This week Adam is joined by Abi Noda, founder and CEO of DX to talk about DX AKA DevEx (or the long-form Developer Experience). Since the dawn of software development there has been this push to understand what makes software teams efficient, but more importantly what does it take to understand developer productivity? That’s what Abi has been focused on for the better part of the last 8 years of his career. He started a company called Pull Panda that was acquired by GitHub, spent a few years there on this problem before going out on his own to start DX which helps startups to the fortune 500 companies gather real insights that leads to real improvement.

Darcy Clarke, former GitHub Staff Engineering Manager and founder of vlt, joins us to discuss a major bug in the npm ecosystem that he recently disclosed. We cover the bug’s timeline, nuances, and impact, all while setting some important context on npm packages, clients, and registries. Tune in to learn how to protect your codebase and gain a deeper understanding of this crucial part of the JavaScript ecosystem.

Tyler Cipriani:

GitHub private repos lull us into lazy thinking.

We cram our secrets into git, then shove it off to the most expansive code forge in the history of humanity, and most of the time: everything’s fine.

But GitHub’s ssh host key leak last week demonstrates that private repos are, at best, private-ish.

Jerod & the gang catch you up on what’s new and poppin’ in the web development world. We go deep on GitHub Copilot X and the latest AI advancements, take a bathroom break while Nick talks about TypeScript 5 & continue the debate about the future of React.

Ned Batchelder:

This package provides one command, watch_gha_runs. It takes a GitHub repo URL and a branch name, and displays the status of the latest GitHub Action runs on that branch. If any of the runs are in progress, it will refresh the display each second with the current status.

If you like, the name can be pronounced, “Watching? Ha!”

This week we’re talking to Rachel Potvin, former VP of Engineering at GitHub about what it takes to scale engineering. Rachel says it’s a game-changer when engineering scales beyond 100 people. So we asked to her to share everything she has learned in her career of leading and scaling engineering.

Nikola Đuza lays out a way you can customize your README to stand out from the crowd:

GitHub supports adding HTML in Markdown, but it is pretty aggressive when removing HTML that can be potentially dangerous to users. Things like scripts, iframes, and similar will get removed or “silenced” to avoid malicious content from being served to users.

Luckily, there’s one way to sneak in some HTML (or a web page) inside the README. You can do it via SVG and foreignObject SVG element.

Sometimes all a project needs is the ability to read/write small amounts of JSON data and have it saved in some persistent storage. Imagine a simple data-model which receives infrequent updates and could be represented as JSON object. It doesn’t demand a full-blown database, but it would be neat to have a way to interact with this data and have it persist across sessions.

This is where gist-database comes in handy, by leveraging the power of the gist api you can easily create a key/value data-store for your project.

This is a perfect solution for low write / high read scenarios when serving static site content with Next.js and using Incremental Static Regeneration to keep your cached content fresh.

This week we’re joined by Christina Warren, Senior Developer Advocate at GitHub, and a true tech and pop culture connoisseur. From her days at Mashable covering the intersections of entertainment and technology, to Gizmodo, to Microsoft, and now her current role at GitHub we talk with Christina about her journey from journalist to developer, and the latest happenings coming out of GitHub Universe.

BTW, we’re planning to get Christina on Backstage in the new year to talk about Plex, MakeMKV, and all things that go into hosting your own media server. Drop a commment on this episode with a +1 if you want to see that happen.

Wait-for-secrets GitHub Action waits for the developer to enter secrets during a workflow run. Developers can enter secrets using a web browser and use them in the workflow.

This seems like a good enough solution to yet another battle between security and usability.

Spotify’s annual “Wrapped” campaign is so successful we’re starting to see it copy/pasted to various other social networks. This GitHub version is by a 3rd-party, though, so they have a lot of API limitations to work around. It’s a cool service, but be prepared to see “Incomplete Data. Please refresh later to finish loading.”

Elaine Atwell says all CTOs urgently need to answer the question: should I allow Copilot at my company?

If you haven’t already figured it out from the title, Elaine’s answer to that question is No. But that might not be the right answer for everyone. In this article, she goes over the case for and against Copilot, and how you can detect whether it’s already in use at your organization.

A couple weeks back, Adam logged some news that linked to githubcopilotinvestigation.com. Well, There’s a new website now: githubcopilotlitigation.com

Matthew Butterick:

By train­ing their AI sys­tems on pub­lic GitHub repos­i­to­ries (though based on their pub­lic state­ments, pos­si­bly much more) we con­tend that the defen­dants have vio­lated the legal rights of a vast num­ber of cre­ators who posted code or other work under cer­tain open-source licenses on GitHub. Which licenses? A set of 11 pop­u­lar open-source licenses that all require attri­bu­tion of the author’s name and copy­right, includ­ing the MIT license, the GPL, and the Apache license.

Is GitHub Copilot an AI parasite trained in the realms of fair use on pub­lic code any­where on the inter­net? Or, is it a much needed automation layer to all the reasons we open source in the first place?

