Exploring the GitHub Service Universe

All-round carefree Software Development with GitHub Services

Created by Björn Kimminich (@bkimminich)

Uploaded by bjoern-kimminich. Posted on 16-Jul-2015. Category: Technology

TRANSCRIPT


Björn Kimminich

Division Architect & Security Officer @ Kuehne + Nagel (AG & Co.) KG

Lecturer for Software Development @ Nordakademie gAG

Member & Contributor @ Open Web Application Security Project

Master of the (highly recommended) Code School Git Path

Disclaimer

This is not a marketing talk. It is a compilation of personal experience gathered while working on two of my own public repositories. I am neither affiliated with nor paid or otherwise reimbursed by GitHub or any other company behind the products mentioned in this presentation. No product evaluation or comparison study of any kind was conducted prior to choosing the services presented here. Only services that are entirely free for open source projects are presented in this talk.

Agenda

A very brief introduction to GitHub, WebHooks & Service Hooks

Showcase repositories: kata-tcg & juice-shop

15 valuable GitHub Services in practical use

GitHub

Collaborative Git repository hosting service.

http://github.com/

If you've never heard about GitHub before...

You don't trust cloud service providers with your code?

Fact #1: GitHub offers free hosting of public Git repositories!

You are still on Subversion?

Fact #2: Offering a sophisticated web-based graphical interface, GitHub still remains 100% compatible with the git CLI.

Or even CVS?

Fact #3: GitHub supports collaborative development through e.g. forking and pull requests.

Not really... still RCS or SCCS?

Fact #4: GitHub (optionally) adds an issue tracker, wiki and project page to each repository.

Or seriously... no version control system at all?

Fact #5: Repository statistics and social extras like Feeds, Followers & Favorites are part of GitHub.

WebHooks & Service Hooks

Individual & Third Party Service Integration

https://developer.github.com/webhooks

https://github.com/github/github-services

Wait a moment! What are WebHooks?

Simply put: User-defined HTTP callbacks.

More specifically: HTTP POSTs that occur when something happens. So basically a simple event notification via HTTP POST.

WebHooks on GitHub

Subscription to events on GitHub.com. Used to integrate individual applications or tools. Installation on organization or repository level. Types & payloads mirror the Event API.

Service Hooks on GitHub

Service Hooks can only be installed on repositories. Only one Service Hook per integrator. Supported events depend on the service implementation. Services come with their own unique configuration.

Account Level Integration

Close integration with GitHub by demanding repo or account access. Does not require any manual setup by the user on the GitHub page. Configured by the service provider via its own user interface.

Integration Chain

The 3rd party does not integrate directly with GitHub. Instead it integrates with the APIs of other service providers. Very useful in a Continuous Integration context. Example:

What way of Integration should I use?

GitHub recommends WebHooks for all new integrations. If required, use OAuth to manage authorization. The existing github-services repo is not accepting any new services.

Adding a WebHook to a repository

Repository WebHook Event Types

Organization WebHooks send events for all repositories in that organization. New events for repository creation and team membership are also available on organization level.
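Since a WebHook is just an HTTP POST from GitHub to a URL you control, the receiving side is where the practitioner's checks live. The following is an added example, not code from the slides or from the showcase repositories: a minimal receiver that validates GitHub's HMAC signature header before trusting a push payload and then extracts the fields a notifier would forward. It assumes a WebHook secret has been configured on the GitHub form (the signature header and the push-event fields `ref`, `repository.full_name`, `pusher.name` and `commits` are GitHub facts not shown on the slides); the secret and payload below are constructed samples.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed sample data: the secret entered on GitHub's WebHook form and a
# trimmed push-event body in the shape GitHub sends (not a real repository push).
WEBHOOK_SECRET = b"example-secret-not-real"
SAMPLE_PUSH_BODY = json.dumps({
    "ref": "refs/heads/master",
    "repository": {"full_name": "bkimminich/juice-shop"},
    "pusher": {"name": "bkimminich"},
    "commits": [
        {"id": "0000000000000000000000000000000000000001", "message": "constructed commit 1"},
        {"id": "0000000000000000000000000000000000000002", "message": "constructed commit 2"},
    ],
}).encode()


def sign_body(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: HMAC-SHA256 over the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Accept the POST only if the signature matches; constant-time compare avoids timing leaks."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), header_value)


def summarize_push(body: bytes) -> dict:
    """Pull out the few push fields a notifier (tweet, NMA, SNS mail) would need."""
    payload = json.loads(body)
    ref = payload.get("ref", "")
    commits = payload.get("commits", [])
    return {
        "repo": payload["repository"]["full_name"],
        "branch": ref.split("/", 2)[2] if ref.startswith("refs/heads/") else ref,
        "pusher": payload["pusher"]["name"],
        "commit_count": len(commits),
        "head_short": commits[-1]["id"][:7] if commits else None,
    }


def handle_webhook(secret: bytes, headers: Dict[str, str], body: bytes) -> Tuple[int, Optional[dict]]:
    """401 on a missing or wrong signature, 204 for events we ignore, 200 plus summary for push."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return 401, None
    if headers.get("X-GitHub-Event") != "push":
        return 204, None
    return 200, summarize_push(body)
```

Verify against the raw request bytes, not a re-serialized JSON object, because any re-encoding changes the HMAC input.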

Service Hook example: Twitter

WebHooks & Services in Settings menu

Adding Twitter as a Service

The Twitter Service configuration

Authorizing GitHub to send tweets

Setting tweet format and trigger branch

Sending a test payload

The Test Service function triggers the real Service once for the most recent commit!

The published push notification tweet

The Showcase Repositories

Kata TCG

Code Kata for a two-player trading card game loosely based on Hearthstone - Heroes of Warcraft.

https://github.com/bkimminich/kata-tcg

Sample Implementations: Java (JUnit, Hamcrest, Mockito), Groovy (Spock), Javascript (Karma, Jasmine), Clojure (work in progress...)

Polyglot Build

Multi-module Gradle build using language specific plugins to build & test all sample implementations in one execution.

Juice Shop

An intentionally insecure Javascript Web Application

http://bkimminich.github.io/juice-shop/

Technology Stack

Build Setup

15 valuable GitHub Services in practical use in kata-tcg & juice-shop

Notifications

NMA

Platform for delivering push notifications from virtually any application to an Android device.

http://www.notifymyandroid.com/

Install free* NMA Android App

*The number of receivable notifications per day is limited. Unlimited premium account available via in-app purchase.

Generate API Keys for each Notifier

Enter API Key in NMA Service config

For convenience you can use the same API Key for all your GitHub repositories.

Notification on every push to GitHub

Amazon SNS

Simple Notification Service enables applications, end-users, and devices to instantly send and receive notifications from the cloud.

http://aws.amazon.com/sns/

Create global topic in SNS Dashboard

Create Subscriber for SNS Topic

Configure SNS Service in GitHub

For convenience you can use the same SNS Topic for all your GitHub repositories.

Receiving sexy* JSON email on a push

*If you're not so much into JSON I'm sure you'll find a WebHook subscriber that is...

Continuous Integration

Travis-CI

Hosted continuous integration service providing different runtimes for different languages.

https://travis-ci.org/

Last result for each repo & build history

Detailed build log for failure analysis

Build results per pull request

Build results per commit of a PR

Warning about ongoing PR build

Of course there is also a warning when the PR build failed.

Watching the console of the running build

Merging PR with a warm "All is well" feeling

Build configuration via .travis.yml file

Saucelabs

Automated cross-browser and mobile testing in the cloud for CI.

https://saucelabs.com/

List of last test run results for juice-shop

Overview of the last failed test run

Live screencast of ongoing e2e test run

Triggering Saucelabs from Travis CI

The secure tokens are your SAUCE_USERNAME and SAUCE_ACCESS_KEY.

Quality Assurance

Coveralls

Works with continuous integration servers to provide test coverage history and statistics.

https://coveralls.io/

Coveralls repository dashboard

Coverage of latest builds of a repo

Coverage per file for specific build

Drilldown into file coverage

Integration into PR overview screen

Passing test results to Coveralls

Setup NMA email* on any coverage drop

*For each new API key NMA automatically creates an email address [email protected] that can be used for custom notifications.

Coverity

Provides software quality and security testing solutions.

http://www.coverity.com/

Coverity's Analysis Dashboard

Details on a specific issue

Coverity scan setup on a separate branch

Coverity limits the build submission frequency to 1-3 builds/day (and 2-12 builds/week) depending on the project's LOC.

Codeclimate

Automated code review for Ruby, JS, and PHP providing feedback on code quality and test coverage.

https://codeclimate.com/

Quality overview in Codeclimate Feed

Quality metrics and test coverage per file

Code smells identified by Codeclimate

Coverage details show a missed function

Send merged LCOV data to Codeclimate

Automatically open issues for code smells

Refactoring issue created by Codeclimate

Dependency Management

Versioneye

Notification System for Software Libraries showing outdated dependencies in different supported project files.

https://www.versioneye.com/

Versioneye Project Overview

Supported Languages: Java - Ruby - Python - PHP - Node.js - JS - Objective-C - Clojure - CSS - R

Dependency details on project level

Graph with all indirect dependencies

This graph shows all the dependencies brought into the JS implementation of kata-tcg by the used testing libraries!

Gemnasium

Monitoring of project dependencies and alerts for updates and security vulnerabilities.

https://gemnasium.com/

Dependency status overview for all repos

Outdated Jasmine test dependencies

Email with security alert

David-DM

Watching your Node dependencies.

https://david-dm.org/

Automatically discovered Node.js projects

Unfortunately David-DM (v9.0.0) can only discover Node.js projects with a package.json in the repository root folder.

Dependency status with security advisory

A module without security warnings might still contain undiscovered vulnerabilities! On the other hand, proven vulnerabilities of a module might be irrelevant in the context it is used in.

Security vulnerability details

David-DM cooperates with the Node Security Project to determine and link to vulnerabilities.

Continuous Deployment

Heroku

Build and Run Your Apps, Your Way.

https://www.heroku.com/

Heroku instance of Juice Shop

Heroku offers a free small instance per personal application.

Application status dashboard

Heroku supports Ruby, Node.js, Python, Java, and PHP.

Application deployment history

Setting up deployment in .travis.yml

By default only a successful build of the master branch triggers a deployment.

Docker

Open platform for distributed applications for developers and sysadmins.

https://docker.com/

Autobuild Repository on Docker Hub

Activated Docker Service Hook on GitHub

The Dockerfile of Juice Shop

Collaboration

HuBoard

Lightweight Kanban Board offering instant project management for GitHub issues.

https://huboard.com/

Kanban Board based on GitHub issues

Drag & drop for prioritization and process flow

Simple creation and tagging of story cards

Authorizing access to GitHub repos

Let HuBoard setup the GitHub integration

Service Hook generated by HuBoard

Bountysource

Funding platform for open-source software where users can create/collect bounties and pledge to fundraisers.

https://www.bountysource.com/

Overview of issues to place bounties on

Placing a 10$ bounty for a new logo

The new bounty in the Activity feed

Issue augmented with bounty information

Developer starting to work on issue

Developer claims bounty for closed issue

Gitter

Chat. For GitHub.

https://gitter.im/

The official Gitter chatroom of Juice-Shop

Disclaimer: Chatroom might appear more desolated on screenshot than in reality.

Activity sidebar populated via WebHooks

GitHub-side of the Gitter-WebHook

With granted repository access Gitter will setup its WebHook on GitHub automatically.

One final takeaway

If the services you are using offer status badges for your README.md... use them on every occasion... because they are just cool!

Thanks for your attention!

by Björn Kimminich / kimminich.de

These slides are publicly available on GitHub and Slideshare.

Q&A

Credits

reveal.js - The HTML Presentation Framework

js-sequence-diagrams - Turns text into UML sequence diagrams

GitHub Octodex - The official Octocat gallery

Copyright (c) 2015 Björn Kimminich