I rely a lot on dependabot to keep my projects up to date; however, there are some things that dependabot doesn’t yet know about. In any project there is a bunch of additional tooling that makes our lives easier, those tools all deserve to be updated to latest and greatest too! We’ve been using updatecli for that and it’s been very useful in managing updates to things that don’t get revisited that often (like pre-commit hook versions via the yaml plugin)

The github terraform provider is ace; I’ve been using it to manage my personal github repos and also my organisation ones (well, the ones I have sufficient rights to manage at least), however, one thing did strike me as I was down the rabbit hole - I can’t easily change the permissions model for workflow actions on an individual basis; I can cascade them from an organisational perspective, but not on an individual repository basis (this is true as of the github terraform provider 5.28.1). That’s something I wanted to do and since terraform is infinitely flexible I was sure that I could do something tricksy with one of the other providers without having to write my own.

GNU Make has been around for an awfully long time, and I’ve recently starting reverting back to it because I’ve been doing a lot of terraform. It’s still incredibly useful even though I’m not actually building anything locally. I hadn’t really thought about make for a long time (since not writing any C in anger), and I’ve forgotten everything that I ever knew about make. It’s a bit like riding a bike though, you’re not better than the next person, but what you are is just quicker at constructing the right search term and understanding the results because you have the memory trigger from a different era.

CodeQL is the successor to LGTM; I was hoping for a seamless transition to CodeQL, but sadly that wasn’t to be. A lot of the things that I had been previously been doing like @SuppressWarnings("lgtm[ignore-this-weak-crypto]") were being ignored, and I’ve been ignoring the security code scanning alerts as well. It’s taken a while, but now I’ve actually embarked on a journey where I am in the process of using it for some additional projects and I wanted to make sure that I have the feature set that I’m used to :- being able to suppress alerts in the code, not in an external tool. This is important because the code will always exist for the lifetime of the product but tools come and go.

I’m running kubernetes at home; it seemed like an amusing thing to do at the time. I have been using helm charts to install the things. As helm charts are updated then the underlying docker images are updated; so as a downstream consumer of the helm charts I just have to worry about whether the helm chart maintainer has lost interest / abandoned the charts. The charts from k8s-at-home have been archived in github which means they are effectively abandoned. Consequently I decided to migrate to terraform to manage my kubernetes infrastructure at least for those charts.

I now have to concern myself with when third-party docker images are updated and published.