Tyler Cipriani:

GitHub private repos lull us into lazy thinking.

We cram our secrets into git, then shove it off to the most expansive code forge in the history of humanity, and most of the time: everything’s fine.

But GitHub’s ssh host key leak last week demonstrates that private repos are, at best, private-ish.

Ned Batchelder:

This package provides one command, watch_gha_runs. It takes a GitHub repo URL and a branch name, and displays the status of the latest GitHub Action runs on that branch. If any of the runs are in progress, it will refresh the display each second with the current status.

If you like, the name can be pronounced, “Watching? Ha!”

Nikola Đuza lays out a way you can customize your README to stand out from the crowd:

GitHub supports adding HTML in Markdown, but it is pretty aggressive when removing HTML that can be potentially dangerous to users. Things like scripts, iframes, and similar will get removed or “silenced” to avoid malicious content from being served to users.

Luckily, there’s one way to sneak in some HTML (or a web page) inside the README. You can do it via SVG and foreignObject SVG element.

Sometimes all a project needs is the ability to read/write small amounts of JSON data and have it saved in some persistent storage. Imagine a simple data-model which receives infrequent updates and could be represented as JSON object. It doesn’t demand a full-blown database, but it would be neat to have a way to interact with this data and have it persist across sessions.

This is where gist-database comes in handy, by leveraging the power of the gist api you can easily create a key/value data-store for your project.

This is a perfect solution for low write / high read scenarios when serving static site content with Next.js and using Incremental Static Regeneration to keep your cached content fresh.

Wait-for-secrets GitHub Action waits for the developer to enter secrets during a workflow run. Developers can enter secrets using a web browser and use them in the workflow.

This seems like a good enough solution to yet another battle between security and usability.

Spotify’s annual “Wrapped” campaign is so successful we’re starting to see it copy/pasted to various other social networks. This GitHub version is by a 3rd-party, though, so they have a lot of API limitations to work around. It’s a cool service, but be prepared to see “Incomplete Data. Please refresh later to finish loading.”

Elaine Atwell says all CTOs urgently need to answer the question: should I allow Copilot at my company?

If you haven’t already figured it out from the title, Elaine’s answer to that question is No. But that might not be the right answer for everyone. In this article, she goes over the case for and against Copilot, and how you can detect whether it’s already in use at your organization.

A couple weeks back, Adam logged some news that linked to githubcopilotinvestigation.com. Well, There’s a new website now: githubcopilotlitigation.com

Matthew Butterick:

By train­ing their AI sys­tems on pub­lic GitHub repos­i­to­ries (though based on their pub­lic state­ments, pos­si­bly much more) we con­tend that the defen­dants have vio­lated the legal rights of a vast num­ber of cre­ators who posted code or other work under cer­tain open-source licenses on GitHub. Which licenses? A set of 11 pop­u­lar open-source licenses that all require attri­bu­tion of the author’s name and copy­right, includ­ing the MIT license, the GPL, and the Apache license.

Is GitHub Copilot an AI parasite trained in the realms of fair use on pub­lic code any­where on the inter­net? Or, is it a much needed automation layer to all the reasons we open source in the first place?

When I first wrote about Copi­lot, I said “I’m not wor­ried about its effects on open source.” In the short term, I’m still not wor­ried. But as I reflected on my own jour­ney through open source—nearly 25 years—I real­ized that I was miss­ing the big­ger pic­ture. After all, open source isn’t a fixed group of peo­ple. It’s an ever-grow­ing, ever-chang­ing col­lec­tive intel­li­gence, con­tin­u­ally being renewed by fresh minds. We set new stan­dards and chal­lenges for each other, and thereby raise our expec­ta­tions for what we can accom­plish.

Amidst this grand alchemy, Copi­lot inter­lopes. Its goal is to arro­gate the energy of open-source to itself. We needn’t delve into Microsoft’s very check­ered his­tory with open source to see Copi­lot for what it is: a par­a­site.

The legal­ity of Copi­lot must be tested before the dam­age to open source becomes irrepara­ble. That’s why I’m suit­ing up.

What are your thoughts on this investigation and “poten­tial law­suit” against GitHub Copi­lot?

This nifty little web app lets you tour the history of a file on GitHub. The coolest part about it is that you don’t have to download or install anything! Just change the github.com part of the URL with github.githistory.xyz and you’re in action!

I logged upptime a couple years ago, but every time it crosses my path I’m so impressed by how stinkin’ clever the setup is that I just had to share it again.

GitHub will archive all projects under the Atom org on December 15, 2022. Why?

Atom has not had significant feature development for the past several years, though we’ve conducted maintenance and security updates during this period to ensure we’re being good stewards of the project and product. As new cloud-based tools have emerged and evolved over the years, Atom community involvement has declined significantly. As a result, we’ve decided to sunset Atom so we can focus on enhancing the developer experience in the cloud with GitHub Codespaces.

Atom was co-founder and long-time CEO Chris Wanstrath’s baby. We first heard its story from project lead Nathan Sobo on The Changelog back in 2017. Here’s what he had to say about the end of Atom’s era:

As Atom’s sun sets, Zed’s sun is rising. We’re not done here.

