GitHub Engineering

GitHub EngineeringJan 8, 2026

Why AI is pushing developers toward typed languages

Why it matters: As AI-generated code becomes more prevalent, type systems provide a critical safety net by catching the high volume of errors (94%) introduced by LLMs. This shift ensures reliability and maintainability in projects where developers no longer write every line of code manually.

AI-generated code increases the volume of unvetted logic, making type-driven safety nets essential for maintaining software reliability.
A 2025 study found that 94% of LLM-generated compilation errors are type-check failures, which static typing can catch automatically.
TypeScript has overtaken Python and JavaScript as the most used language on GitHub, driven by AI-assisted development and framework defaults.
Type systems serve as a shared contract between developers and AI agents to ensure scaffolding and boilerplate conform to project standards.
Growth in typed languages extends beyond TypeScript to include Luau, Typst, and traditional languages like Java, C++, and C#.

#mlp #frontend #culture

Read original

GitHub EngineeringDec 30, 2025

Agentic AI, MCP, and spec-driven development: Top blog posts of 2025

Why it matters: The shift from AI as autocomplete to autonomous agents marks a major evolution in productivity. Understanding agentic workflows, MCP integration, and spec-driven development is essential for engineers to leverage the next generation of AI-native software engineering.

GitHub Copilot introduced Agent Mode, enabling real-time code iteration and autonomous error correction directly within the IDE.
The new Coding Agent automates the full development lifecycle from issue assignment and repository exploration to pull request creation.
Agent HQ provides a unified ecosystem allowing developers to integrate agents from multiple providers like OpenAI and Anthropic into GitHub.
Model Context Protocol (MCP) support and the GitHub MCP Registry simplify how AI agents interact with external tools and data sources.
Spec-driven development emerged as a key methodology, using the Spec Kit to make structured specifications the center of agentic workflows.
The year featured critical industry reflections, including Git's 20th anniversary and security lessons learned from the Log4Shell breach.

#mlp #security #culture

Read original

GitHub EngineeringDec 29, 2025

Bugs that survive the heat of continuous fuzzing

Why it matters: Continuous fuzzing isn't a 'set and forget' solution. Engineers must actively monitor coverage, instrument dependencies, and supplement automated testing with manual audits to catch logic-based vulnerabilities that automated tools often miss.

Continuous fuzzing through OSS-Fuzz is not a silver bullet and requires active human oversight to maintain coverage and create new fuzzers.
Low fuzzer counts and poor code coverage, such as GStreamer's 19%, leave significant portions of codebases vulnerable to undetected bugs.
External dependencies often lack instrumentation, creating blind spots where fuzzers cannot receive feedback or explore deep execution paths.
Standard fuzzing techniques excel at finding memory corruption but frequently miss complex logic bugs, such as sandbox escapes in Ghostscript.
Enrollment in automated security tools can create a false sense of security if developers stop performing manual audits and monitoring build health.

#security

Read original

GitHub EngineeringDec 26, 2025

WRAP up your backlog with GitHub Copilot coding agent

Why it matters: GitHub Copilot coding agents can significantly reduce technical debt and backlog bloat. By applying the WRAP framework, engineers can delegate repetitive tasks to AI, allowing them to focus on high-level architecture and complex problem-solving.

The WRAP framework (Write, Refine, Atomic, Pair) provides a structured approach to using GitHub Copilot coding agents for backlog management.
Effective issue writing requires treating the agent like a new team member by providing context, descriptive titles, and specific code examples.
Custom instructions at the repository and organization levels help standardize code quality and enforce specific patterns across projects.
Large-scale migrations or features should be decomposed into small, atomic tasks to ensure pull requests remain reviewable and accurate.
The human-agent pairing model leverages human strengths in navigating ambiguity and understanding 'why' while the agent handles execution.

#mlp #culture

Read original

GitHub EngineeringDec 23, 2025

Strengthening supply chain security: Preparing for the next malware campaign

Why it matters: Supply chain attacks like Shai-Hulud exploit trust in package managers to automate credential theft and malware propagation. Understanding these evolving tactics and adopting OIDC-based trusted publishing is critical for protecting organizational secrets and downstream users.

The Shai-Hulud campaign evolved from simple credential theft to sophisticated multi-stage attacks targeting CI/CD environments and self-hosted runners.
Attackers utilize malicious post-install scripts to exfiltrate secrets, including npm tokens and cloud credentials, to enable automated self-replication.
The malware employs environment-aware payloads that change behavior when detecting CI contexts to escalate privileges and bypass detection.
npm is introducing 'staged publishing,' which requires MFA-verified approval before packages go live to prevent unauthorized releases.
Security roadmaps include bulk OIDC onboarding and expanded support for CI providers to replace long-lived secrets with short-lived tokens.
Engineers are advised to use the --ignore-scripts flag during installation and adopt phishing-resistant MFA to mitigate credential-adjacent compromises.

