Ship It Weekly - DevOps, SRE, Platform and Cloud Engineering News

<p>This is a guest conversation episode of <strong>Ship It Weekly</strong>, separate from the weekly news recaps.</p><p>In this Ship It: Conversations episode, I talk with Stephane Moser about Pipedrive’s move from Jenkins to GitHub Actions, building self-hosted runners on Kubernetes, shifting deployments toward GitOps with Argo CD, and what it actually takes to roll out a big CI/CD change across a large engineering org.</p><p>We talk about why Jenkins had become painful, from Groovy friction to noisy-neighbor problems on shared VMs, why GitHub Actions fit better, how reusable workflows and custom actions helped, why Argo CD beat out Flux for their use case, and how they had to build better observability and internal deployment visibility around GitHub as they scaled.</p><p>The bigger theme here is that this was not just a tooling swap. It was a product and platform migration. Isolation, repeatability, self-service, rollout strategy, and observability mattered just as much as the actual CI/CD tools.</p><p><strong>Highlights</strong></p><p>• Why Jenkins stopped working well for them: Groovy friction, shared VM contention, and poor predictability </p><p>• Replacing CodeShip pull request validation first as the low-blast-radius starting point </p><p>• Using Actions Runner Controller on Kubernetes with EKS and Karpenter for self-hosted runners </p><p>• Why reusable workflows and custom actions helped cut repetition across hundreds of services </p><p>• Choosing Argo CD over Flux, Argo Workflows, Tekton, and even a short Spinnaker attempt </p><p>• Moving from push-based deploys toward GitOps for better isolation and safer credentials handling </p><p>• Building internal observability because GitHub’s workflow visibility was not enough at their scale </p><p>• Dogfooding first, then rolling migration out in batches until teams could self-serve the move </p><p>• What broke when the new system actually worked too well: bot-driven deploy volume, queueing, and fairness </p><p>• The mobile side of the story: Mac minis, unstable runners, GitHub-hosted runners, and a very different migration path </p><p>• How AI sped up parts of the mobile migration and troubleshooting, without making the migration trivial </p><p>• Stephane’s advice for big CI/CD shifts: start small, reduce blast radius, and use your own platform first</p><p><strong>Stephane’s links</strong></p><p>• LinkedIn: <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.linkedin.com/in/moserss/">https://www.linkedin.com/in/moserss/</a> </p><p>• Talk video: <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.youtube.com/watch?v=VrE1dh-1zEY">https://www.youtube.com/watch?v=VrE1dh-1zEY</a> </p><p>• Blog post Part 1: <a target="_blank" rel="noopener noreferrer nofollow" href="https://medium.com/pipedrive-engineering/so-long-jenkins-hello-github-actions-pipedrives-big-ci-cd-switch-03be29c75f63">https://medium.com/pipedrive-engineering/so-long-jenkins-hello-github-actions-pipedrives-big-ci-cd-switch-03be29c75f63</a> </p><p>• Blog post Part 2: <a target="_blank" rel="noopener noreferrer nofollow" href="https://medium.com/pipedrive-engineering/all-aboard-the-github-actions-express-pipedrives-big-ci-cd-switch-part-2-fcacf834afd2">https://medium.com/pipedrive-engineering/all-aboard-the-github-actions-express-pipedrives-big-ci-cd-switch-part-2-fcacf834afd2</a> </p><p>• GitHub: <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.com/moser-ss">https://github.com/moser-ss</a></p><p><strong>Our links</strong></p><p>More episodes + show notes + links: <a target="_blank" rel="noopener noreferrer nofollow" href="https://shipitweekly.fm">https://shipitweekly.fm</a></p><p>On Call Brief: <a target="_blank" rel="noopener noreferrer nofollow" href="https://oncallbrief.com">https://oncallbrief.com</a></p>

