Aug 16, 2019 newsletter

GitHub Actions now supports automated continuous integration and continuous deployment

GitHub Actions is an API for cause and effect on GitHub, helping developers build robust workflows directly inside their code repositories. Workflows work with any platform, including Linux, Windows, and macOS, and can be run on virtual machines or containers. Actions are simply YAML files and have access to GitHub and public APIs to expand their functionality. GitHub Actions is currently in beta and will be generally available in early November, but users can join the beta today.

Developers can now automate continuous integration and continuous deployment workflows through GitHub Actions, an important step in making the Actions platform more powerful. Developers can trigger builds via Actions on other CI tools, like CircleCI. Actions also has a rich ecosystem of its own, however, with Actions from LaunchDarkly, mabl, Code Climate, and GitKraken.

When you enable Actions, GitHub will recommend Actions workflows that are appropriate for your project. Recommending automations has two important effects. First, recommendations drive greater adoption, which brings more of the development workflow into the GitHub sphere of influence and helps strengthen the GitHub platform. Second, smarter GitHub recommendations solidify GitHub’s reputation as a developer-friendly tool that will help developers write more powerful code.

GitHub Actions are also code, so forking a repository will also fork any related Actions. For developers hoping to extend existing projects or templates, Actions’ seamless integration to the source code makes it easier to build and run new projects, aiding in discovery across the GitHub developer ecosystem. GitHub is already a major catalyst for code sharing and is home to much of the world’s open source software, but adding Actions helps package projects more neatly, so that code and its deployment are bundled into portable, reproducible repositories.

GitHub promises to remain an open platform that will continue to integrate with any existing CI/CD tools, but with millions of developers and tens of millions of repositories, GitHub is likely to quickly become a heavyweight in the development automation space. Actions is a perfect funnel for many of GitHub’s other ambitions; package registries, too, will face greater competition as GitHub Actions makes it easy to publish and consume packages from the new GitHub Package Registry. GitHub is building symbiotic products that strengthen each other, with openness and convenience as the primary adoption accelerators.

Vulnerability scanning expands to containers in the cloud

Google announced the general availability of Cloud Security Scanner for Google Kubernetes Engine (GKE) and Compute Engine. The new scanner will detect vulnerabilities in web applications and provide remediation recommendations that developers can choose to fix before fully deploying their application. Potential vulnerabilities include mixed content using HTTP and HTTPS, JavaScript libraries with known security issues, cross-site scripting attacks, and misconfigured repositories containing source code that may be publicly accessible.

Microsoft Azure has a similar service called Web Vulnerability Scanning for Azure App Service that is powered by Tinfoil Security, a third-party security platform for developers and operations teams. Unlike Azure’s offering, Google Cloud does not use a third party for its security scanning. Both, however, are working to bring smarter security to their respective cloud platforms, reining in one of the more complex segments in the software supply chain.

Security tech stacks are becoming increasingly robust, with dozens of automated tests occurring at each stage of development by different tools that operate at specific phases. Code repository platforms watch hosted code, modular plugins make intelligent code recommendations, and cloud providers analyze deployed applications. Cloud providers, however, offer notoriously complex and patchy security solutions. By expanding vulnerability scanning to its container services, Google is ensuring its security measures are as broadly applicable as possible. Whether using Google’s App Engine or Kubernetes Engine, developers can expect a consistent security filter across cloud products.

While security is becoming increasingly automated for developers, it is also following an increasingly multilayered approach. Any changes to code, dependencies, or deployments are analyzed by services natively integrated into tools developers already use today, with security services often overlapping in functionality. Security checkpoints at each phase of development are fortunately less intrusive as they become more automated but are proliferating rapidly. As the development world shifts to continuous integration and continuous development, expect a rapid rise in continuous security.

China's AI brain drain could have a powerful impact on the future of data-driven development

According to a recent analysis of China’s AI ecosystem by MacroPolo, a think tank focused on China’s economic growth, a significant outflow of AI researchers is threatening to hamper China’s AI ambitions. While the number of Chinese AI researchers has increased tenfold over the last decade, most are heading overseas to other AI superpowers.

Papers accepted to NeurIPS, a prominent AI conference, that were authored by researchers from China increased from roughly 100 to 1,000 between 2009 and 2019. Most of that growth occurred following China’s release of its AI strategy in 2017, as second-tier schools jumpstarted AI specializations and programs en masse.

Roughly three-quarters of the Chinese authors, however, work outside China. Furthermore, 85% of those currently working outside China are employed in the US, usually at tech giants or prominent research universities. The US has benefited greatly from the influx of Chinese researchers, despite political and economic attempts to minimize collaboration.

The strength of any AI ecosystem is typically measured based on four inputs: talent, data, capital, and hardware. Already flush with data, capital, and hardware, the US receives a steady supply of much-needed talent from China.

While software development has spread globally and open source artificial intelligence is becoming more accessible to developers, AI research has become increasingly centralized. Cutting-edge machine learning models largely depend on proprietary services operated by US-based technology giants — Google, Microsoft, and Amazon. With an influx of new AI researchers from abroad, these companies seem likely to maintain a foothold as the preeminent machine learning centers of the developer world, forcing the rest of the cloud ecosystem to gravitate toward them.

Small bytes


  • Divjoy is a sleek React codebase generator [DIVJOY]
  • GitHub Issues - Solved Instantly helps you find solutions in GitHub faster by highlighting the best response [GITHUB ISSUES]
  • StoryTime enables developers to easily simulate debugger-like visuals to tell or read a story about pieces of code [STORYTIME]
  • Minimal stylesheet is a simple CSS file under 1kb [MINIMAL STYLESHEET]
  • TypeLighter.js is the world's lightest yet most powerful JS TypeWriter out there [TYPELIGHTER]
  • Cordless is a powerful Discord terminal client to keep up with the community [CORDLESS]
  • Mc.js is an open source Minecraft clone built with ThreeJS, ReactJS, GraphQL, and NodeJS [GITHUB]
  • Remote-jobs is a list of semi to fully remote-friendly companies in tech [GITHUB]