GitHub Actions Is Slowly Killing Your Engineering Team - Ian Duncan

You click the step that failed. The page hitches. You scroll. There is a pause, a held breath, and then the logs appear, slowly, like a manuscript being revealed one line at a time to a supplicant who has not yet proven worthy. That’s three or four clicks just to see the error, and every one of them loads a new page with its own loading spinner, and none of them are fast. You are navigating a bureaucracy. You are filling out forms at the DMV of CI. And then the log viewer itself. I have used every CI system known to man, and the GitHub Actions log viewer is the only one that has *crashed my browser*. Not once. Repeatedly. Reliably. Open a long build log, try to search for an error, and Chrome will look you in the eye and die. This is the log viewer for the most popular CI system in the world. This is the tool you are expected to use to understand why your build failed. It cannot survive contact with its own output. … Or a different run. Or a page you don’t recognize. The back button in the GitHub Actions UI is a roulette wheel. You will land somewhere. It will not be where you wanted to go. You will click the back button again. You will land somewhere else. Eventually you give up and type the PR URL from memory or go find it in your browser history, which is now 80% GitHub Actions URLs, a fact that will haunt you when you look at it later. … ## ”But the Marketplace!” Ah yes, the GitHub Actions Marketplace. The npm of CI. A bazaar of community-maintained actions of varying quality, most of which are shell scripts with a `Dockerfile` and a dream. Every time you type `uses: some-stranger/cool-action@v2`, you’re handing a stranger access to your repo, your secrets, and your build environment. Yes, you can pin to a SHA. Nobody does. And even if you do, you’re still running opaque code you didn’t write and probably haven’t read, in a context where it has access to your … *can* bring your own runners to GitHub Actions. Self-hosted runners exist. You can set up your own machines, install Nix, configure your environment exactly how you want it. And this does solve the compute problem. Your builds will be faster. Your caches will be warm. But you’ll still be writing GitHub Actions YAML. You’ll still be fighting the expression syntax and the permissions model and the marketplace and the log viewer that crashes your browser. You’ve upgraded the engine but you’re still driving the car that catches fire when you turn on the radio. … `workflow_call` trigger was. That person was happy. The `GITHUB_TOKEN` permissions model is a maze. `permissions: write-all` is a hammer, fine-grained permissions are a puzzle, and the interaction between repository settings, workflow settings, and job-level settings will make you want to lie down on the floor. I once spent an entire day on token permissions. I will never get that day back. It’s gone. I could have learned to paint. I could have called my mother. I could have mass-tested a new CI system. Anything.