<p>This episode of <strong>Ship It Weekly</strong> is about networking, ingress, and private access moving further up into the platform layer. Brian covers AWS Interconnect going generally available, Cloudflare Mesh, GitLab 19.0 breaking changes around Gateway API and bundled services, EKS Auto Mode networking, and OpenTelemetry declarative config reaching stability. He also hits containerd security patches, GitHub’s new Code Security risk assessment, and AWS guidance on securing AI agents with MCP. (<a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/blogs/aws/aws-interconnect-is-now-generally-available-with-a-new-option-to-simplify-last-mile-connectivity/?utm_source=chatgpt.com">Amazon Web Services, Inc.</a>)</p><p><strong>Links</strong></p><p>AWS Interconnect GA and last mile connectivity <a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/blogs/aws/aws-interconnect-is-now-generally-available-with-a-new-option-to-simplify-last-mile-connectivity/">https://aws.amazon.com/blogs/aws/aws-interconnect-is-now-generally-available-with-a-new-option-to-simplify-last-mile-connectivity/</a></p><p>Cloudflare Mesh <a target="_blank" rel="noopener noreferrer nofollow" href="https://blog.cloudflare.com/mesh/">https://blog.cloudflare.com/mesh/</a></p><p>GitLab 19.0 breaking changes <a target="_blank" rel="noopener noreferrer nofollow" href="https://about.gitlab.com/blog/a-guide-to-the-breaking-changes-in-gitlab-19-0/">https://about.gitlab.com/blog/a-guide-to-the-breaking-changes-in-gitlab-19-0/</a></p><p>EKS Auto Mode networking <a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/blogs/containers/navigating-enterprise-networking-challenges-with-amazon-eks-auto-mode/">https://aws.amazon.com/blogs/containers/navigating-enterprise-networking-challenges-with-amazon-eks-auto-mode/</a></p><p>OpenTelemetry declarative config reaches stability <a target="_blank" rel="noopener noreferrer nofollow" href="https://opentelemetry.io/blog/2026/stable-declarative-config/">https://opentelemetry.io/blog/2026/stable-declarative-config/</a></p><p>containerd security releases <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.com/containerd/containerd/releases">https://github.com/containerd/containerd/releases</a></p><p>GitHub Code Security risk assessment for organizations <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.blog/changelog/2026-04-08-code-security-risk-assessment-available-for-organizations/">https://github.blog/changelog/2026-04-08-code-security-risk-assessment-available-for-organizations/</a></p><p>AWS secure AI agent access patterns using MCP <a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/blogs/security/secure-ai-agent-access-patterns-to-aws-resources-using-model-context-protocol/">https://aws.amazon.com/blogs/security/secure-ai-agent-access-patterns-to-aws-resources-using-model-context-protocol/</a></p><p>This week’s On Call Brief <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.tellerstech.com/on-call-brief/2026-W16/">https://www.tellerstech.com/on-call-brief/2026-W16/</a></p><p>More episodes and show notes <a target="_blank" rel="noopener noreferrer nofollow" href="https://shipitweekly.fm/">https://shipitweekly.fm/</a></p>

<p>In this <strong>Ship It Weekly</strong> special, Brian breaks down Claude Mythos Preview and Project Glasswing, and why this story matters beyond normal AI launch hype.</p><p>Anthropic is treating Mythos like a real security inflection point, not just a better coding model. Project Glasswing is their coordinated effort to get early access into the hands of defenders, critical software maintainers, and major infrastructure organizations before similar capability becomes more broadly available. If OpenClaw was about agents becoming a new control plane, this episode is about what happens when finding ways into messy environments and control planes starts getting faster too.</p><p>We walk through the practical angle for DevOps, cloud, platform, and infra teams: exploit timelines may be compressing, platform debt becomes attacker leverage, and the boring work most orgs treat like cleanup suddenly looks a lot more like frontline security work. We also zoom out to the business side, including why banks, regulators, and government officials are already paying attention.