#security #dist

Read original

GitHub EngineeringDec 23, 2025

5 podcast episodes to help you build with confidence in 2026

Why it matters: These insights help engineers navigate the 2026 landscape by focusing on AI standards, sustainable open-source practices, and privacy-centric design. Understanding these trends is crucial for building resilient, future-proof software in an era of rapid technological shifts.

The Model Context Protocol (MCP) provides an open standard for AI systems to interact with tools consistently, improving interoperability and trust.
Modern AI and open-source tools have lowered the barrier for DIY development, enabling engineers to build purpose-built personal tools with less overhead.
Open source sustainability requires more than just funding; it depends on community health, communication, and institutional support like the Sovereign Tech Fund.
Data from the 2025 Octoverse report highlights the dominance of TypeScript and the rapid adoption of AI-assisted workflows across millions of developers.
The Home Assistant project demonstrates the viability of privacy-first, local-control architectures in a cloud-dominated IoT landscape to avoid vendor lock-in.

#culture #security #mlp

Read original

GitHub EngineeringDec 22, 2025

This year’s most influential open source projects

Why it matters: These projects represent the backbone of modern developer productivity. By automating releases, simplifying backend infrastructure, and building independent engines, they empower engineers to bypass boilerplate and focus on high-impact innovation within the open source ecosystem.

Appwrite provides a comprehensive backend-as-a-service (BaaS) platform with APIs for databases, authentication, and storage to reduce development boilerplate.
GoReleaser automates the Go project release lifecycle, handling packaging and distribution for major tools including the GitHub CLI.
Homebrew remains the essential package management standard for macOS and Linux, facilitating environment bootstrapping and DevOps automation.
Ladybird is an independent browser being built from scratch in C++, aiming for high performance and privacy without relying on existing engines like Chromium.
The featured projects highlight a growing trend toward developer-centric tools that prioritize automation and independent engineering craft.

#culture #sre

Read original

GitHub EngineeringDec 12, 2025

The future of AI-powered software optimization (and how it can help your team)

Why it matters: This article introduces "Continuous Efficiency," an AI-driven method to embed sustainable and efficient coding practices directly into development workflows. It offers a practical path for engineers to improve code quality, performance, and reduce operational costs without manual effort.

"Continuous Efficiency" integrates AI-powered automation with green software principles to embed sustainability into development workflows.
This approach combines LLM-powered Continuous AI for CI/CD with Green Software practices, aiming for more performant, resilient, and cost-effective code.
It addresses the low priority of green software by enabling near-effortless, always-on optimization for efficiency and reduced environmental impact.
Implemented via Agentic Workflows in GitHub Actions, it allows defining engineering standards in natural language for scalable application.
Benefits include declarative rule authoring, semantic generalizability across languages, and intelligent remediation like automated pull requests.
Pilot projects demonstrate success in applying green software rules and Web Sustainability Guidelines, yielding measurable performance gains.

#mlp #sre #finops

Read original

GitHub EngineeringDec 11, 2025

Let’s talk about GitHub Actions

Why it matters: The article details how GitHub Actions' core infrastructure was re-architected to support massive scale and deliver crucial features. This ensures improved reliability, performance, and flexibility for developers using CI/CD pipelines, addressing long-standing community requests.

GitHub Actions underwent a significant re-architecture of its core backend services to handle massive growth, now processing 71 million jobs daily.
This re-architecture improved performance, scalability, and reliability, laying the foundation for future feature development.
Key quality-of-life improvements recently shipped include support for YAML anchors to reduce workflow duplication.
Non-public workflow templates enable consistent, private CI scaffolding across organizations.
Reusable workflow limits were increased, allowing for more modular and deeply nested CI/CD pipelines.
The cache size limit per repository was removed, addressing a pain point for large projects with heavy dependencies.

#sre #dist

Read original

GitHub EngineeringDec 11, 2025

GitHub Availability Report: November 2025

Why it matters: This report highlights common infrastructure challenges like rate limiting, certificate management, and configuration errors. It offers valuable insights into incident response, mitigation strategies, and proactive measures for maintaining high availability in complex distributed systems.

GitHub experienced three incidents in November 2025, affecting Dependabot, Git operations, and Copilot services.
A Dependabot incident was caused by hitting GitHub Container Registry rate limits, resolved by adjusting job rates and increasing limits.
All Git operations failed due to an expired TLS certificate for internal service-to-service communication, mitigated by certificate replacement and service restarts.
A Copilot outage for the Claude Sonnet 4.5 model resulted from a misconfiguration in an internal service, which was resolved by reverting the change.
Post-incident actions include adding new monitoring, auditing certificates, accelerating automation for certificate management, and improving cross-service deploy safeguards.

#sre #dist

Read original

Page 5 of 8

Prev 1...3 4 5 6 7 8 Next