Github from Microsoft JDConf

Presented by: Byron Walker and Trent Jones

General note: I didn’t get much out of this . The font/resolution was too small/blurry for the demo even full screen and I had some “distractions” at my end. I’m sure it was recorded and in theory I can go back and watch it one day. The demo was fine though. I got the idea. Felt kinda commercial like. And was shorter than I expected. Listed as 25 minutes; was 15. And only half was demo. The other half felt like doc reading. Oh well. My notes:

Dependabot

  • Enable in settings: Dependabot alerts
  • Get security alerts on dependencies
  • See in email or in UI
  • Can make pull requeests

Codespaces

  • containerized
  • web based VS Code. Or connect from standalone VS code

GitHub Actions

  • Showed .yaml edited in codespace to create CI
  • Supports running tasks in parallel
  • Many OSS workflows that can reuse

GitHub Packages

  • Showed docker package from repo
  • Supports docker, npm, maven, nuget

github – one of your dependencies has a security vulnerability

Yesterday, I committed a new project to github. I wasn’t paying attention and made a (mental) typo in typing the jackson-databind version number. I typed 2.2.3 instead of 2.10.3. The former is an old version with security vulnerabilities.

This meant I got to try out a new feature I had only read about – github informing you about the security issue in a dependency. Looking at the repo, I saw a nice yellow box – “We found potential security vulnerabilities in your dependencies. Only the owner of this repository can see this message”

GitHub also created a pull request offering to “Bump jackson-databind from 2.2.3 to 2.9.10.3”. I chose not to accept the pull request and choose the later version I intended – 2.10.3.

After pushing that change, the yellow box went away. GitHub even noticed that I updated the pom.xml and closed the pull request with the message “Looks like com.fasterxml.jackson.core:jackson-databind is up-to-date now, so this is no longer needed.”.

I then went into my gmail and deleted the 18 emails with the subject “One of your dependencies has a security vulnerability.” All of these emails arrived within two hours after I committed. That’s way too many notifications!

getting started with gitlab

CodeRanch is talking about moving to Git for our source code. Some of the moderators expressed a preference for GitLab. I’ve used GitHub, but not GitLab so decided to try it out with one of my personal projects. Looking at it, GitLab has built in CI so I want to see if i can switch to that and get off Jenkins for my pet project.

Signing up for GitLab

You can register with a new account for GitLab or use your credentials for other services including Google, Twitter, GitHub and BitBucket. It feels weird to me to sign in for a version control system with the credentials for another version control system so I created a new account.

While signing up, it automatically imported my gravatar. I had an old picture on there so fixed that. I then added some basic information to my GitLab profile

I set up an SSH key to make it easy to commit from my home computer:

  1. Settings
  2. SSH Keys
  3. Paste in key

I also set up two factor:

  1. Settings
  2. Account
  3. The very first option is “Enable two factor authentication”
  4. It uses Google Authenticator which is my first choice of two factor. They also supply backup codes.

Migrating a repository from GitHub

GitLab has a page about migrating from GitHub. The most important pre-requisite is to make sure each committer to the GitHub project has an account on GitLab. Conveniently, I am the only person who has ever committed to this project!

I then migrated in:

  1. Create a personal access token on GitHub just for this migration
  2. Click “Create a project”
  3. Choose “Import a project” tab
  4. Enter personal access token for github and choose “List your repositories”. Note that this lists both your personal repositories and all of these for GitHub organizations you have access to
  5. Click “Import” on the row next to the repository to migrate. (There’s also an “Import all” on top. I’m not looking to migrate all my repositories though!). Nothing appeared to happen for a minute. I must have missed a status warning. But then the page refreshed and had a “done” checkbox.
  6. Delete the personal access token from GitHub. I don’t like to leave extra access laying around enabled

I confirmed the same number of commits (including the latest), branches and tags are all there.

Jenkins integration

I’ve been running this job on Jenkins each night to check for changes. Since this is a public repository, accessing it for polling is easy and worked on the first shot. While I’d like to switch to GitLab CI, I’m going with incremental progress. GitLab has a good page on interacting with Jenkins.

I temporarily made this a private project to re-test. I confirmed that I could commit and that Jenkins failed to pull. Then I tried to set up Jenkins to be able to interact with project.

When using my own account, I can set up a token with read access to all my projects, but not a specific one. I think I’d have to create an extra account on GitLab for Jenkins if I wanted it to have only access to specific projects. Since this is just an experiment, I’ll use my own token for now.

Failing with the GitLab plugin

  1. Installed the GitLab plugin on Jenkins
  2. In GitLab, went to Settings > Access Tokens
  3. Created a token with read_repository permissions
  4. In Jenkins, manage > Configure System
  5. Add a GitLab Connection. I like that it uses Jenkins Credentials for securing the token
  6. Click “Test Connection”
  7. Using https://gitlab.com/boyarsky gives Client error: HTTP 401 Unauthorized
  8. Using https://gitlab.com/ gives Client error: HTTP 403 Forbidden

I noticed that the Jenkins GitLab plugin is not well supported. The primary committer wrote that he doesn’t use GitLab daily anymore and this affects his time spent on this project.

At this point, I gave up and just set up polling. I created a credential with the username boyarsky and the password as my personal access token. (That I set up while attempting to get GitLab working.) This worked on the first shot.

Now time to start looking at GitLab Ci…