Day 48 of #90DaysOfDevOps — and today I shipped something I'm genuinely proud of. 🚀

The GitHub Actions Capstone. A full production-grade CI/CD pipeline built from scratch — no shortcuts.

Here's what the pipeline does:
🔵 PR opened → runs tests only (no Docker push)
🟢 Merge to main → tests → Docker build & push → deploy to production
⏰ Every 12 hours → automated health check on the live container

5 workflow files working together:
✅ reusable-build-test.yml — pytest on my Flask Task Manager app
✅ reusable-docker.yml — builds & pushes image to Docker Hub
✅ pr-pipeline.yml — test gate on every PR
✅ main-pipeline.yml — full build → push → deploy sequence
✅ health-check.yml — scheduled curl check with GitHub Step Summary

Bugs I had to debug along the way (real learning 👇):
→ Hyphen vs underscore in workflow inputs — GitHub treats them as different names
→ Missing job-level outputs block — reusable workflow outputs were always empty
→ Can't mix uses: and run: in the same job — had to rewrite the deploy job
→ requirements.txt not found — app lives in a subfolder, needed working directory
→ pytest not installed — had to explicitly add it to the install step

Every error was a lesson. Every green checkmark felt earned.

📁 Repo: https://lnkd.in/gWRPFXEH

#90DaysOfDevOps #DevOpsKaJosh #TrainWithShubham #GitHubActions #DevOps #Docker #CICD #Python #Flask
GitHub Actions Capstone: Full CI/CD Pipeline Built from Scratch
More Relevant Posts
-
There is nothing quite like the feeling of pushing code and watching an automated pipeline handle all the work.

I’ve been recently diving into DevOps to strengthen my infrastructure skills. To get hands-on, I just finished wiring up my first end-to-end CI/CD pipeline!

To make it happen, I built a simple Flask app to use it for testing. Then, I configured the GitHub Actions workflow. Now, whenever code is pushed, the pipeline automatically creates a fresh environment and runs my testing suite. If everything goes green ✅, it builds and pushes a fresh Docker image straight to DockerHub.

It was the perfect way to get the fundamentals clear. I am about to start work on a more complex project moving forward.

If anyone wants to start learning CI/CD pipelines, then you should look at this - https://lnkd.in/g7beecJM
You can find the Docker image - https://lnkd.in/ggEGtx9V

Fellow devs: What is your best piece of advice for someone who just started their journey into DevOps?? Let me know below!

#DevOps #SoftwareEngineering #Docker #GitHubActions #CICD #Python #WebDevelopment #learning #student #engineer
-
🎉 I Just Built & Ran My First Docker Image – Here’s What I Learned 🐳

Hey everyone,

After learning the basics of Docker containers in my previous posts, today I took the next big step. I moved from just using other people’s containers to building and running my own — and it feels amazing! As a Full Stack Developer learning DevOps, this was a real milestone for me.

What I Built

I created a simple Python Flask web application and packaged it into my very first custom Docker image. Here’s the flow I followed:
- Created a small Flask app (app.py) that shows a welcome message.
- Added a requirements.txt file.
- Wrote my first Dockerfile (using the 80/20 rule – only the important commands).
- Built the image with: docker build -t python-app-img .
- Ran the container with: docker run -d -p 5000:5000 python-app-img
- Opened http://localhost:5000 in my browser — and it worked! ✅

Real-World Value (Why This Matters)

In real companies, you can’t keep installing dependencies and configuring servers manually on every machine. With one well-written Dockerfile:
- Every developer gets the exact same environment
- No more “It works on my machine” problems
- Faster onboarding for new team members
- Consistent and reliable deployments

This small Python app I built today is exactly the kind of practical exercise that helps you understand how production applications are containerized.

My Key Takeaway

Building your first Docker image is the moment you stop being just a user of technology and start becoming a creator of reliable systems. It’s not complicated once you do it step by step.

If you’re also learning Docker or DevOps, tell me — what was your first Docker project? Or what’s the biggest challenge you’re facing right now? I read and reply to every comment. Let’s grow together! 👇

#Docker #Dockerfile #FirstDockerImage #DevOps #LearningInPublic #DockerBeginner #FullStackDeveloper #TechJourney #SystemEngineering #CloudComputing #80_20Rule
-
CI/CD pipelines play a critical role in today's cloud-native software development cycle. They are the backbone of how developers build, test, and deploy code.

But CI/CD security is often overlooked. Blindly. Usually, due to lack of awareness. Not intentionally. But attackers don't care whether misconfigurations were introduced purposely or not. They simply exploit them.

KONTINUERLIG, a GitHub Actions challenge from Hack.lu 2025 that I participated in, is a perfect example of how that plays out. It chained three distinct attack primitives to extract a secret from a private repository. Each one exploiting a misconfiguration pattern you'd find in a real production pipeline.

Here's how the chain works:

🔗 Stage 1 - Heredoc Injection via pull_request_target
A workflow used pull_request_target + untrusted checkout (classic "pwn request" pattern). By crafting filenames that terminate a bash heredoc prematurely, I injected LD_PRELOAD into the GitHub Actions environment, then leveraged artifact poisoning and Python module shadowing to achieve code execution with pull-requests: write permissions.

🔗 Stage 2 - Docker Build Context Escape
A second workflow ran docker build ./docker/ with contents: write permissions. A single symlink (ln -s . docker) redirected the build context to the repository root, exposing .git/ inside the container. From there, the embedded GITHUB_TOKEN was used to push arbitrary commits directly to the main branch.

🔗 Stage 3 - Secret Exfiltration via Problem Matchers
GitHub Actions redacts secrets in logs - but Problem Matchers execute before the redaction mechanism. By committing a matcher.json to main and using ::add-matcher:: as the commit message (echoed by the workflow), I registered a regex pattern that captured the flag before masking occurred.

None of these primitives are exotic. pull_request_target misuse, overly permissive GITHUB_TOKEN scopes, Docker build context assumptions, and trust in secret redaction as a last line of defense - these show up in production pipelines.

Full writeup on my blog (link in the comments section) 👇

#AppSec #hacklu #CICD #GithubActions #OffensiveSecurity #PenetrationTesting #SecDevOps #CTF
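
A pre-build guard for the Stage 2 condition described in the post above, as an added example that is not part of the original post or the challenge: it refuses a `docker build` context that is a symlink, resolves to or outside the repository root, or contains `.git`. The function name and the temporary repository layout are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

def audit_build_context(repo_root, context):
    """Return findings for a `docker build <context>` run from repo_root."""
    root = Path(repo_root).resolve()
    ctx = Path(repo_root) / context
    findings = []
    if ctx.is_symlink():
        findings.append(f"{context} is a symlink -> {os.readlink(ctx)}")
    real = ctx.resolve()  # where the build context really points
    if real == root:
        findings.append("context resolves to the repository root")
    elif root not in real.parents:
        findings.append(f"context resolves outside the repository: {real}")
    if (real / ".git").exists():
        findings.append("context contains .git (repository metadata)")
    return findings

def demo():
    """Constructed layouts: a real docker/ directory, then a symlink in its place."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / ".git").mkdir()
        (repo / "docker").mkdir()
        (repo / "docker" / "Dockerfile").write_text("FROM scratch\n")
        clean = audit_build_context(repo, "docker")
        # Replace the directory with a symlink to the repository root.
        (repo / "docker" / "Dockerfile").unlink()
        (repo / "docker").rmdir()
        os.symlink(".", repo / "docker")
        swapped = audit_build_context(repo, "docker")
    return clean, swapped

if __name__ == "__main__":
    clean, swapped = demo()
    print("real directory:", clean)
    for finding in swapped:
        print("finding:", finding)
```

Run as a step before the build and fail the job on any finding; setting `persist-credentials: false` on `actions/checkout` additionally keeps the token out of the checked-out repository's git configuration.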
-
At 2:10 AM, a production error fired: an AttributeError in our GitLab webhook handler. A null position field on a non-inline comment.

By 2:13 AM, Bohun had diagnosed it, written a one-line fix with an explanatory comment, and opened a pull request. No one was paged. No one was woken up.

Agent Bohun didn't wrap the call in a try/except and move on. It traced the real root cause: GitLab sends position: null for non-inline comments, and Python's dict.get(key, {}) only falls back when the key is missing, not when the value is explicitly None. Fixed in the minimal, correct place, with a comment so the next engineer would understand why.

What we're building at OurBase is not an autopilot that removes humans from the loop. It's a teammate who does the careful thinking while you sleep, and hands you something worth reviewing in the morning.

Here's to more nights of uninterrupted sleep (and celebratory breakfasts.)
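
The `dict.get` behaviour described in the post above, reproduced as an added example that is not the code from the post: the payload fragments are constructed, the field names other than `position` are assumptions, and the type check is one possible fix that also covers a `position` of the wrong type in an untrusted webhook body.

```python
import json

def comment_location_buggy(note):
    # The {} default is used only when "position" is absent. An explicit
    # JSON null arrives as None, is returned as-is, and .get() then fails.
    position = note.get("position", {})
    return position.get("new_path"), position.get("new_line")

def comment_location(note):
    # Treat anything that is not an object (None, a string, a list) as
    # "no inline position" instead of trusting the sender's shape.
    position = note.get("position")
    if not isinstance(position, dict):
        position = {}
    return position.get("new_path"), position.get("new_line")

# Constructed payload fragments (assumed field names: new_path, new_line).
INLINE = json.loads('{"note": "nit", "position": {"new_path": "app.py", "new_line": 12}}')
GENERAL = json.loads('{"note": "LGTM", "position": null}')
MISSING = json.loads('{"note": "LGTM"}')

if __name__ == "__main__":
    for name, payload in (("inline", INLINE), ("general", GENERAL), ("missing", MISSING)):
        print(name, comment_location(payload))
    try:
        comment_location_buggy(GENERAL)
    except AttributeError as exc:
        print("buggy handler on position: null ->", exc)
```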
-
🚀 From Writing Code → To Automating Everything!

Recently, I worked on my project WealthLens and took a big step forward — I implemented my first CI/CD pipeline using GitLab. At first, I didn’t even understand why CI/CD is important… but while building it, everything started making sense.

Here’s what I learned 👇

🔹 Every push is automatically verified
No more “it works on my machine” — GitLab builds, runs, and tests everything automatically.

🔹 Real errors taught me real lessons
Faced issues like:
- Maven not found
- Wrong environment setup
- Missing configurations
And fixed them step by step.

🔹 Team collaboration became clear
Worked with branches, commits, and Merge Requests — just like real companies.

🔹 Confidence boost 🚀
Now I know how real-world development works: Write → Push → Validate → Merge

💡 Biggest takeaway: CI/CD is not just automation… it’s a safety system for your code.

🔗 Project Link: https://lnkd.in/d6HgAD2C

Tech Stack: Java | Spring Boot | Python (Flask) | GitLab CI/CD | Git

Next step: Deployment 🌐

#CICD #GitLab #JavaDeveloper #SpringBoot #LearningByDoing #FullStackJourney
-
I built a tool that gives git a memory.

Git tells you what changed. It has no idea why. After 6 months on a codebase, you're staring at files like middleware.py and old_auth.py with no idea what feature they belong to, whether anyone still uses them, or if they're safe to delete.

I built gitmind to fix that.

Every time you commit, a post-commit hook runs a local LLM (Ollama — no API costs, your code never leaves your machine) that analyzes the diff and writes structured metadata directly into your repo:
→ What changed
→ Why it likely changed
→ Which feature it belongs to
→ Which files are part of that feature

Six months later you can ask: what's stale? what's safe to remove? when was auth last touched? And get a real answer.

The part I'm most proud of: the tool documented its own development. Every commit I made while building it was analyzed by the LLM and stored in metadata.json. The build log on the docs site was written entirely by the AI — no human wrote a single summary. https://lnkd.in/eusR5TqA

It also ships with a local web dashboard (python3 cli/dashboard.py) — feature health cards, a commit frequency chart, and a staleness report with an interactive threshold slider. No npm, no Node.js, just Python.

Stack: Python · Ollama · qwen2.5-coder:7b · vanilla JS · GitHub Actions for CI + docs

Fully open source. Would love feedback from anyone who's felt the pain of undocumented codebases.

🔗 https://lnkd.in/e92UVU5h

#buildinpublic #opensource #devtools #python #llm #git
-
Spent the last week debugging a production issue that came down to one thing — a poorly written Dockerfile. So here are the Docker best practices I wish someone had told me earlier:

1. Use a specific base image tag, never :latest
latest can silently change between builds. Pin your version — node:20.12-alpine, python:3.12-slim. Your future self will thank you.

2. Order your layers from least to most frequently changed
COPY package.json first → RUN npm install → then copy the rest of your code. This keeps your dependency layer cached and builds stay fast.

3. Run as a non-root user
By default, containers run as root. That's a security risk. Add:
    RUN adduser --disabled-password appuser
    USER appuser

4. Use .dockerignore
Stop shipping node_modules, .git, test files, and .env into your images. A bloated image is a slow image — and a leaky one.

5. Multi-stage builds are a game changer
Build your code in one stage, copy only the final artifact to a clean runtime image. I've seen image sizes go from 1.2GB → 80MB just from this one change.

6. One process per container
Don't run your app + cron + nginx in a single container. Separate concerns. Use docker-compose or orchestration for that.

7. HEALTHCHECK is not optional in prod
    HEALTHCHECK --interval=30s --timeout=5s CMD curl -f http://localhost:8080/health || exit 1
If you're not doing this, your orchestrator doesn't know if your app is actually alive.

• Small improvements in Dockerfiles can save hours in production.

#Docker #DevOps #SoftwareEngineering #Backend #CloudNative
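
Points 1, 3 and 7 of the post above can be checked mechanically in CI. The following is an added example, not code from the post: a minimal Dockerfile check that understands multi-stage builds and judges only the final stage for USER and HEALTHCHECK. The function name and both sample Dockerfiles are constructed, and a non-root user inherited from the base image is not visible to it.

```python
def lint_dockerfile(text):
    """Return (line, message) findings for points 1, 3 and 7 of the post."""
    findings, stages = [], set()
    user, healthcheck, last_from = None, False, 0
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        instr, args = parts[0].upper(), parts[1:]
        if instr == "FROM" and args:
            args = [a for a in args if not a.startswith("--")]  # e.g. --platform
            image = args[0]
            last_from, user, healthcheck = n, None, False  # a new stage starts
            tag = image.rsplit("/", 1)[-1].partition(":")[2]
            pinned = "@sha256:" in image or tag not in ("", "latest")
            if image.lower() not in stages and image != "scratch" and not pinned:
                findings.append((n, f"base image {image} has no fixed version tag"))
            if len(args) >= 3 and args[1].upper() == "AS":
                stages.add(args[2].lower())  # later FROM <alias> is not an image
        elif instr == "USER" and args:
            user = args[0].split(":")[0]
        elif instr == "HEALTHCHECK":
            healthcheck = bool(args) and args[0].upper() != "NONE"
    # Only the final stage becomes the runtime image.
    if user in (None, "root", "0"):
        findings.append((last_from, "final stage runs as root"))
    if not healthcheck:
        findings.append((last_from, "final stage defines no HEALTHCHECK"))
    return findings

# Constructed inputs; the USER and HEALTHCHECK lines are the ones quoted in the post.
BAD = """\
FROM python:latest
COPY . /app
CMD ["python", "/app/app.py"]
"""
GOOD = """\
FROM python:3.12-slim AS builder
COPY requirements.txt .
RUN pip install --prefix=/install -r requirements.txt
FROM python:3.12-slim
COPY --from=builder /install /usr/local
RUN adduser --disabled-password appuser
USER appuser
HEALTHCHECK --interval=30s --timeout=5s CMD curl -f http://localhost:8080/health || exit 1
CMD ["python", "app.py"]
"""

if __name__ == "__main__":
    for name, dockerfile in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, lint_dockerfile(dockerfile))
```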
-
**3 PRs merged into GitHub's spec-kit: here's my open-source journey so far**

Over the past week, I've had 3 pull requests merged into github/spec-kit, an open-source specification framework.

---

🔹 PR #1: Documentation fix (Mar 31)
Found that AGENTS.md was out of sync with the actual agent configuration. Several agents were missing from the docs. Synced everything up so developers aren't confused when onboarding.

---

🔹 PR #2: Community catalog extension (Apr 1)
Added the fix-findings extension to spec-kit's community catalog, making it discoverable and installable for all users.

---

🔹 PR #3: argument-hint frontmatter for Claude Code (Apr 3)
This was the big one. When users typed slash commands like /speckit-plan in Claude Code, there was no hint about what input the command expects. I built a post-processing pipeline that injects argument-hint into YAML frontmatter for all 9 Claude Code skill commands. Now users instantly see prompts like "Describe the feature you want to specify" right inline.

This PR went through:
✅ Multiple rounds of code review with the maintainer
✅ A rebase when upstream merged a major architecture change
✅ 6 targeted tests

The maintainer's feedback genuinely improved the final code.

---

📌 What this journey taught me:
💡 Start small (docs fix), build trust, then take on bigger features
💡 Code review isn't criticism; it's collaboration
💡 Open source rewards consistency and quality over speed

---

🚀 Currently working on PR #4, adding Table of Contents to generated markdown documents.

---

#OpenSource #GitHub #Python #AI #ClaudeCode #SoftwareEngineering #SpecKit #WomenInTech
-
The Git Problem Everyone Knows.

At some point, every project ends up looking like this:
- fix stuff
- update code
- final version
- bug fix
- changes

And somehow… nobody really knows what happened. I used to do this too. It works when you’re alone, but as soon as a project grows, it becomes a real problem. You lose clarity, you lose history, and debugging becomes painful.

That’s when I discovered Conventional Commits. Instead of writing random messages, each commit follows a structure:
- fix(auth): resolve login crash when password is empty
- feat(ui): add loading spinner to login button
- refactor(api): simplify user validation logic

Now, in one line, I know:
- what changed
- where it changed
- why it changed

It seems like a small detail, but it completely changes how you read and understand a project. To make it easier to apply, I also use Commitizen, which guides commit creation and enforces the standard.

Clean history is not a luxury. It’s part of building reliable systems.

To see the full blog post: https://lnkd.in/exgJ4_mP

#KubeCraft #DevOps #Git #BestPractices #DevSecOps
-
Let’s talk about the "It works on my machine" curse. 🖥️🙄

We’ve all been there. You spend hours perfecting your code, push it to staging, and… boom. It crashes because of a missing dependency or a slight version mismatch in the environment.

That’s where Docker changed the game for me. 🐳

If you’re still on the fence about containerization, here’s why it’s a total sanity-saver:
• Consistency is King: Docker packages your code with everything it needs to run. If it works in your container, it’ll work in production. Period.
• No More Dependency Hell: Need Python 3.11 for one project but 3.9 for another? Run them in separate containers and stop messing with your system PATH every twenty minutes.
• Onboarding in Seconds: Instead of a 10-page "How to Set Up Your Dev Environment" PDF, new teammates just run docker-compose up and get to work.

It’s not just a buzzword; it’s about reclaiming your time so you can actually focus on building cool stuff instead of debugging infrastructure.

How has Docker (or containerization in general) changed your workflow? Or are you still a "bare metal" purist? Let’s chat in the comments! 👇

#SoftwareEngineering #Docker #DevOps #CodingLife #WebDevelopment #TechCommunity