</p><p>Chapters</p><ul><li>Why This Episode Exists</li><li>OpenClaw Callback</li><li>What Actually Happened</li><li>Don’t Get Gullible, Don’t Get Lazy</li><li>What Changes If This Is Even Half True</li><li>Why Business People Should Care</li><li>What This Means for DevOps, Cloud, and Platform</li><li>Boring Work Just Got Promoted</li><li>The Uncomfortable Takeaway</li><li>What I’d Do Right Now</li></ul><p><strong>Links from this episode</strong></p><p>Claude Mythos Preview</p><p><a target="_blank" rel="noopener noreferrer nofollow" href="https://red.anthropic.com/2026/mythos-preview/">https://red.anthropic.com/2026/mythos-preview/</a></p><p>Project Glasswing</p><p><a target="_blank" rel="noopener noreferrer nofollow" href="https://www.anthropic.com/project/glasswing">https://www.anthropic.com/project/glasswing</a></p><p>AI cyber threats: open letter to business leaders</p><p><a target="_blank" rel="noopener noreferrer nofollow" href="https://www.gov.uk/government/publications/ai-cyber-threats-open-letter-to-business-leaders/ai-cyber-threats-open-letter-to-business-leaders-html">https://www.gov.uk/government/publications/ai-cyber-threats-open-letter-to-business-leaders/ai-cyber-threats-open-letter-to-business-leaders-html</a></p><p>AI-boosted hacks with Anthropic’s Mythos could have dire consequences for banks</p><p><a target="_blank" rel="noopener noreferrer nofollow" href="https://www.reuters.com/legal/litigation/ai-boosted-hacks-with-anthropics-mythos-could-have-dire-consequences-banks-2026-04-13/">https://www.reuters.com/legal/litigation/ai-boosted-hacks-with-anthropics-mythos-could-have-dire-consequences-banks-2026-04-13/</a></p><p>ECB to quiz bankers about risks of Anthropic's new AI model, source says</p><p><a target="_blank" rel="noopener noreferrer nofollow" href="https://www.reuters.com/world/ecb-warn-bankers-about-new-anthropic-model-risks-source-says-2026-04-15/">https://www.reuters.com/world/ecb-warn-bankers-about-new-anthropic-model-risks-source-says-2026-04-15/</a></p><p>Related episode: OpenClaw special</p><p><a target="_blank" rel="noopener noreferrer nofollow" href="https://www.tellerstech.com/ship-it-weekly/special-openclaw-security-timeline-and-fallout-cve-2026-25253-one-click-token-leak-malicious-clawhub-skills-exposed-agent-control-panels-and-why-local-ai-agents-are-a-new-devops-sre-control-plane/">https://www.tellerstech.com/ship-it-weekly/special-openclaw-security-timeline-and-fallout-cve-2026-25253-one-click-token-leak-malicious-clawhub-skills-exposed-agent-control-panels-and-why-local-ai-agents-are-a-new-devops-sre-control-plane/</a></p>

<p>This episode of <strong>Ship It Weekly</strong> is about the interface layer becoming the story. Brian covers Amazon S3 Files and why it feels more like a managed filesystem layer in front of S3 than “S3 is EFS now,” including how it relates to the old s3fs and FUSE-style approach. He also digs into 36 malicious npm packages posing as Strapi plugins, the uglier follow-on to the Trivy incident he discussed previously, Kubernetes Ingress2Gateway 1.0 and the push toward Gateway API, and Kubernetes Agent Sandbox as a sign that newer AI-style workloads are starting to reshape the platform itself.</p><p><strong>Links</strong></p><p>Amazon S3 Files</p><p><a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/blogs/aws/launching-s3-files-making-s3-buckets-accessible-as-file-systems/">https://aws.amazon.com/blogs/aws/launching-s3-files-making-s3-buckets-accessible-as-file-systems/</a></p><p>Malicious npm packages posing as Strapi plugins</p><p><a target="_blank" rel="noopener noreferrer nofollow" href="https://thehackernews.com/2026/04/36-malicious-npm-packages-exploited.html">https://thehackernews.com/2026/04/36-malicious-npm-packages-exploited.html</a></p><p>Trivy follow-on incident discussion</p><p><a target="_blank" rel="noopener noreferrer nofollow" href="https://github.com/aquasecurity/trivy/discussions/10425">https://github.com/aquasecurity/trivy/discussions/10425</a></p><p>RoseSecurity on Trivy / typosquatting angle</p><p><a target="_blank" rel="noopener noreferrer nofollow" href="https://rosesecurity.dev/2026/03/20/typosquatting-trivy.html">https://rosesecurity.dev/2026/03/20/typosquatting-trivy.html</a></p><p>Earlier episode covering the first Trivy incident</p><p><a target="_blank" rel="noopener noreferrer nofollow" href="https://www.tellerstech.com/ship-it-weekly/aws-bahrain-uae-data-center-issues-amid-iran-strikes-argocd-vs-flux-gitops-failures-github-actions-hackerbot-claw-attacks-trivy-roguepilot-codespaces-prompt-injection-block-ai-remake/">https://www.tellerstech.com/ship-it-weekly/aws-bahrain-uae-data-center-issues-amid-iran-strikes-argocd-vs-flux-gitops-failures-github-actions-hackerbot-claw-attacks-trivy-roguepilot-codespaces-prompt-injection-block-ai-remake/</a></p><p>Kubernetes