Post on 16-Jul-2015
Exploring the GitHub Service Universe
All-round carefreeful Software Development with GitHub Services
Created by Björn Kimminich / @bkimminich
Björn Kimminich
Division Architect & Security Officer @ Kuehne + Nagel (AG & Co.) KG
Lecturer for Software Development @ Nordakademie gAG
Member & Contributor @ Open Web Application Security Project
Master of the Code School Git Path (highly recommended)
Disclaimer
This is not a marketing talk. It is a compilation of personal experience gathered while working on two of my own public repositories. I am neither affiliated with nor paid or otherwise reimbursed by GitHub or any other company behind the products mentioned in this presentation.
No product evaluation or comparison study of any kind was conducted prior to choosing the services presented here.
Only services that are entirely free for open source projects are presented in this talk.
Agenda
A very brief introduction to GitHub, WebHooks & Services Hooks
Showcase repositories kata-tcg & juice-shop
15 valuable GitHub Services in practical use
GitHub
Collaborative Git repository hosting service.
http://github.com/
You don't trust... ...cloud service providers with your code?
Fact #1: GitHub offers free hosting of public Git repositories!
You are still... ...on Subversion?
Fact #2: Offering a sophisticated web-based graphical interface, GitHub still remains 100% compatible with the git CLI.
Or even... ...CVS?
Fact #3: GitHub supports collaborative development through e.g. forking and pull requests.
Not really... ...still RCS or SCCS?
Fact #4: GitHub (optionally) adds an issue tracker, wiki and project page to each repository.
Or seriously... ...no version control system at all?
Fact #5: Repository statistics and social extras like Feeds, Followers & Favorites are part of GitHub.
WebHooks & Service Hooks
Individual & Third Party Service Integration
https://developer.github.com/webhooks
https://github.com/github/github-services
Wait a moment! What are WebHooks?
Simply put: User-defined HTTP callbacks.
More specifically: HTTP POSTs that occur when something happens. So basically a simple event-notification via HTTP POST.
WebHooks on GitHub
Subscription to events on GitHub.com
Used to integrate individual applications or tools
Installation on organization or repository level
Types & payloads mirror the Event API
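
A minimal receiver for the HTTP POST callbacks described above, as an added example that is not part of the original slides. It authenticates each delivery with the HMAC-SHA256 signature GitHub sends in the `X-Hub-Signature-256` header when a secret is configured on the hook, then dispatches on the `X-GitHub-Event` header. The secret, the function names and the sample payload are assumptions constructed for illustration; header names are assumed to arrive in the casing shown.

```python
import hashlib
import hmac
import json

# Hypothetical shared secret, as entered in the WebHook's "Secret" field.
WEBHOOK_SECRET = b"constructed-example-secret"


def sign(secret: bytes, body: bytes) -> str:
    """Compute the value expected in the X-Hub-Signature-256 header."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def handle_delivery(headers: dict, body: bytes, secret: bytes = WEBHOOK_SECRET):
    """Return (http_status, message) for one WebHook POST."""
    received = headers.get("X-Hub-Signature-256", "")
    # Authenticate the raw bytes before parsing; compare in constant time.
    if not hmac.compare_digest(sign(secret, body).encode(), received.encode()):
        return 401, "bad signature"
    event = headers.get("X-GitHub-Event", "")
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, "body is not JSON"
    if event == "ping":  # sent once when the hook is created
        return 200, "pong"
    if event == "push":
        repo = payload.get("repository", {}).get("full_name", "?")
        commits = payload.get("commits", [])
        return 200, f"{repo}: {len(commits)} commit(s) on {payload.get('ref')}"
    return 202, f"ignored event {event!r}"


# Constructed sample delivery (not a captured GitHub payload).
SAMPLE_BODY = json.dumps({
    "ref": "refs/heads/master",
    "repository": {"full_name": "bkimminich/juice-shop"},
    "commits": [{"id": "0" * 40, "message": "constructed commit"}],
}).encode()
SAMPLE_HEADERS = {
    "X-GitHub-Event": "push",
    "X-Hub-Signature-256": sign(WEBHOOK_SECRET, SAMPLE_BODY),
}

if __name__ == "__main__":
    print(handle_delivery(SAMPLE_HEADERS, SAMPLE_BODY))
    forged = dict(SAMPLE_HEADERS, **{"X-Hub-Signature-256": "sha256=" + "0" * 64})
    print(handle_delivery(forged, SAMPLE_BODY))
```

The signature is checked over the raw request body, so the receiver must keep the bytes exactly as received rather than re-serializing parsed JSON.
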
Service Hooks on GitHub
Service Hooks can only be installed on repositories
Only one Service Hook per integrator
Supported events depend on service implementation
Services come with their own unique configuration
Account Level Integration
Close integration with GitHub by demanding repo or account access
Do not require any manual setup by the user on the GitHub page
Configured by the service provider via its own user interface
Integration Chain
3rd party does not integrate directly with GitHub
Instead integration with APIs of other service providers
Very useful in Continuous Integration context. Example:
What way of Integration should I use?
GitHub recommends WebHooks for all new integrations
If required use OAuth to manage authorization
The existing github-service repo is not accepting any new services
Repository WebHook Event Types
Organization WebHooks send events for all repositories in that organization. New events for repository creation and team membership are also available at organization level.
Sending a test payload
The Test Service function triggers the real Service once for the most recent commit!
Kata TCG
Code Kata for a two-player trading card game loosely based on Hearthstone - Heroes of Warcraft
https://github.com/bkimminich/kata-tcg
Sample Implementations
Java (JUnit, Hamcrest, Mockito)
Groovy (Spock)
Javascript (Karma, Jasmine)
Clojure (work in progress...)
Polyglot Build
Multi-module Gradle build using language specific plugins to build & test all sample implementations in one execution.
Juice Shop
An intentionally insecure Javascript Web Application
http://bkimminich.github.io/juice-shop/
15 valuable GitHub Services
in practical use in kata-tcg & juice-shop
NMA
Platform for delivering push notifications from virtually any application to an Android device.
http://www.notifymyandroid.com/
Install free* NMA Android App
*The number of receivable notifications per day is limited. Unlimited premium account available via in-app purchase.
Enter API Key in NMA Service config
For convenience you can use the same API Key for all your GitHub repositories.
Amazon SNS
Simple Notification Service enables applications, end-users, and devices to instantly send and receive notifications from the cloud.
http://aws.amazon.com/sns/
Configure SNS Service in GitHub
For convenience you can use the same SNS Topic for all your GitHub repositories.
Receiving sexy* JSON email on a push
*If you're not so much into JSON I'm sure you'll find a WebHook subscriber that is...
Travis-CI
Hosted continuous integration service providing different runtimes for different languages.
https://travis-ci.org/
Saucelabs
Automated cross-browser and mobile testing in the cloud for CI.
https://saucelabs.com/
Triggering Saucelabs from Travis CI
The secure tokens are your SAUCE_USERNAME and SAUCE_ACCESS_KEY.
Coveralls
Works with continuous integration servers to provide test coverage history and statistics.
https://coveralls.io/
Set up NMA email* on any coverage drop
*For each new API key NMA automatically creates an email address apikey@nmamail.net that can be used for custom notifications.
Notification on a (forged) coverage drop
Coverity
Provides software quality and security testing solutions.
http://www.coverity.com/
Coverity scan setup on a separate branch
Coverity limits the build submission frequency to 1-3 builds/day (and 2-12 builds/week) depending on the project's LOC.
Codeclimate
Automated code review for Ruby, JS, and PHP providing feedback on code quality and test coverage.
https://codeclimate.com/
Versioneye
Notification System for Software Libraries showing outdated dependencies in different supported project files.
https://www.versioneye.com/
Versioneye Project Overview
Supported Languages: Java - Ruby - Python - PHP - Node.js - JS - Objective-C - Clojure - CSS - R
Graph with all indirect dependencies
This graph shows all the dependencies brought into the JS implementation of kata-tcg by the used testing libraries!
Gemnasium
Monitoring of project dependencies and alerts for updates and security vulnerabilities.
https://gemnasium.com/
David-DM
Watching your Node dependencies.
https://david-dm.org/
Automatically discovered Node.js projects
Unfortunately David-DM (v9.0.0) can only discover Node.js projects with a package.json in the repository root folder.
Dependency status with security advisory
A module without security warnings might still contain undiscovered vulnerabilities! On the other hand proven vulnerabilities of a module might be irrelevant in the context it is used in.
Security vulnerability details
David-DM cooperates with Node Security Project to determine and link to vulnerabilities.
Heroku instance of Juice Shop
Heroku offers a free small instance per personal application.
Setting up deployment in .travis.yml
By default only a successful build of the master branch triggers a deployment.
Docker
Open platform for distributed applications for developers and sysadmins.
https://docker.com/
HuBoard
Lightweight Kanban Board offering instant project management for GitHub issues.
https://huboard.com/
Bountysource
Funding platform for open-source software where users can create/collect bounties and pledge to fundraisers.
https://www.bountysource.com/
Picking an issue to place a bounty on
Approved and paid bounty for new logo
The official Gitter chatroom of Juice-Shop
Disclaimer: The chatroom might appear more desolate on the screenshot than in reality.
GitHub-side of the Gitter-WebHook
With granted repository access Gitter will set up its WebHook on GitHub automatically.
One final takeaway
If the services you are using offer status badges for your README.md...
... use them ... ...on every occasion ...
Thanks for your attention!
by Björn Kimminich / kimminich.de
These slides are publicly available on GitHub and Slideshare.
Credits
reveal.js - The HTML Presentation Framework
js-sequence-diagrams - Turns text into UML sequence diagrams
GitHub Octodex - The official Octocat gallery
Copyright (c) 2015 Björn Kimminich