With the rise of OIDC, we no longer need to rely on secret keys or passwords to connect two services together. Instead, we can configure a trust relationship between the services and use that to securely request tokens for accessing resources. Adopting this approach can simplify things, but it can be scary for security teams and developers; they want to understand what makes this process work. In this post, walk through what’s happening under the covers.

I like having my SSH commit signing automatically configured. In a previous article, I discussed how you can do this using your dotfiles repository. If you want to add support for reading the SSH keys from 1Password, then there are just a few more things you need to know.

One challenge with the GitHub’s Actions Runner Controller (ARC) is that it does not officially support Windows containers for the runners. With a little bit of work, though, it’s possible to make this configuration work on a hybrid Linux/Windows cluster.

With automation you can simplify many things as a developer. This includes automating the process of configuring commit signing with dotfiles.

Creating a well-organized build or release workflow is both an art and a science. Done properly, the process can be testable and maintainable, able to work on any CI/CD system. Like many things in software, there’s even a pattern that helps!