GitHub Engineering

Adding Community & Safety checks to new features

With the continuous shipping nature at GitHub, it’s easy for the most well-intentioned feature to accidentally become the vector of abuse and harassment. The Community & Safety engineering team focuses on building community management tools and maintaining user safety, but we also review new features our colleagues have written to ensure there are no accidental abuse vectors. Similar to Application Security reviews, these Community & Safety reviews hopefully catch any potential problems before they go out, in order to minimize impact on marginalized folks, reduce spam, and encourage healthy communities.

New and improved two-factor lockout recovery process

The Recover Accounts Elsewhere feature lets you associate your GitHub account with your Facebook account. This will help us recover your account for certain two-factor authentication lockout scenarios. For example, you may become locked out of your GitHub account because you have lost your phone or U2F key, changed phones without re-enrolling, or have otherwise lost the ability to use your phone or token without a usable backup.

GitHub's post-CSP journey

Last year we shared some details on GitHub’s CSP journey. A journey was a good way to describe it, as our usage of Content Security Policy (CSP) significantly changed from our initial release nearly four years ago to where we ended up last year. It wasn’t until then that we felt our policy was relatively stable and, while we were not foolish enough to call it “done,” we found the policy was refined enough to focus on protections beyond what CSP offered.

Moving persistent data out of Redis

Historically, we have used Redis in two ways at GitHub:

Orchestrator at GitHub

GitHub uses MySQL to store its metadata: Issues, Pull Requests, comments, organizations, notifications and so forth. While git repository data does not need MySQL to exist and persist, GitHub’s service does. Authentication, API, and the website itself all require the availability of our MySQL fleet.

Older posts