GitHub Actions and CI/CD Workflows
GitHub Actions is what happens when CI/CD lives next to the code it is shipping. The pull request, the workflow, the runner, and the deployment environment all share one identity surface and one audit log. That is its real advantage — not the YAML, which is mediocre, but the integration model. The articles in this collection treat Actions as the execution layer for delivery, not as yet another CI to be measured against Jenkins.
A central theme is workflow design that survives growth. A single on: push workflow with twelve inline steps is fine for week one and a liability by month six. Reusable workflows, composite actions, and the discipline of putting actual logic into scripts that the workflow merely calls turn Actions into something a platform team can maintain. The articles cover where that line should sit, when a composite action earns its keep, and where matrix builds quietly become a billing problem.
OIDC federation to Azure gets specific attention because it is the single biggest security upgrade most teams have not yet adopted. Long-lived secrets in repository settings are an audit finding waiting to happen. Federated credentials, scoped to a branch or environment, remove the secret entirely. Articles cover the App Registration setup, the trust subject format that actually matches, and the failure modes when the environment name on the workflow side does not match the federation condition.
Security gates belong inside the workflow rather than next to it. Dependency review, CodeQL, secret scanning, and required-status-check policies are most useful when they fail loudly on the PR rather than on a separate dashboard nobody checks. Articles cover how to wire those gates so they block bad merges without becoming the kind of friction that teams route around with admin overrides.
Expect opinions on caching strategies that actually accelerate rather than just consume storage, self-hosted runners that introduce more operational burden than they save, and the slow-burn cost of workflows that nobody quite understands but everybody is afraid to touch.

Stop Deploying Garbage to Production
I’ve watched “senior engineers” deploy code with failing tests because “we need to ship.” I’ve seen secrets hardcoded in workflows, vulnerabilities ignored with || true, and production deployments without a single approval gate.
Then the same teams act surprised when they get breached. Or fail an audit. Or both.
Security gates aren’t process overhead—they’re the bare minimum that separates professional engineering from reckless gambling with customer data. Here’s exactly how to build GitHub Actions pipelines that actually protect your systems.

Your Incident Response Plan Is a Lie. Here's How to Fix It.

.NET 10 Testing: Microsoft Finally Fixed the Test Runner (Mostly)
Microsoft.Testing.Platform, bringing SDK-integrated testing with faster discovery, consistent behavior across environments, and explicit configuration contracts. But it requires .NET 10, breaks old test adapters, and demands CI pipeline discipline. Here’s what actually changes, who should migrate now, and who should wait.

dependamerge-action
In software development, dependencies are inevitable - any project worth its salt relies on various libraries, frameworks, or packages. However, as I found in my own work, managing these dependencies can be an onerous task. Constant updates, new vulnerabilities, and endless manual approvals were draining my time and focus. What if, I thought, these processes could be automated? This thought led to the creation of dependamerge, a GitHub Action designed to free developers from the drudgery of manual dependency maintenance and let us get back to what we do best: building great software.