Introduction

You may have noticed something different about your trusted weekly tech digest: I've changed its name! Previously called “Building Async and Cloud Native organizations”, but from this edition forward, the newsletter will be known as "MindByte Weekly Pulse: Your Guide to GitHub, Azure, and .NET".

Why the change, you may ask? As my readership has grown and evolved, so too has my vision. I realized that the new name better reflects the content I'm passionate about delivering to you every week—curated insights into GitHub, Azure, and .NET—while emphasizing the steady, pulse-like rhythm of our weekly dispatches.

This change is more than just cosmetic; it signifies my renewed commitment to serving you as effectively and engagingly as possible. Rest assured, you can still expect the same quality content, delivered to your inbox with the same reliability.

Thank you for being a part of my journey and for your continued support.

Pulse of the week

This week, AI keeps going strong not only with Copilot, which will soon be in all Microsoft products, but also in Azure OpenAI. Creating AI powered solutions will be easier than ever.

GitHub Digest

RepoJacking

GitHub repositories are potentially vulnerable to a threat known as "RepoJacking", which could enable attackers to launch wide-scale supply chain attacks, according to research by AquaSec's security team, 'Nautilus'. Their analysis of 1.25 million GitHub repositories revealed around 2.95% might be susceptible to RepoJacking. If extrapolated to GitHub's entire repository base, this could potentially impact about 9 million projects.

RepoJacking involves a malicious actor registering a username and creating a repository formerly used by an organization that has since changed its name. As a result, projects relying on the dependencies of the attacked project unknowingly fetch dependencies and code from the attacker-controlled repository, which might contain malware. Even though GitHub is aware of this threat and has implemented some defenses, AquaSec warns that these defenses can be easily bypassed and are incomplete.

Cases of potential exploitation were found in repositories managed by Google and Lyft, highlighting the pervasive risk of RepoJacking. The report concludes with a call for project owners to limit the resources they fetch from external repositories and to maintain control of repositories of old brands or acquired entities to prevent dependency hijacking attacks.

GitHub Issues and Project got some nice changes

The latest update introduces several enhancements to make your workflow more efficient and accessible. Copying table cells now maintains rich text formatting like bold, inline code, and links, supporting seamless data transfer across various applications. The browser tab title bar now displays the Issue name, View name, and Project name in sequence.

The API in Projects received an update, allowing you to filter the options array by name when using GraphQL, making the API's response easier to parse.

Tasklists also got a revamp, with better drag and drop discoverability, added separators between items, and improved accessibility. The update also introduces a feature to bulk add tasklist issues to projects with a single click and a quick way to add any issue to your project from the projects side panel. These features are designed to enhance your project management experience on the platform.

Larger hosted runners

The introduction of larger runners brings game-changing upgrades:

Enhanced Linux and Windows machine capacities: With machine sizes supporting up to 64 vCPUs, 256 GB of RAM, and 2 TB of SSD storage, development teams now have significantly more resources at their disposal for on-demand CI/CD jobs and other workflows. Even better, larger runners only charge by the job minute for both private and public repositories, without consuming any included minutes.

Increased security with Static IP addresses: For Enterprise Cloud customers, the option to assign a static IP address range to their larger runner instances is now available. This delivers a constant IP address range that can be added to your allow list, granting secure access to your internal systems. Coupled with GitHub's IP allow list, this simultaneously enables hosted actions runners and IP allow listing.

Controlled access to larger runners: Administrators now have the ability to regulate access to larger machine sizes and manage concurrency. This helps in establishing spending boundaries and ensures efficient use of resources.

Improve your GitHub Copilot skills

When using generative AI coding tools like GitHub Copilot, the way you craft your prompt has a significant impact on the output generated. Specifically, three best practices for prompt crafting with GitHub Copilot include:

1. Setting the stage with a high-level goal when you have a blank file or empty codebase, to provide context to GitHub Copilot about what you want to build or accomplish.

2. Making your ask simple and specific. Break down your problem into discrete steps and let GitHub Copilot generate code after each step, rather than asking it to generate a large chunk of code all at once.

3. Providing GitHub Copilot with examples, as learning from examples is as useful for AI as it is for humans.

Coding Corner

Apply some DevOps to your Infrastructure

That your code can benefit from DevOps is hopefully not new, but what about your infrastructure?

How can you validate (or test) that your Bicep or Terraform is okay? That you are not introducing vulnerabilities into your scripts, or even know what the new cost will be?

What are ETags?

Both the ETag and the Last-Modified headers are very useful if you want to handle optimistic concurrency in your system. The Last-Modified supports, unfortunately only a second precision, so the ETag is an excellent alternative and is supported by, for example, CosmosDB.

Read Peter's blog on ETags and what to expect in the response codes.

OpenAPI

Do you use OpenAPI to publish your API definitions? You likely use a tool to generate the specification from your code, but what if you want to create one from scratch?

This can be useful when you want to mock an endpoint. You do need to think about your data structures:

To trunk or not to trunk

What is your preference; working from branches or directly in the trunk (the main or master branch)?

Although it is so easy to create branches, there is also merit in working directly in the main branch. Trisha tells you about some of the advantages:

Azure Updates & Insights

OpenAI and your own data

Chatting with OpenAI is not that difficult, and you can easily provide some prompts to help it understand more context, but there is a limit. You needed to train and fine tune additional data sources.

With the new preview in Azure OpenAI, you can connect data from any source and use it directly in your conversations. For example; connect it to your internal wiki and HR documents and build a portal for your employees so they can interact and ask questions like they are talking to HR.

.NET Nook

Confused about async?

Regardless if you are going for an interview, the below page discusses some nice async/await issues everybody should be aware of.

Closing Thoughts

As we navigate this exciting new age of software development, I'm eager to hear about your experiences.

If you've enjoyed this newsletter, consider subscribing if you haven't already. That way, you won't miss out on future editions where we delve deeper into the technological advancements shaping our world.

Keep coding, experimenting, and sharing your stories. Looking forward to connecting in the next edition!