01:42 - Rin’s Superpower: Writing, Public Speaking, and Being Neurodivergent + Awesome!

02:18 - GitHub Actions

• Concurrent Actions


• CICD (Continuous Improvement, Continuous Deployment)


• Security
  
  
  
  
  • Trivy
  
  
  • Building Secure Open Source Communities From the Ground Up
  
  
  • Camunda Community Hub
    
    
    
    
    • community-action-maven-release
    
    
  
  

07:47 - Improving Developer Experience

• Kubernetes Community Contributor Experience Special Interest Group


• Contributing Code
  
  
  
  
  • Kubernetes.dev
  
  

11:33 - Neurodivergence + Autistic Burnout

• A Vulnerable Tale About Burnout - Julia Simon


• CNCF Slack


• Articles From Rin


• John K. Sawers: Hacking Your Emotional API


• CPTSD


• EMDR

17:04 - Mentoring and Reviewing for Kubernetes

• KubeCon + CloudNativeCon

20:49 - Open Source Contribution

• Paying Maintainers


• Getting Hired Based on Contributions


• Getting Started with DevOps/DevSecOps Contributing
  
  
  
  
  • MiniKube
  
  
  • The Diana Initiative
  
  
  • Trivy
  
  


• Auditing

29:04 - Mentoring (Cont’d)

• Pod Mentoring


• Ruby Central Scholarship Program

32:46 - Evaluating Open Source Projects: Tips For Newbies

• Contributor Licence Agreements (CLAs)


• Codes of Conduct (CoCs)


• Evaluate the Community

Reflections:

John: Technical Mentorship vs Social Mentorship.

Mando: Providing a welcoming sense of community for people with non-traditional backgrounds.

Rin: Being intentional about helping others, but also helping others means helping yourself.

John 2: The distinction between technical and autistic burnout.

This episode was brought to you by @therubyrep of DevReps, LLC. To pledge your support and to join our awesome Slack community, visit patreon.com/greaterthancode

To make a one-time donation so that we can continue to bring you more content and transcripts like this, please do so at paypal.me/devreps. You will also get an invitation to our Slack community this way as well.

Transcript:

PRE-ROLL: Software is broken, but it can be fixed. Test Double’s superpower is improving how the world builds software by building both great software and great teams. And you can help! Test Double is hiring empathetic senior software engineers and DevOps engineers. We work in Ruby, JavaScript, Elixir and a lot more. Test Double trusts developers with autonomy and flexibility at a remote, 100% employee-owned software consulting agency. Looking for more challenges? Enjoy lots of variety while working with the best teams in tech as a developer consultant at Test Double. Find out more and check out remote openings at link.testdouble.com/greater.

JOHN: Welcome to Greater Than Code. I'm John Sawers and I'm here with Mando Escamilla.

MANDO: Hi, John. Thanks. And I am here with our friend, Rin Oliver.

RIN: Hi, everyone. Thank you so much for having me. I really appreciate it. It's great to be here with you all.

MANDO: We're happy to have you, man.

Rin is a Technical Community Builder at Camunda. They enjoy discussing all things open source with a particular focus on improving hiring pipelines in the technology industry for those that are neurodivergent and improving the developer experience for new and returning open source contributors.

So Rin, we like to start off each of our episodes mostly the same way, which is to ask our new friend, what is your superpower and how did you arrive to it?

RIN: I’m solid at writing, pretty solid writing, and I've been writing since I was a kid. I'm somehow really good at public speaking and I never used to be good at that. That was just through repetition. Other than that, being neurodivergent and being awesome is another superpower.

[laughter]

MANDO: Absolutely.

RIN: Yeah, I would say writing and public speaking and generally just being awesome. In terms of programming languages, I'm still kind of learning a bunch of different things. I'm enjoying DevSecOps and I really enjoy GitHub Actions so CICD.

MANDO: Cool.

I think this might be the first time I've ever heard someone they enjoy GitHub Actions.

RIN: Oh, I think they're great.

MANDO: Oh, I mean, so I love them as well and I shouldn't say that. I should take that back because I very much enjoyed GitHub Actions for the first, I don't know, two, or three weeks that I was using them. [laughs] And then I started hitting the problems of trying to share bits and pieces of my jobs across other jobs and that became a non-stop frustration.

RIN: Do you mean by concurrent actions where you use a different piece of action and another action kind of thing?

MANDO: I don't know about concurrent necessarily, but more just like, I want to be able to run this reusable step across multiple different actions.

RIN: They fixed that. We had that problem, too. They fixed that very recently back in August and you can now use the uses and with keywords and action repeatedly. You don't have to have it just – you can have the uses word define more than once.

MANDO: Really?

RIN: Yeah.

MANDO: Huh. Man. All right. Well, this podcast – [overtalk]

RIN: Made your day.

MANDO: Just covered the price of admission [inaudible] guy. Thank you.

RIN: I know, right. You're welcome.

[laughter]

MANDO: Yeah. The solution that I had before was to pull that stuff out into some bash script, or…

RIN: That's what we did, too. We've got it in bash script right now, but we might go back in and refactor it so we can have that uses keyword come back in. Just do it that way. Yeah, but now you can do that.

MANDO: That’s great.

RIN: Yeah, they just fixed that in a patch back in August, early September.

MANDO: Oh man. That's fantastic.

RIN: Yeah. The words you're looking for is concurrent actions. That's what they call those.

MANDO: That's what they call it? Okay. Well, fantastic. That's great to hear.

RIN: I know, right?

MANDO: So what kinds of things are you doing with GitHub Actions? Like, is it just CICD, or are you doing other things with it as well?

RIN: It is mostly just CICD, but another thing that I've been working on along with our infra team was bringing in security into that CICD function in that we brought in Aqua Security Trivy to scan the automatic releases that we were doing using GitHub Actions for critical vulnerabilities before they could automatically release. So we brought Trivy in with a bash script and it says, “Hey, if you have a critical CVE, you cannot do that release. Go back, do not pass Go, do not collect your $100.”

MANDO: No, that's awesome. That's fantastic.

RIN: Yeah. I just gave a presentation about it a couple weeks ago at DevX Day, which was a KubeCon, cloud data con co-located events. So that was pretty cool. I will link you all the slides if you'd like.

MANDO: So was it doing actual scanning of the thing of the output artifact, or was it –? Can you go a little bit deeper into I guess, what you all were doing specifically around security scanning as part of your pipeline?

RIN: Specifically? So what we had Trivy doing was scanning that output artifact and flagging it for CVs and if it didn't return them, it would upload them to Trivy in SARIF format so that people could review them, the retainers could review those and be like, “Hey, here's that?” And they wouldn't be able to automatically release until they'd resolved that.

MANDO: Got you. What were these output artifacts like? Were they like Java JARs, or –?

RIN: They are. They are mainly Java JARs. Yes, th