In this post, we’ll continue the exploration of Gitsign by extracting some of the attestation data from a signed commit and using it to check how the code was built. This will help you understand how you can use the attestation data in your workflows.

Worried about securing your source code supply chain for GitOps and other processes? Learn how to implement automated signing in CI/CD pipelines, verify commit authenticity using transparency logs, and leverage GitHub OIDC tokens with Gitsign for keyless commit signing.

Over the last three months, the GitHub team behind Actions Runner Controller (ARC) has released three updates. These included bug fixes, performance improvements, improved configurability, and a new approach to metrics. In this post, I’ll cover some of the highlights of these releases and what they mean for you.

Migrating repositories with LFS can be tricky. This is especially true when the repository is configured to use an LFS endpoint that is separate from the Git repository. Learn how to safely migrate repositories that are using .lfsconfig to manage the storage location.

Historically, there’s been no way to really apply resource requests or limits at the pod level in Kubernetes. Instead, we are forced to apply these configurations at the container level. Thankfully, there is a new feature in Kubernetes that promises to change that.

Kubernetes native sidecars can create more reliable deployments. In this post, we’ll explore how to improve the Docker-in-Docker implementation in GitHub Actions Runner Controller (ARC) using native sidecars.

Submodules can require some additional considerations during a migration. If the submodule repositories have large files that need to be migrated to LFS, the change to the commit IDs can break the submodules. This post explains why the problem happens, how to avoid issues during migration, and how to fix problems when they happen.

Need to ensure that you’re using the right version of a CLI tool in your GitHub Actions? Want to be more resilient to change? GitHub Tools are the answer.

A company’s software and development practices are only as secure as their supply chain. This post will explore how to define a process for properly reviewing the supply chain using a GitHub Action as an example.

In most cases, we write a CI/CD workflow where all of the steps succeed. If a step fails, the job and workflow fails. But what do we do when we need the workflow to handle a failing step or job?