Mike Hanley on GitHub’s blog:

The software supply chain starts with the developer. Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain…

Today, as part of a platform-wide effort to secure the software ecosystem through improving account security, we’re announcing that GitHub will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.

This is a big step in the right direction and their new(ish) 2FA for GitHub Mobile feature helps make the burden not as cumbersome as it might be otherwise.

A tragic tale, but one worth sharing because we can all learn from their mistake:

Due to an unfortunate sequence of events, I accidentally made the project’s repository private for a moment. And GitHub cascade-deleted our community that took 10 years to build.

Whoops! This reminds me of the time I thought it’d be cute to set JSPartyFM’s Twitter birth date to the day our first episode shipped, which immediately resulted in the account being suspended for being too young.

Sounds like GitHub isn’t up for restoring their stars, so if you were following HTTPie before, you’ll want to head over there and give ’em a re-star.

Install via gh extension install dlvhdr/gh-dash. Customize ~/.config/gh-dash/config.yml.

HUBFS is a file system for GitHub and Git. Git repositories and their contents are represented as regular directories and files and are accessible by any application, without the application having any knowledge that it is really accessing a remote Git repository. The repositories are writable and allow editing files and running build operations.

So if you hubfs mnt (on macOS/Linux), it will set up a file hierarchy inside /mnt that follows this pattern: / owner / repository / ref / path. Cool idea! It is affected by GitHub’s API rate limiting and I’m not sure if/how it syncs (commits) back to the remote repos…

If you’re using GitHub as your version control system of choice then GitHub Apps can be incredibly useful for many tasks including building CI/CD, managing repositories, querying statistical data and much more. In this article we will walk through the process of building such an app in Go including setting up the GitHub integration, authenticating with GitHub, listening to webhooks, querying GitHub API and more.

GitHub’s all new code search is in technology preview (sign up here for early access) and this 5-minute video does a great job of providing a rundown on how it works and why you’ll probably want to try it asap.

What if we could contribute to a project without having to create a pull request? Imagine all we have to do is to create an issue. Yes, you can with GitHub Actions and the new GitHub Issue Forms. Let’s get to it!

I created a GitHub action that auto-formats Changelog’s episode transcripts. Here’s how.

Thomas Dohmke will be CEO of GitHub. He served as GitHub’s Chief Product Officer, and according to his LinkedIn bio — Thomas led the acquisition of GitHub at Microsoft and the acquisitions of Dependabot, Semmle, and npm.

This morning, I shared the following post with Hubbers in response to Nat’s announcement about his next adventure. I am thrilled to take on the role of CEO to build the next phase of GitHub for our global community of software developers.

Exiting as CEO, Nat Friedman shared his thanks in a post titled “Thank you, GitHub”.

This morning, I sent the following post to the GitHub team. TL;DR: I’m moving on to my next adventure, and Thomas Dohmke (currently Chief Product Officer) will be GitHub’s next CEO. I will become Chairman Emeritus, which fulfills my lifelong ambition of having a title in Latin. My heartfelt thanks to every Hubber and every developer who makes GitHub what it is, every day.

The news is in the headline on this one, but here’s a bit more meat from the article:

Using rigorous and detailed scientific analysis, the study concluded that upon testing 1,692 programs generated in 89 different code-completion scenarios, 40 percent were found to be vulnerable.

The FSF is funding white papers on “philosophical and legal questions around Copilot”. In their post announcing the fund, Donald Robertson states:

The Free Software Foundation has received numerous inquiries about our position on these questions. We can see that Copilot’s use of freely licensed software has many implications for an incredibly large portion of the free software community. Developers want to know whether training a neural network on their software can really be considered fair use. Others who may be interested in using Copilot wonder if the code snippets and other elements copied from GitHub-hosted repositories could result in copyright infringement. And even if everything might be legally copacetic, activists wonder if there isn’t something fundamentally unfair about a proprietary software company building a service off their work.

One thing is for sure: there are many open questions that need answering. How we (as a community / industry) go about answering those questions is much less clear. But it’ll probably take place on blogs, forums, GitHub Issues, and even court rooms over the next decade.

One of our awesome Changelog++ members scratched their own itch:

When you upgrade to Changelog++ you’re given access to ad-free versions of episodes however they’re only available in one giant bucket feed instead of through individual show feeds. Though only around 5 new podcast episodes are published weekly, if you’re coming in as a new listener you’ll have a long backlog list with over one thousand shows. It’s easier to sift through older episodes when they’re organized by show, so that’s what this project provides: individual show feeds.

I love grassroots initiatives like this, but it’s motivating me to bring Changelog++ onsite so we can bake the functionality right in to our platform…

Commit groups sounds interesting to me. Anyone reading this familiar with Git innards? Is this doable?

You know the “group” facility of vector graphics programs? You draw a couple of shapes, you group them together, and then you can apply transformations to the entire group at once, operating on it as if it were an atomic thing. But when need arises, you can “ungroup” it and look deeper.

I’d love to see that same idea applied to Git commits. In Git, a commit group might just be a named and annotated range of commits: feature-a might be the same as 5d64b71..3db02d3. Every Git command that currently accepts commit ranges could accept group names. I envision groups to have descriptions, so that git log, git blame, etc could take –grouped or –ungrouped options and act appropriately.