DevSecOps¶

2025-12-27
in DevSecOps, Automation, Kubernetes
4 min read

The Queue That Deleted Itself

Eight workflows queued. Seven deleted themselves before execution. Zero wasted builds.

2025-12-26
in CI/CD, Code Quality, DevSecOps
3 min read

The Regex That Fixed Everything

Codecov components were configured. Five components, clean breakdown by package.

Codecov dashboard: "No report uploaded" for all components.

Coverage uploaded successfully. Components showed zero coverage.

The paths looked correct.

2025-12-25
in CI/CD, GitHub Actions, DevSecOps
3 min read

One Line: `secrets: inherit`

CODECOV_TOKEN worked perfectly in ci.yml.

Called ci.yml from release.yml as a reusable workflow. Codecov failed:

Error: Token required - not valid tokenless upload

Same token. Same workflow. Different result.

2025-12-24
in Kubernetes, Performance, DevSecOps
4 min read

Zero API Calls: The ConfigMap Pattern That Changed Everything

The workflows were slowing down. Not dramatically. Just... gradually. Week by week.

Then the logs started showing warnings: API rate limit approaching threshold.

100+ workflows per day. Each workflow making 2-3 Kubernetes API calls to read ConfigMaps. That's 200-300 API requests per day. Not sustainable.

2025-12-23
in Supply Chain Security, DevSecOps, Release Engineering
3 min read

The File That Wouldn't Verify: When Security Best Practices Contradict

The provenance file generated perfectly. Build completed. Release uploaded.

slsa-verifier failed:

Error: builder identity not recognized

Same workflow that worked last month. Nothing changed.

Except everything changed.

2025-12-22
in Go, DevSecOps, Developer Tools
3 min read

Go's Boring Security Tooling (And Why That's Perfect)

"What security tools do you use?"

I expected: Snyk. Semgrep. Custom vulnerability scanners. Expensive SaaS subscriptions.

The answer: go test -race.

That's it. That's the security tool.

2025-12-21
in Testing, Quality Assurance, DevSecOps
5 min read

The Coverage That Mattered: When 99% Became a Security Signal

The OpenSSF Best Practices Passing badge doesn't mandate a specific coverage percentage.

We set our bar at 95% minimum. Above even Gold (90%). Self-imposed. Strategic.

We started at 0%. We wanted the Passing badge. But we knew something important: it's easier to build high standards into a young project than retrofit them later. When we go for Gold, 95% would already be habit.

2025-12-20
in DevSecOps, Open Source, Supply Chain Security
3 min read

Sixteen Alerts Overnight: When Permissions Look Fine

The workflows had been running for months. Cosign signing. SBOM generation. Release automation.

Everything worked.

Then OpenSSF Scorecard ran: 16 Token-Permissions alerts.

The code scanning tab filled with warnings. All from one workflow file.

2025-12-18
in DevSecOps, Supply Chain Security, Open Source
3 min read

The Score That Wouldn't Move: Stuck at 8/10

The releases were signed. Checksums published. SBOM generated. Every asset had a Cosign signature.

OpenSSF Scorecard: Signed-Releases 8/10.

Not 9. Not 10. Eight. Stuck.

2025-12-17
in DevSecOps, Open Source, Quality Assurance
3 min read

OpenSSF Best Practices Badge in 2 Hours: The Documentation Gap

Six pull requests. Two hours. OpenSSF Best Practices badge earned.

The readability project passed certification on December 13, 2025. But the work didn't start that day. It started months earlier when we built the infrastructure the badge measures.