Ever wondered what’s really happening when Docker runs your containers? It turns out the daemon needs some serious privileges to do its job. I wrote this post to trace the path from the Docker daemon through the Unix socket, image builds, and BuildKit – showing you exactly where root access comes into play and why every step depends on it.

Ever wondered why Docker commands need sudo or docker group membership? The answer is baked into the Linux kernel itself. I wrote this post to peel back the curtain on what a container actually is. You’ll recreate container-style process isolation from scratch using standard command-line tools – building your own namespaces and cgroups by hand to see exactly what’s happening under the hood.

What if your repository could triage issues, investigate CI failures, and update documentation without you? GitHub just launched Agentic Workflows – a new way to automate repository tasks using AI coding agents, all written in plain Markdown. Here’s a look at how they work, what makes the security model interesting if you work with AI, and why you should pay attention.

Your dotfiles repository already personalizes your development environments, but what if it could do more? What if the same configurations that protect your local machine could secure your CI/CD pipelines? By adding a simple composite action to your dotfiles repo, you can apply security settings and configurations to any GitHub runner – without managing tokens or cloning anything yourself. Let me show you how.

When using GitHub custom images, you may need to handle sensitive information at different stages of the image lifecycle. Today, you’ll learn to use workflow commands to mask sensitive data during both image creation and job execution, ensuring secrets stay protected in your build logs.

Sometimes you need to configure the workflow’s runner dynamically before it runs any steps. For example, you may need the runner to get access to a set of secure resources. This post shows how to use OpenID Connect (OIDC) tokens to avoid storing secrets or using long-lived credentials.

You’ve learned about individual secret management techniques, but the real power comes from combining them. In this final post of the series, I’ll show you how to layer multiple approaches to create defense-in-depth security that actually works in practice. Through real-world examples – from GitHub Actions to dev containers – you’ll see how to transform isolated techniques into comprehensive strategies that protect your secrets at every level.

What if you could eliminate static secrets entirely? That’s the promise of modern cloud-native approaches, but they come with their own tradeoffs. In this second post of the series, I’ll take you beyond traditional storage methods to explore federated identities, managed identities, and secret vaults. You’ll learn when each approach makes sense and how to protect yourself from the new attack vectors they introduce.

Every application needs secrets, but keeping them secure while making them available when needed is tricky! In this first post of the series, I’ll walk you through common storage approaches – from simple files to hardware security modules – exploring their strengths, weaknesses, and how to make each one more secure.

GitHub finally let us build custom runner images, and today I’m going to be exploring what that means and how you can use it. I’ll show you how to bake your own images, add pre-job hooks that can setup and validate your environment before your workflow starts, and take advantage of caching to speed up your builds and reduce network egress.