Cross-Cutting Tools Deep Dive · 2 of 6

GitHub — Where Code Lives in Public

Founded 2008, acquired by Microsoft in 2018. GitHub turned Git from a developer tool into a social platform: a profile, a follower graph, a pull-request inbox, and a CI runner. Most open source lives here. Most companies use it for private code too.

Pull RequestsActionsIssuesCopilotCodespaces
← Back to Cross-Cutting Tools
What's in the Box

The Surface Area

Basic Concepts

  • Repositories — public or private Git hosts with a web UI for browsing, searching, and editing.
  • Pull requests — the proposal-review-merge unit of work. Comments, suggested changes, required reviewers, status checks.
  • Issues & Projects — bug tracking, discussion threads, kanban-style boards tightly linked to PRs.
  • Actions — built-in CI/CD. YAML workflows triggered by events; runners hosted by GitHub or self-hosted.
  • Packages, Container Registry, Pages, Releases — adjacent product surfaces for shipping artifacts and docs.
  • Codespaces — cloud dev environments backed by VS Code. Copilot — AI pair programmer.
The PR Workflow

How Work Lands

Branch
Push
Open PR
CI checks
Review
Merge / squash / rebase

Branch protection rules enforce required reviews, passing checks, and signed commits before merge. Merge queue serializes merges so each PR is tested against the exact state of main it will land on — no more "green PR breaks main" surprises.

Actions

CI/CD Built In

Workflows live in .github/workflows/*.yml. They react to events (push, pull_request, schedule, workflow_dispatch, ...) and run jobs on Linux, Windows, or macOS runners. The marketplace has thousands of pre-built actions — checkout, setup-node, deploy-to-cloud — that you compose like Lego.

  • Reusable workflows let you DRY up shared CI logic across repos.
  • OIDC tokens let runners authenticate to AWS/GCP/Azure without long-lived secrets.
  • Self-hosted runners for heavy jobs, GPU work, or on-prem network access — but you own the security.
Tradeoffs

What to Watch Out For

  • Vendor lock-in is real. Actions, Issues, Projects, Packages — all proprietary formats. Migrating off is doable but costs weeks.
  • Issues are lightweight by design. Teams that need rich workflows often pair GitHub with Linear or Jira and just sync IDs.
  • Action supply chain. Pin third-party actions to a SHA, not @v1. A compromised action runs with your secrets.
  • Public forks see your secrets … almost. By default, secrets aren't passed to PRs from forks. Read the docs before changing that.
  • Costs scale with minutes and storage. Self-hosted runners or Linux-only matrices cut bills fast.
Continue

Other Cross-Cutting Tools

← Git GitLab → Bitbucket → Azure DevOps → ↑ Back to Cross-Cutting Tools