CI/CD sounds fancy. It's actually just a robot that checks your code before it ships. Let me break it down:

CI = Continuous Integration
Every time you push code → automated tests run → you know instantly if something broke.

CD = Continuous Delivery/Deployment
If tests pass → code automatically deploys to your server. No manual uploads, no FTP nightmares.

A real example from my projects:
1. I push a branch
2. GitHub Actions runs my tests (2 mins)
3. If green → it merges and deploys
4. If red → I fix before it ever touches production

Why does this matter for CS students?
→ Companies use CI/CD everywhere
→ Having it on your GitHub projects signals seniority
→ It saves you from embarrassing bugs in demos or interviews

You can set up a basic GitHub Actions pipeline in under 30 minutes. I'll share mine next week.

Are you using any CI/CD tools in your personal projects right now?

#CICD #DevOps #GitHubActions #CSStudents #SoftwareEngineering
Sameer Ahmed’s Post
-
#100DaysOfDevOps - Day Forty-Six

Today I continued working on the GitHub Actions version of my CI pipeline. The focus was on moving from the workflow skeleton into actual execution, one stage at a time, while testing and troubleshooting along the way.

What I worked on today:
✅ created the .github/workflows/ci.yaml file
✅ pushed it to GitHub and confirmed the workflow was triggered
✅ verified that the checkout stage worked
✅ observed how GitHub Actions provisions a runner automatically
✅ added the backend test stage
✅ set up Python on the runner
✅ installed pip
✅ confirmed the backend test/lint stage ran successfully

After that, I moved into the image build stage and started setting up:
- Docker-related steps
- GitHub secrets for Docker authentication
- environment variables for image names and tags

That part came with multiple errors, including:
- wrong field names
- wrong action version
- invalid Docker tag formatting
- mismatched secret references

And honestly, I’m glad it happened that way. Because one thing this journey keeps reinforcing is: CI/CD is not learned by only watching clean demos. It is learned by writing, testing, failing, correcting, and understanding why the workflow failed.

So even though the image build stage is still being resolved, today still felt like strong progress because the earlier stages are now working, and the workflow is taking shape properly.

Big takeaway: The deeper skill is not avoiding errors, it is learning how to read them and move forward with clarity.

YouTube Video Link: https://lnkd.in/eDVKJz8d

#DevOps #100DaysOfDevOps #GitHubActions #CICD #ContinuousIntegration #Docker #Automation #GitHub #YAML #PlatformEngineering #CloudEngineering #LearningInPublic #TechdotSam
-
There is nothing quite like the feeling of pushing code and watching an automated pipeline handle all the work. I’ve been recently diving into DevOps to strengthen my infrastructure skills. To get hands-on, I just finished wiring up my first end-to-end CI/CD pipeline! To make it happen, I built a simple Flask app to use it for testing. Then, I configured the GitHub Actions workflow. Now, whenever code is pushed, the pipeline automatically creates a fresh environment and runs my testing suite. If everything goes green ✅, it builds and pushes a fresh Docker image straight to DockerHub. It was the perfect way to get the fundamentals clear. I am about to start work on a more complex project moving forward. If anyone wants to start learning CI/CD pipeline then you should look at this - https://lnkd.in/g7beecJM You can find the Docker image - https://lnkd.in/ggEGtx9V Fellow devs: What is your best piece of advice for someone who just started their journey into DevOps?? Let me know below! #DevOps #SoftwareEngineering #Docker #GitHubActions #CICD #Python #WebDevelopment #learning #student #engineer
-
CI/CD pipelines play a critical role in today's cloud-native software development cycle. They are the backbone of how developers build, test, and deploy code. But CI/CD security is often overlooked. Blindly. Usually, due to lack of awareness. Not intentionally. But attackers don't care whether misconfigurations were introduced purposely or not. They simply exploit them.

KONTINUERLIG, a GitHub Actions challenge from Hack.lu 2025 that I participated in, is a perfect example of how that plays out. It chained three distinct attack primitives to extract a secret from a private repository. Each one exploiting a misconfiguration pattern you'd find in a real production pipeline.

Here's how the chain works:

🔗 Stage 1 - Heredoc Injection via pull_request_target
A workflow used pull_request_target + untrusted checkout (classic "pwn request" pattern). By crafting filenames that terminate a bash heredoc prematurely, I injected LD_PRELOAD into the GitHub Actions environment, then leveraged artifact poisoning and Python module shadowing to achieve code execution with pull-requests: write permissions.

🔗 Stage 2 - Docker Build Context Escape
A second workflow ran docker build ./docker/ with contents: write permissions. A single symlink (ln -s . docker) redirected the build context to the repository root, exposing .git/ inside the container. From there, the embedded GITHUB_TOKEN was used to push arbitrary commits directly to the main branch.

🔗 Stage 3 - Secret Exfiltration via Problem Matchers
GitHub Actions redacts secrets in logs - but Problem Matchers execute before the redaction mechanism. By committing a matcher.json to main and using ::add-matcher:: as the commit message (echoed by the workflow), I registered a regex pattern that captured the flag before masking occurred.

None of these primitives are exotic. pull_request_target misuse, overly permissive GITHUB_TOKEN scopes, Docker build context assumptions, and trust in secret redaction as a last line of defense - these show up in production pipelines.

Full writeup on my blog (link in the comments section) 👇

#AppSec #hacklu #CICD #GithubActions #OffensiveSecurity #PenetrationTesting #SecDevOps #CTF
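A defender-side check for two of the misconfigurations named in the post above, added here as an example; it is not code from the post or from the challenge. The function names, the regex heuristics and the sample workflow are assumptions constructed for illustration.

```python
import os
import re

# Heuristic line patterns for this example; a real linter would parse the YAML.
UNTRUSTED_REF = re.compile(
    r"ref:.*github\.(event\.pull_request\.head\.(sha|ref)|head_ref)")
WRITE_SCOPE = re.compile(r"^\s*([\w-]+):\s*write\s*$|^\s*permissions:\s*write-all\s*$")

# Constructed sample workflow showing the pattern, not taken from the challenge.
SAMPLE_WORKFLOW = """\
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""

def audit_workflow(text):
    """Return findings for the trigger and token misconfigurations."""
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("#")]
    findings = []
    prt = any("pull_request_target" in ln for ln in lines)
    if prt and any(UNTRUSTED_REF.search(ln) for ln in lines):
        findings.append("pull_request_target checks out the PR head (pwn request)")
    scopes = [m.group(1) or "write-all" for ln in lines if (m := WRITE_SCOPE.match(ln))]
    if prt and scopes:
        findings.append("write-scoped token on pull_request_target: " + ", ".join(scopes))
    if not any(re.match(r"\s*permissions:", ln) for ln in lines):
        findings.append("no permissions block: GITHUB_TOKEN uses repository defaults")
    return findings

def build_context_is_safe(repo_root, context):
    """True only if the docker build context is a real directory strictly
    inside the repository that does not expose .git to the build."""
    root = os.path.realpath(repo_root)
    path = os.path.join(repo_root, context).rstrip("/")
    real = os.path.realpath(path)
    if os.path.islink(path):
        return False  # e.g. docker -> . redirects the context
    if real == root or not real.startswith(root + os.sep):
        return False
    return not os.path.exists(os.path.join(real, ".git"))

if __name__ == "__main__":
    print(audit_workflow(SAMPLE_WORKFLOW))
```

Running the context check as a step before `docker build` makes a symlinked or root-level build context fail the job instead of reaching the build.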
-
Git diffs tell you what changed, but they don't tell you why. We see the final code but lose the tries and struggle that led there. I've added a feature to tbdflow to capture those tries: the Intent Log. The idea is simple (but ambitious), use `tbdflow +` to drop breadcrumbs as you work. When you change approach, reject an alternative, or figure something out: log it. Later when you commit, the notes get injected into the commit message automatically. The same rules apply for humans and genies alike. Full write-up here: https://lnkd.in/dEKY2ZCs #DevOps #TrunkBasedDevelopment #SoftwareEngineering #tbdflow #tbd
-
Just built a fully automated CI/CD pipeline from scratch - no clicks, no manual deploys. 🚀

Every push to main now:
✅ Runs pytest automatically
✅ Builds a Docker image
✅ Pushes to Docker Hub (tagged with commit SHA for traceability)
✅ Deploys to the cloud via webhook

Broken code never reaches production - the deploy job is gated behind the test job, so if tests fail, nothing ships.

Stack: FastAPI · Docker · GitHub Actions · Docker Hub · Render

The part that surprised me most was how much there is to configure across multiple platforms - GitHub secrets, Docker access tokens, Render webhooks, CORS - before it all clicks into place and just works.

Live Endpoint: https://lnkd.in/egqPR-it
GitHub: https://lnkd.in/eq-bTeKr

#Python #Docker #DevOps #GitHub #GitHubActions #CI #CD #SoftwareEngineering #100DaysOfCode
-
We cut our deployment time from 47 minutes to 9 minutes using GitHub Actions. Here is what actually moved the needle. Not the flashy stuff. The boring stuff.

1. We stopped running the full test suite on every commit. Using pytest -k with changed-file detection, we ran only relevant tests. Saved ~11 minutes immediately.
2. We parallelised Docker layer caching properly. We were using cache, but pulls were still sequential in our workflow. Fixing that shaved off another 6–7 minutes.
3. We removed a manual approval gate that had been sitting in our pipeline since a production incident in 2022. No one on the team of 5 engineers could explain why it still existed.
4. We built a shared base image for our microservices instead of each service installing the same ~350MB of dependencies separately.

The bottleneck in your pipeline is almost never where you think it is. Profile it first. Then fix it.

What is the biggest time sink in your current pipeline?

#CICD #DevOps #PlatformEngineering #GitHubActions #Docker
-
My pipeline encountered a failure before it even began. The code was correct, and the YAML was configured properly, but I overlooked something entirely different. I developed a CI/CD quality gate for LevelUp Bank, which automatically blocks any pull request to the main branch if the README.md or .gitignore files are missing. Each merge generates a structured JSON audit log sent directly to AWS CloudWatch, organized into beta and prod log groups. Unit tests are executed first, ensuring that nothing is logged until the tool itself is verified. However, when I triggered the beta workflow for the first time, it failed immediately due to a single line of error: the beta environment did not exist in the repository settings. It wasn't broken code or a misconfigured secret; it was simply a settings page I had never accessed. After navigating to Settings, then Environments, I created the beta and prod environments and re-ran the workflow, which passed in seconds. This experience taught me an important lesson: the best automation fails without the necessary environment in place. It's crucial to build the code and then verify everything the code requires to function correctly. These are two distinct checklists, and I had only completed one. The full code and setup guide is available on GitHub; the link is in the first comment. What is your best "it was not even the code" moment? Share below. #DevOps #GitHubActions #AWS #CloudWatch #PlatformEngineering #CICD #Python #LearningInPublic #CloudEngineering #SoftwareEngineering #LevelUpInTech #TechCommunity
-
🚀 From Writing Code → To Automating Everything!

Recently, I worked on my project WealthLens and took a big step forward — I implemented my first CI/CD pipeline using GitLab. At first, I didn’t even understand why CI/CD is important… but while building it, everything started making sense.

Here’s what I learned 👇

🔹 Every push is automatically verified
No more “it works on my machine” — GitLab builds, runs, and tests everything automatically.

🔹 Real errors taught me real lessons
Faced issues like:
- Maven not found
- Wrong environment setup
- Missing configurations
And fixed them step by step.

🔹 Team collaboration became clear
Worked with branches, commits, and Merge Requests — just like real companies.

🔹 Confidence boost 🚀
Now I know how real-world development works: Write → Push → Validate → Merge

💡 Biggest takeaway: CI/CD is not just automation… it’s a safety system for your code.

🔗 Project Link: https://lnkd.in/d6HgAD2C

Tech Stack: Java | Spring Boot | Python (Flask) | GitLab CI/CD | Git

Next step: Deployment 🌐

#CICD #GitLab #JavaDeveloper #SpringBoot #LearningByDoing #FullStackJourney
-
Most Docker tutorials stop at docker run. That’s exactly where production problems begin.

I learned this the hard way. A base image CVE sitting in production, not caught by the pipeline, flagged hours later in an audit. The image had been running fine. The vulnerability hadn’t. I just didn’t know.

That experience changed how I think about container delivery. It’s not enough to build an image that works. It needs to be minimal, verified, signed, and scanned, before it ever touches a registry. So I built a reference project that codifies exactly that.

Here’s what I changed after that audit:

Distroless final image. No shell, no package manager, ~4MB. The base image CVE that got us? No longer possible. There’s almost nothing left to exploit.

Trivy scans every image before push. The pipeline fails on HIGH/CRITICAL, not a Slack notification you’ll read tomorrow. Not advisory. A hard stop.

SBOM generated at build time. Image signed with cosign keyless signing. No private key to manage, signature tied to the GitHub Actions OIDC identity. You can prove exactly what was built and who built it.

The CI/CD pipeline does two different things depending on context:

On PRs: source scan, build amd64 locally, scan the loaded image. No registry push. No packages: write on untrusted code.

On main/tags: multi-arch build, push, scan the exact digest (not the tag, tags are mutable), sign.

One deliberate trade-off I documented: Release runs two builds, validation and publish. Slower. But the permission separation is clean, and clean pipelines don’t surprise you at 2am.

Every decision has an ADR. Every operational scenario has a runbook entry. Because the person debugging this might be me.

→ https://lnkd.in/dUMiQCta

If you’re building container delivery pipelines, what does your image scanning gate look like? Before push, after push, or both?

#Docker #DevOps #CICD #PlatformEngineering #Security #Kubernetes
-
I learned something new today!! This diagram helped me understand how modern applications actually move from code → production using tools like Jenkins and Docker.

Here’s the flow in simple terms:
▪️ 1. Pull Code: Jenkins fetches code from GitHub
▪️ 2. Verify: Basic checks to ensure everything is correct
▪️ 3. Build Images: Docker builds application images
▪️ 4. Push to DockerHub: Images are stored in a central registry
▪️ 5. Deploy: Containers are started using Docker Compose
▪️ 6. Cleanup: Unused images are removed to save space

What I realized: CI/CD is not just automation — it’s about making deployments fast, consistent, and reliable. This is where development meets real-world production systems.

If you're learning backend or full stack, understanding pipelines like this is a game changer.

What part of CI/CD do you find most confusing? 🤔

#DevOps #Jenkins #Docker #CICD #BackendDevelopment #FullStack #SoftwareEngineering #CodingJourney