you and AI will be working together to create even more value.

Creating a CodeQL Image for ARC With Python 2
Ready to finish crafting your CodeQL Actions runner image? Following up on my previous post, it’s time to add Python 2 support to the Docker image. You’ll add to the multistage build, learn how to preserve symbolic links, and learn a trick for unpacking archives without needing to copy the archive into the image first.

Creating a CodeQL Image for ARC
Have you struggled with running CodeQL analysis on your own runners? You’re not alone. I figured that it was probably time to tackle this challenge to show you how to build the image, a few advanced Docker tricks, and a way to incorporate the scripts that the Actions team uses to build the official hosted runner VM images.