Ingress2Gateway 1.0</p><p><a target="_blank" rel="noopener noreferrer nofollow" href="https://kubernetes.io/blog/2026/03/20/ingress2gateway-1-0-release/">https://kubernetes.io/blog/2026/03/20/ingress2gateway-1-0-release/</a></p><p>Kubernetes Agent Sandbox</p><p><a target="_blank" rel="noopener noreferrer nofollow" href="https://kubernetes.io/blog/2026/03/20/running-agents-on-kubernetes-with-agent-sandbox/">https://kubernetes.io/blog/2026/03/20/running-agents-on-kubernetes-with-agent-sandbox/</a></p><p>Fortinet FortiClient EMS emergency patch</p><p><a target="_blank" rel="noopener noreferrer nofollow" href="https://www.fortiguard.com/psirt/FG-IR-26-099">https://www.fortiguard.com/psirt/FG-IR-26-099</a></p><p>Karpathy post</p><p><a target="_blank" rel="noopener noreferrer nofollow" href="https://x.com/karpathy/status/2036487306585268612">https://x.com/karpathy/status/2036487306585268612</a></p><p>ProofShot</p><p><a target="_blank" rel="noopener noreferrer nofollow" href="https://github.com/AmElmo/proofshot">https://github.com/AmElmo/proofshot</a></p><p>More episodes and show notes</p><p><a target="_blank" rel="noopener noreferrer nofollow" href="https://shipitweekly.fm">https://shipitweekly.fm</a></p><p>On Call Briefs</p><p><a target="_blank" rel="noopener noreferrer nofollow" href="https://oncallbrief.com">https://oncallbrief.com</a></p>

<p>This is a guest conversation episode of <strong>Ship It Weekly</strong>, separate from the weekly news recaps.</p><p>In this Ship It: Conversations episode, I talk with David Chute, founder and CEO of Roadie, about internal developer portals, Backstage, automation, and how IDPs may evolve as AI agents become more common in engineering workflows.</p><p>We talk about the difference between a platform and a portal, the three common problems IDPs usually try to solve, why discoverability tends to be the first pain teams feel, and why a lot of orgs should start with automation before trying to perfect a service catalog. We also get into self-hosted Backstage vs managed options, and how teams should think about adoption, data models, and time to value.</p><p>The bigger theme is the one I found most interesting: IDPs may be shifting away from dashboard-heavy “single pane of glass” thinking and toward becoming context layers for workflows, terminals, and eventually agents.</p><p></p><p><strong>Highlights</strong></p><p>• The difference between an internal developer platform and an internal developer portal</p><p>• The three common IDP problem areas: discoverability, automation, and guardrails</p><p>• Why discoverability is usually the first pain teams feel</p><p>• Why adoption is often more of a human problem than a technical one</p><p>• Catalog completeness vs team ownership</p><p>• Why a lot of teams should start with automation first</p><p>• Self-hosted Backstage vs SaaS tradeoffs: extensibility, control, lock-in, and time to value</p><p>• Why IDPs may move from dashboards to context delivery for humans and agents</p><p>• Why AI helps teams build faster, but does not solve the problem of building the right thing</p><p>• David’s advice for platform and DevEx teams: talk to your internal users first</p><p></p><p><strong>David’s links</strong></p><p>• LinkedIn: <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.linkedin.com/in/davidtuite/">https://www.linkedin.com/in/davidtuite/</a></p><p></p><p><strong>Roadie / Backstage</strong></p><p>• Roadie: <a target="_blank" rel="noopener noreferrer nofollow" href="https://roadie.io/">https://roadie.io/</a> </p><p>• Backstage: <a target="_blank" rel="noopener noreferrer nofollow" href="https://backstage.io/">https://backstage.io/</a></p><p></p><p><strong>Stuff mentioned</strong></p><p>• Workday </p><p>• Backstage </p><p>• GitHub </p><p>• GitLab </p><p>• Bitbucket </p><p>• Azure DevOps </p><p>• Argo CD </p><p>• LaunchDarkly </p><p>• CircleCI </p><p>• DORA metrics </p><p>• MCP-style context for agents</p><p></p><p><strong>Our links</strong></p><p>More episodes + show notes + links: <a target="_blank" rel="noopener noreferrer nofollow" href="https://shipitweekly.fm">https://shipitweekly.fm</a></p><p>On Call Brief: <a target="_blank" rel="noopener noreferrer nofollow" href="https://oncallbrief.com">https://oncallbrief.com</a></p>