When I first wrote about Copi­lot, I said “I’m not wor­ried about its effects on open source.” In the short term, I’m still not wor­ried. But as I reflected on my own jour­ney through open source—nearly 25 years—I real­ized that I was miss­ing the big­ger pic­ture. After all, open source isn’t a fixed group of peo­ple. It’s an ever-grow­ing, ever-chang­ing col­lec­tive intel­li­gence, con­tin­u­ally being renewed by fresh minds. We set new stan­dards and chal­lenges for each other, and thereby raise our expec­ta­tions for what we can accom­plish.

Amidst this grand alchemy, Copi­lot inter­lopes. Its goal is to arro­gate the energy of open-source to itself. We needn’t delve into Microsoft’s very check­ered his­tory with open source to see Copi­lot for what it is: a par­a­site.

The legal­ity of Copi­lot must be tested before the dam­age to open source becomes irrepara­ble. That’s why I’m suit­ing up.

What are your thoughts on this investigation and “poten­tial law­suit” against GitHub Copi­lot?

This nifty little web app lets you tour the history of a file on GitHub. The coolest part about it is that you don’t have to download or install anything! Just change the github.com part of the URL with github.githistory.xyz and you’re in action!

In this episode, we’ll be further exploring PRs. Check out The art of the PR: Part 1 if you haven’t yet. What is it that makes a PR a good PR? How do you consider PRs in an open source repo? How do you vet contributions from people who aren’t a part of the repository? How does giving feedback and encouragement fit in to the PR process? We’ll be debating the details, and trying to help our fellow gophers perfect the art of the PR. We are joined by the awesome Anderson Queiroz, hosted by Natalie Pistunovich & Angelica Hill.

In this episode, we will be exploring PRs. What makes a good PR? How do you give the best PR review? Is there such thing as too small, or big of a PR? We’ll be debating the details, and trying to help our fellow gophers perfect the art of the PR. We are joined by three wonderful guests Jeff Hernandez, Sarah Duncan, and Natasha Dykes. Hosted by Angelica Hill & Natalie Pistunovich.

I logged upptime a couple years ago, but every time it crosses my path I’m so impressed by how stinkin’ clever the setup is that I just had to share it again.

GitHub will archive all projects under the Atom org on December 15, 2022. Why?

Atom has not had significant feature development for the past several years, though we’ve conducted maintenance and security updates during this period to ensure we’re being good stewards of the project and product. As new cloud-based tools have emerged and evolved over the years, Atom community involvement has declined significantly. As a result, we’ve decided to sunset Atom so we can focus on enhancing the developer experience in the cloud with GitHub Codespaces.

Atom was co-founder and long-time CEO Chris Wanstrath’s baby. We first heard its story from project lead Nathan Sobo on The Changelog back in 2017. Here’s what he had to say about the end of Atom’s era:

As Atom’s sun sets, Zed’s sun is rising. We’re not done here.

Connor Sears, founder and CEO of Rewatch, joins Adam to share the journey of creating Rewatch. What began inside of GitHub to help them thrive and connect is now available to every product team on the planet. Rewatch lets teams save, manage, and search all their video content so they can collaborate async and with greater flexibility. We talk about where the tool’s inspiration came from (spoiler alert, inside GitHub it was called GitHub TV which you’ll hear during the show), how teams leverage video to reduce the constraints of communication, how Connor and his co-founder knew they had product-fit and how they grew the team and product, and of course the flip side of that — we talk about some of Connor’s failures along the way, and knowing when it’s the right time to take a big swing.

Mike Hanley on GitHub’s blog:

The software supply chain starts with the developer. Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain…

Today, as part of a platform-wide effort to secure the software ecosystem through improving account security, we’re announcing that GitHub will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.

This is a big step in the right direction and their new(ish) 2FA for GitHub Mobile feature helps make the burden not as cumbersome as it might be otherwise.

A tragic tale, but one worth sharing because we can all learn from their mistake:

Due to an unfortunate sequence of events, I accidentally made the project’s repository private for a moment. And GitHub cascade-deleted our community that took 10 years to build.

Whoops! This reminds me of the time I thought it’d be cute to set JSPartyFM’s Twitter birth date to the day our first episode shipped, which immediately resulted in the account being suspended for being too young.

Sounds like GitHub isn’t up for restoring their stars, so if you were following HTTPie before, you’ll want to head over there and give ’em a re-star.

Install via gh extension install dlvhdr/gh-dash. Customize ~/.config/gh-dash/config.yml.

HUBFS is a file system for GitHub and Git. Git repositories and their contents are represented as regular directories and files and are accessible by any application, without the application having any knowledge that it is really accessing a remote Git repository. The repositories are writable and allow editing files and running build operations.

So if you hubfs mnt (on macOS/Linux), it will set up a file hierarchy inside /mnt that follows this pattern: / owner / repository / ref / path. Cool idea! It is affected by GitHub’s API rate limiting and I’m not sure if/how it syncs (commits) back to the remote repos…

Simey de Klerk recenty dove head-first into our transcripts repo and coded up a super-cool feature that’s been on Jerod’s wishlist for awhile now. So, of course, we invited him Backstage to tell the tale!