Productivity Weekly (2022-01-26 Issue)

Hello. I'm Hiraki-ba from the Productivity Improvement Team at Cybozu Inc.

Our Productivity Improvement Team holds an internal meeting every Wednesday called "Productivity Weekly," where we share topics related to improving developer productivity discovered during the week.
This article summarizes those topics.

This is the 60th issue. Past articles can be found here.

news 📺

Share GitHub Actions within your enterprise | GitHub Changelog

https://github.blog/changelog/2022-01-21-share-github-actions-within-your-enterprise/

In GitHub Actions, actions placed in internal repositories can now be shared within an Enterprise/Organization[1].

Previously, since they couldn't be shared, you had to place them in public repositories, in each individual repository, or use Reusable workflows.

This change makes it easier to create internal actions, which is great for increasing reusability. An action in an internal repository is referenced the same way as any other (uses: owner/repo@ref), so the usual advice of pinning to a full commit SHA rather than a branch or tag still applies.

GitHub Actions: Reusable workflows can be referenced locally | GitHub Changelog

https://github.blog/changelog/2022-01-25-github-actions-reusable-workflows-can-be-referenced-locally/

Referencing local Reusable workflows in GitHub Actions has become simpler.

Previously, even within a local repository, you had to specify a ref just like when referencing other repositories, which wasn't very user-friendly (especially during development) (Reference).

Now that the ref specification is no longer required, it's easier to develop and use Reusable workflows. I'd like to use them in the right places.

Toggle outlier values - Track CircleCI Updates

https://circleci.com/changelog/#toggle-outlier-values

In CircleCI Insights, you can now exclude data outliers in the "Most Recent Workflow Runs" graph.

Insights is a feature that allows you to analyze metrics such as execution time, success rate, and credit usage for workflows, jobs, and tests. It helps you investigate which workflows or jobs are unstable.


Actual Insights screen

Insights has a feature called "Most Recent Workflow Runs" that displays recent workflow execution times in a bar graph. Now, by allowing the exclusion of outliers in "Most Recent Workflow Runs," the graphs can be made easier to read.

Enabling Hide X detected outliers (X being a number) in the panel will exclude the outliers.


Graph including outliers


Graph excluding outliers

New Insights public APIs - Track CircleCI Updates

https://circleci.com/changelog/#new-insights-public-apis

APIs have been added to CircleCI Insights.

You can retrieve time-series data such as workflow and job execution times, as well as a list of flaky tests. There is also detailed API documentation, so the barrier to usage seems low.

With the addition of APIs to Insights, it becomes possible to monitor for the presence of flaky tests and notify Slack when they are detected, or periodically store job execution times[2] for use in analysis.
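As an added example of the first use case above (not CircleCI's code or the post author's): fetch the flaky-tests report and turn the repeat offenders into a Slack webhook payload. The endpoint path, the Circle-Token header and the hyphenated response keys are what I recall from the API v2 reference and should be checked against the current docs; SAMPLE_REPORT is constructed for the example.

```python
"""Turn a CircleCI Insights flaky-tests report into a Slack notification.

Added example for this post; it is not CircleCI's code or the post author's.
Assumptions (check them against the current CircleCI API v2 reference):
  * GET https://circleci.com/api/v2/insights/{project-slug}/flaky-tests
  * the personal API token is sent in the Circle-Token request header
  * the body looks like {"flaky-tests": [...], "total-flaky-tests": N} with
    hyphenated keys such as "test-name", "job-name" and "times-flaked"
SAMPLE_REPORT below is constructed for the example, not real data.
"""
import json
import urllib.request
from typing import List, Optional

INSIGHTS_API = "https://circleci.com/api/v2/insights"


def fetch_flaky_tests(project_slug: str, token: str) -> dict:
    """Fetch the report (network call; not exercised by the sample below).

    The token goes in a header rather than the query string so it does not
    leak into proxy, CDN or access logs.
    """
    req = urllib.request.Request(
        f"{INSIGHTS_API}/{project_slug}/flaky-tests",
        headers={"Circle-Token": token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample in the assumed response shape.
SAMPLE_REPORT = {
    "total-flaky-tests": 3,
    "flaky-tests": [
        {"test-name": "test_login_redirect", "classname": "tests.auth",
         "job-name": "unit", "workflow-name": "build", "times-flaked": 5,
         "time-wasted": 120, "pipeline-number": 4123},
        {"test-name": "test_upload_large_file", "classname": "tests.storage",
         "job-name": "integration", "workflow-name": "build", "times-flaked": 1,
         "time-wasted": 40, "pipeline-number": 4120},
        {"test-name": "test_cache_eviction", "classname": "tests.cache",
         "job-name": "unit", "workflow-name": "nightly", "times-flaked": 3,
         "time-wasted": 15, "pipeline-number": 4098},
    ],
}


def summarise_flaky_tests(report: dict, min_flakes: int = 2) -> List[dict]:
    """Keep tests that flaked at least min_flakes times, worst first."""
    rows = []
    for t in report.get("flaky-tests", []):
        flakes = int(t.get("times-flaked", 0))
        if flakes < min_flakes:
            continue  # a single flake is noise; only report repeat offenders
        rows.append({
            "test": f'{t.get("classname", "?")}::{t.get("test-name", "?")}',
            "job": t.get("job-name", "?"),
            "workflow": t.get("workflow-name", "?"),
            "flakes": flakes,
            "wasted_s": int(t.get("time-wasted", 0)),
        })
    rows.sort(key=lambda r: (-r["flakes"], -r["wasted_s"], r["test"]))
    return rows


def slack_payload(project_slug: str, rows: List[dict]) -> Optional[dict]:
    """Build a Slack incoming-webhook payload, or None if there is nothing to say."""
    if not rows:
        return None
    lines = [f"*Flaky tests in {project_slug}* ({len(rows)} repeat offenders)"]
    for r in rows:
        lines.append(f"- `{r['test']}` flaked {r['flakes']}x "
                     f"(job {r['job']}, workflow {r['workflow']}, "
                     f"~{r['wasted_s']}s wasted)")
    return {"text": "\n".join(lines)}


if __name__ == "__main__":
    # Real use: report = fetch_flaky_tests("gh/my-org/my-repo", token_from_env)
    rows = summarise_flaky_tests(SAMPLE_REPORT)
    print(json.dumps(slack_payload("gh/my-org/my-repo", rows), indent=2))
```

Run it from a scheduled job, post the payload to a Slack incoming webhook, and keep the token in a CI secret rather than in the script.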

Audit log streaming is generally available | GitHub Changelog

https://github.blog/changelog/2022-01-20-audit-log-streaming-is-generally-available/

The feature to automatically stream GitHub Enterprise audit logs to services like Amazon S3 (Audit log streaming) is now generally available (GA).

Audit log streaming is a feature that debuted as a public beta last September, allowing for the near-real-time transfer of audit logs and Git events[3] to external services. Enterprise administrators can configure this at the enterprise level.

Reference: Audit log streaming is now in public beta | The GitHub Blog

You often want to check logs of permissions or configuration changes when something happens, but since GitHub's Audit log only stores data for 90 days, there was an issue where they might not be available when you wanted to see them. Being able to stream Audit logs to external object storage is great because it allows you to control the retention period yourself.
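Once the events are in your own bucket you can run detection over them instead of searching the UI after the fact. The following is an added example, not GitHub's code or the post author's: it reads a streamed file and flags the permission, visibility and protection changes that are worth paging on. The file layout (JSON array or JSON lines, optionally gzipped) and the field names beyond action/actor/org/repo are assumptions to verify against your own stream; SAMPLE_EVENTS are constructed.

```python
"""Triage GitHub Enterprise audit-log events streamed to object storage.

Added example for this post, not GitHub's code. Assumptions:
  * each streamed file holds JSON events, either one JSON array or one object
    per line, optionally gzip-compressed (check the format of your stream)
  * events carry "action", "actor", "org", "created_at" and, depending on the
    action, "repo", "user", "permission"/"old_permission" and "visibility",
    as in the audit-log export
SAMPLE_EVENTS below are constructed, not real records.
"""
import gzip
import json
from typing import Iterable, List

# Actions worth paging on: permission, visibility and protection changes.
HIGH_RISK_ACTIONS = {
    "org.add_member": "member added to organization",
    "org.remove_member": "member removed from organization",
    "org.update_member": "member role changed",
    "org.disable_two_factor_requirement": "2FA requirement disabled",
    "org.update_default_repository_permission": "default repo permission changed",
    "repo.access": "repository visibility changed",
    "repo.destroy": "repository deleted",
    "repo.transfer": "repository transferred",
    "protected_branch.destroy": "branch protection removed",
    "integration_installation.create": "GitHub App installed",
}

SAMPLE_EVENTS = [
    {"action": "git.push", "actor": "dev-a", "org": "acme", "repo": "acme/api",
     "created_at": 1642665600000},
    {"action": "org.update_member", "actor": "dev-b", "org": "acme",
     "user": "contractor-x", "old_permission": "read", "permission": "admin",
     "created_at": 1642669200000},
    {"action": "repo.access", "actor": "dev-b", "org": "acme",
     "repo": "acme/billing", "visibility": "public", "created_at": 1642672800000},
    {"action": "protected_branch.destroy", "actor": "dev-c", "org": "acme",
     "repo": "acme/api", "created_at": 1642676400000},
    {"action": "integration_installation.create", "actor": "dev-a", "org": "acme",
     "created_at": 1642680000000},
    {"action": "git.clone", "actor": "dev-a", "org": "acme", "repo": "acme/api",
     "created_at": 1642683600000},
]


def parse_events(text: str) -> List[dict]:
    """Accept either a single JSON array or one JSON object per line."""
    stripped = text.lstrip()
    if stripped.startswith("["):
        return json.loads(stripped)
    return [json.loads(line) for line in stripped.splitlines() if line.strip()]


def load_events(path: str) -> List[dict]:
    """Read one streamed file, transparently handling .gz."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8") as fh:
        return parse_events(fh.read())


def severity(event: dict) -> str:
    """Escalate admin grants, exposure to the public and removed controls."""
    action = event.get("action")
    if action == "org.update_member" and event.get("permission") == "admin":
        return "critical"
    if action == "repo.access" and event.get("visibility") == "public":
        return "critical"
    if action in ("org.disable_two_factor_requirement",
                  "protected_branch.destroy", "repo.destroy"):
        return "critical"
    return "high"


def triage(events: Iterable[dict]) -> List[dict]:
    """Return alert rows for high-risk events, critical first (stable order)."""
    alerts = []
    for e in events:
        desc = HIGH_RISK_ACTIONS.get(e.get("action", ""))
        if desc is None:
            continue  # git.clone, git.push and friends: volume, not signal
        alerts.append({
            "severity": severity(e),
            "action": e["action"],
            "summary": desc,
            "actor": e.get("actor", "?"),
            "target": e.get("repo") or e.get("user") or e.get("org", "?"),
            "at": e.get("created_at"),
        })
    order = {"critical": 0, "high": 1}
    alerts.sort(key=lambda a: order[a["severity"]])
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['action']}: {a['summary']} "
              f"by {a['actor']} on {a['target']} at {a['at']}")
```

Tune HIGH_RISK_ACTIONS to the action names that actually appear in your stream; the list above is a starting point, not an exhaustive catalogue.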

Secure your GitHub account with GitHub Mobile 2FA | The GitHub Blog

https://github.blog/2022-01-25-secure-your-github-account-github-mobile-2fa/

GitHub's two-factor authentication can now be performed via GitHub Mobile.

Data shows that setting up 2FA significantly reduces the risk of account takeover. For those who haven't enabled 2FA, it's now possible on mobile, so please enable it right away.

Allow to upload .svg files to Markdown | GitHub Changelog

https://github.blog/changelog/2022-01-21-allow-to-upload-svg-files-to-markdown/

You can now attach (upload) SVG files to Markdown in GitHub Issues, comments, and more. Previously, to display an SVG in an Issue or comment, you had to upload the SVG somewhere beforehand and paste the URL.

This makes it much easier to share SVGs in Issues and comments. It's a nice improvement.

know-how 🎓

Reducing security risk in open source software with GitHub Actions and OpenSSF Scorecards V4 | The GitHub Blog

https://github.blog/2022-01-19-reducing-security-risk-oss-actions-opensff-scorecards-v4/

This article discusses running Scorecards—which scores whether an OSS project is secure against supply chain attacks—using GitHub Actions and visualizing it as Code Scanning alerts.

Scorecards[4] is a project and tool developed by the OpenSSF[5] that allows for an easy assessment of whether a project is secure against supply chain attacks.

The article explains how to display these Scorecards results within GitHub's Code Scanning alerts. Actually, a template is provided in the GitHub Actions Workflow templates, so it's easy to set up (though you need to issue a Personal Access Token).


When I tried it, a massive number of alerts were displayed


Opening the details reveals the steps to take for resolution

The images above show an example of it in use. It's convenient that you can immediately see how to address issues when they are checked via Code Scanning.

While it is intended for OSS, it's a tool worth using even for non-OSS projects to improve security.
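For a non-OSS project you may want a hard gate in CI rather than only alerts. The following is an added example (not part of the scorecard project or its GitHub Action): it reads the JSON that `scorecard --format json` writes and fails the job when selected checks fall below a threshold. The JSON shape (top-level "score" plus a "checks" list with "name", "score" and "reason", where -1 means the check could not be evaluated) is my reading of the output format and should be checked against the scorecard docs; the thresholds and SAMPLE_RESULT are made up.

```python
"""Gate a CI job on OpenSSF Scorecard results.

Added example for this post; not part of the scorecard project or its action.
Assumption: the JSON that `scorecard --format json` writes has a top-level
"score" and a "checks" list whose entries carry "name", "score" (0-10, or -1
when the check could not be evaluated) and "reason". Check names below are
Scorecard's own; the thresholds and SAMPLE_RESULT are made up for the example.
"""
import json
import sys
from typing import Dict

# Minimum acceptable score per check. Supply-chain critical checks are held
# to a higher bar than "nice to have" ones.
THRESHOLDS: Dict[str, int] = {
    "Dangerous-Workflow": 10,
    "Token-Permissions": 9,
    "Pinned-Dependencies": 7,
    "Branch-Protection": 5,
    "Vulnerabilities": 10,
}

SAMPLE_RESULT = {
    "score": 6.2,
    "repo": {"name": "github.com/example-org/example-repo"},
    "checks": [
        {"name": "Dangerous-Workflow", "score": 10,
         "reason": "no dangerous workflow patterns detected"},
        {"name": "Token-Permissions", "score": 0,
         "reason": "non read-only tokens detected in GitHub workflows"},
        {"name": "Pinned-Dependencies", "score": 7,
         "reason": "dependency not pinned by hash detected"},
        {"name": "Branch-Protection", "score": -1,
         "reason": "internal error: token lacks the scope to read branch protection"},
        {"name": "Binary-Artifacts", "score": 10,
         "reason": "no binaries found in the repo"},
    ],
}


def evaluate(result: dict, thresholds: Dict[str, int] = THRESHOLDS) -> dict:
    """Split checks into failures (below threshold), inconclusive (-1) and
    missing (threshold set but check absent from the report)."""
    by_name = {c["name"]: c for c in result.get("checks", [])}
    failures, inconclusive, missing = [], [], []
    for name, minimum in thresholds.items():
        check = by_name.get(name)
        if check is None:
            missing.append(name)
            continue
        score = check.get("score", -1)
        if score < 0:
            inconclusive.append({"name": name, "reason": check.get("reason", "")})
        elif score < minimum:
            failures.append({"name": name, "score": score, "minimum": minimum,
                             "reason": check.get("reason", "")})
    return {"failures": failures, "inconclusive": inconclusive,
            "missing": missing, "overall": result.get("score")}


def should_fail(verdict: dict, strict: bool = False) -> bool:
    """Fail on any below-threshold check. In strict mode an inconclusive or
    missing check also fails, so a broken token cannot silently pass the gate."""
    if verdict["failures"]:
        return True
    return strict and bool(verdict["inconclusive"] or verdict["missing"])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            result = json.load(fh)
    else:
        result = SAMPLE_RESULT
    verdict = evaluate(result)
    for f in verdict["failures"]:
        print(f"FAIL {f['name']}: {f['score']} < {f['minimum']} ({f['reason']})")
    for i in verdict["inconclusive"]:
        print(f"WARN {i['name']}: not evaluated ({i['reason']})")
    for name in verdict["missing"]:
        print(f"WARN {name}: not in report")
    sys.exit(1 if should_fail(verdict) else 0)
```

Start non-strict so an expired token shows up as a warning rather than blocking every merge, then switch to strict once the PAT setup is stable.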

Automatically using a different email address for company repositories in Git - I want to go to space

https://yoshiori.hatenablog.com/entry/2022/01/24/213448

This article explains how to switch Git's user.email based on the directory.

The technique uses the includeIf setting in .gitconfig: when its condition (for example gitdir:~/work/) matches the repository you are in, git reads an additional config file at that point, and any keys set there override the values set earlier in the file. Detailed configuration steps are provided in the article.

I also didn't know about includeIf, so I was managing it by running git config --local user.email <email address> in specific repositories. This seems especially useful in cases where, for example, only organizational email addresses can be used on GitHub Enterprise Server. includeIf looks like it could be used for various convenient purposes beyond just user.email.
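To see the mechanism end to end, here is an added example (not from the linked article) that builds a throwaway HOME with an includeIf rule, creates repositories inside and outside the "work" tree, and asks git which email it would use in each. It needs git on PATH; the directory names and addresses are made up.

```python
"""End-to-end check of per-directory user.email via git includeIf.

Added example; not from the linked article. It builds a throwaway HOME with a
.gitconfig, creates repositories inside and outside the "work" tree and asks
git which email it would use in each. Requires git on PATH. Paths and
addresses are made up for the example.
"""
import os
import subprocess
import tempfile
import textwrap
from pathlib import Path


def git(args, cwd, env) -> str:
    out = subprocess.run(["git", *args], cwd=cwd, env=env, check=True,
                         capture_output=True, text=True)
    return out.stdout.strip()


def resolve_emails() -> dict:
    # resolve() matters: git compares the pattern against the real .git path,
    # so a symlinked temp dir (e.g. /var -> /private/var) would never match.
    home = Path(tempfile.mkdtemp()).resolve()
    work = home / "src" / "work"
    env = {**os.environ, "HOME": str(home), "GIT_CONFIG_NOSYSTEM": "1",
           "XDG_CONFIG_HOME": str(home / "xdg"),
           "GIT_CEILING_DIRECTORIES": str(home.parent)}

    # The trailing "/" on the gitdir pattern means "this directory and
    # everything under it" (git appends "**"); without it only an exact
    # .git path would match.
    (home / ".gitconfig").write_text(textwrap.dedent(f"""\
        [user]
            name = Example Dev
            email = me@example.com
        [includeIf "gitdir:{work}/"]
            path = {home}/.gitconfig-work
    """))
    # Keys in the included file override earlier values (last one wins).
    (home / ".gitconfig-work").write_text("[user]\n    email = me@example.co.jp\n")

    repos = {
        "personal": home / "src" / "personal" / "repo",
        "work": work / "repo",
        "work-nested": work / "team" / "repo",
    }
    results = {}
    for label, path in repos.items():
        path.mkdir(parents=True)
        git(["init", "-q"], path, env)
        results[label] = git(["config", "user.email"], path, env)
    # Outside any repository there is no gitdir, so the condition cannot match
    # and the top-level value is what you get.
    results["outside-repo"] = git(["config", "user.email"], home, env)
    return results


if __name__ == "__main__":
    for label, email in resolve_emails().items():
        print(f"{label:>13}: {email}")
```

The last case is the one that bites people: `git config user.email` run outside a repository never sees the work address, so check the value from inside a checkout rather than from your home directory.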

Automation of Terraform for AWS | Mercari Engineering

https://engineering.mercari.com/blog/entry/20220124-automation-of-terraform-for-aws/

This is a case study of automating AWS account creation at Mercari.

The article explains how AWS accounts are partitioned within Mercari, challenges related to account creation, and the configuration of the CI/CD environment (automation of account creation, audit log collection pipelines, suppression of high-privilege theft risks, and reduction of impact scope).

Rather than just automating, they have implemented a configuration that avoids using access keys and secrets in case credentials are stolen, and they carefully explain why they made those choices. I found this article to be very helpful for both the CI/CD environment configuration and the mindset for reducing risk when managing AWS multi-account operations.

tool 🔨

Trying out the new test framework Vitest with React | DevelopersIO

https://dev.classmethod.jp/articles/intro-vitest/

This article explores Vitest, a new framework that could potentially replace Jest[6]. Vitest is a test framework that runs in the Vite[7] environment. Like Vite, it operates at high speed.

The article explains the setup of the Vite environment, Vitest setup, test execution, and speed comparisons. Since the environment setup is described in detail, you can try it out yourself immediately. Looking at the test code, the usability seems quite similar to Jest. It also compares the speed with Jest in a table, showing just how fast Vitest is.

In fact, the official documentation's "Getting Started" section includes a link to try it online (StackBlitz). When I tried it, I was surprised by its speed. It made me want to try it on a larger codebase.

As mentioned in the article, it is currently under development, so it is best to use it only for trial purposes. It is definitely something to keep an eye on.

https://twitter.com/antfu7/status/1468233216939245579

tfaction - Building a nice Terraform Workflow with GitHub Actions

https://zenn.dev/shunsuke_suzuki/articles/tfaction-introduction

This is an introductory article by the author of tfaction, an action for implementing typical Terraform workflows on GitHub Actions.

suzuki-shunsuke/tfaction is a collection of actions related to Terraform. The article provides an overview, the requirements defined by tfaction, the features (actions) provided by tfaction, a link to the setup method, and examples.

Due to the diverse nature of Terraform use cases, the author explains that it is not applicable to every scenario but rather an action suite for cases that meet the requirements defined by tfaction (which are detailed in the article). However, since it is not a single monolithic action but rather separate actions for different purposes, it seems possible to use only specific parts.

Beyond being feature-rich, I am personally happy that it is designed with monorepos in mind and includes features like failing if a Renovate change causes a plan diff. Although it is still under development, it looks like an action worth using.

koneta 🍘

This is a section for sharing topics from Productivity Weekly that I want to mention but do not have the energy for a full write-up, or topics where there is not much else to say beyond a brief comment.

Afterword

I was distracted by Yu-Gi-Oh Master Duel, so the post ended up being late. I managed to reach Platinum smoothly using Virtual World and Timelords, but as soon as I hit Platinum, the competition became so strong that I took a direct attack. Man, time just melts away—it is not good.

The Productivity Improvement Team at Cybozu conducts activities to improve the development productivity of our internal engineers. If you are interested in the team, click the link below!
https://note.com/cybozu_dev/n/n1c1b44bf72f6

Footnotes
  1. Naturally, even within the same Enterprise/Organization, they cannot be used from public repositories. ↩︎

  2. Since CircleCI Insights data is only stored for 90 days (likely), this seems useful if you want to keep it for a longer period. ↩︎

  3. Changes to Org or Repo settings, permission changes, adding or changing users, admin changes, GitHub App permission changes, Git events (clone, fetch, push), etc. ↩︎

  4. A log from when I tried it before. It was v2 six months ago, but it is v4 now. ↩︎

  5. Abbreviation for Open Source Security Foundation. ↩︎

  6. Maybe. ↩︎

  7. I thought it was pronounced "Bait," but apparently it is a French word pronounced "Veet." I do not know how it is officially pronounced for the tool. https://zenn.dev/sykmhmh/articles/ff09bea2cf7026 ↩︎
