
Dispatches

Why You Should Pin GitHub Actions to Commit Hashes

If you have used GitHub Actions, you have almost certainly written something like this:

steps:
  - name: Checkout
    uses: actions/checkout@v6
  - name: Setup Go
    uses: actions/setup-go@v6

It works. It is clean. It is also handing the keys to your CI pipeline to a tag pointer that anyone with push access to those repositories can move at any time, for any reason, without your knowledge.

This post covers what is actually happening when you write @v..., why it matters, and how to fix it in a way that is sustainable long-term. No conspiracy theories required: just a clear-eyed look at how Git references work and what a supply chain attack actually looks like in practice.

Automate an Ubuntu Server Daily Build on a VMware Desktop Hypervisor

tenthirtyam/packer-vmware-desktop-ubuntu-daily automates the build of a baseline Ubuntu Server virtual machine on VMware Fusion 13 or later, or VMware Workstation 17 or later, from the latest Ubuntu daily release using Packer and cloud-init.

Run ./ubuntu-daily.sh and the pipeline discovers the current daily ISO, validates the SHA256 checksum, performs a fully unattended installation via cloud-init autoinstall, takes a snapshot, and cleans up. The output is a ready-to-use Ubuntu Server virtual machine, named by build date and architecture, accessible over SSH.

Under That Kind of Sky

The area of South Georgia I came from did not announce itself as haunted. It called itself ordinary. It was made of fence lines, gravel, ditches, heat, livestock, debt, prayer, rust, and long stretches of road that seemed to vanish into weather. Nothing in it asked to be mythologized. Still, looking back, it feels touched by something darker than hardship alone. Not a ghost story exactly, but a place where ruin had a pulse and memory seemed to live in the ground.

Bulk Delete GitHub Actions Workflow Runs

GitHub Actions accumulates workflow run history quickly. After a few months of active development, a busy repository can have thousands of runs: every push, every pull request, every scheduled job. Most of those runs are no longer useful, but the GitHub web interface only lets you delete one run at a time. If you want to clean up a large backlog, you need a different approach.

This post covers a one-liner that bulk-deletes all workflow runs for a repository using the GitHub CLI (gh) and jq.

CODEOWNERS: Automating Code Review Ownership

Most projects have a moment when someone merges a change to a critical file without the right people ever seeing it. Not because anyone meant to skip the review, but because nothing in the workflow made it obvious who should have been asked. A security-sensitive configuration file, a shared library that dozens of services depend on, a public API contract: all of them can drift in the wrong direction when ownership is implied rather than explicit.

A CODEOWNERS file solves that problem. It maps paths and patterns in your repository to the people and teams responsible for reviewing them. When someone opens a pull request or merge request that touches those paths, the platform automatically requests a review from the designated owners. No manual assignment required, no institutional knowledge needed, and no way to merge without the right sign-off if you enforce it with branch protection.

This post covers what a CODEOWNERS file is, how to construct one, and how to use it effectively in your repositories.