Pete Wagner

118 posts

@meofthecloud

Infra security nerd at Shopify. Previously GitHub (Dependabot+Actions), ApolloGraphQL, Fitbit. Hack the planet.

Joined November 2012
88 Following, 34 Followers
Pete Wagner@meofthecloud·
@ibuildthecloud Is this for AI chat? Or the Kube thing? I mentioned my DIY chat frontend before, here's a screenshot. Rendered markdown inside some rounded borders, and a pulsing spinner while the bot is generating a response. Functional garbage.
Darren Shepherd@ibuildthecloud·
I finally took some time and read the docs for charm.sh. I think I can actually use this. Maybe this will be the first TUI framework I can leverage. Everything else I always get so lost in the details.
Pete Wagner@meofthecloud·
my PR to trivy made its way to trivy-action, so now my SBOM dependency diffs include the golang stdlib for any detected binaries. neat. github.com/aquasecurity/t…
Pete Wagner@meofthecloud·
if you're trying the shiny new `gh attestation verify` with reusable workflows, don't get sniped into debugging the CLI like I did: github.com/cli/cli/issues…
Pete Wagner@meofthecloud·
@StackLokHQ I appreciate that `gh` is the only binary I'm willing to trust without seeing a signature in Rekor first. I think moving the magic from GoReleaser (the common thread in the "good" projects I mentioned) to the GitHub platform will let me verify more and configure less.
Pete Wagner@meofthecloud·
@StackLokHQ My interest is from my verifying Debian proxy. Projects like Trivy, SOPS, and GoReleaser provide attestations via cosign sign-blob, so I have a service that lets me "apt-get" updates as long as I trust their signer. The config file explains it best: gist.github.com/thepwagner/52d…
Pete Wagner@meofthecloud·
@ibuildthecloud Rolling your own with charm libs isn't too bad - mine is a Bubbles Viewport+TextInput. Add Glamour to style the markdown, a few borders, ship it. It's still as un-fun as writing UI code, but at least it's Golang.
Darren Shepherd@ibuildthecloud·
What's a good terminal based chat program that talks to openai chat completion? Something slick. I really like charm.sh mods but it doesn't really chat it's for scripting.
Pete Wagner@meofthecloud·
@gudmundur Do you see value in an LLM for this, or is there too much domain knowledge? I've been fiddling with markdown timelines in an LLM as a rubber duck on steroids, I'd say it's only 25% gibberish.
Guðmundur Bjarni@gudmundur·
Very important corollary to this, pair with someone while doing the work. Talk through every step, what the thinking is, agree on what is about to be done.
Guðmundur Bjarni@gudmundur·
When going through operations of systems, whether during incidents or doing one-off things, I’ve found that it’s critical to maintain a timeline of what’s about to be done, how it went, and what steps are taken to deal with or mitigate the results.
Dan Lorenc@lorenc_dan·
Sick of managing GitHub PATs? Check out octo-sts! chainguard.dev/unchained/the-… "In short: GitHub didn’t expose an STS, so we went ahead and built one."
Pete Wagner@meofthecloud·
@ibuildthecloud I did a thing that drops an LLM agent into a simulated world (a 10x10 grid with randomly distributed "food") and let it issue commands to survive. Local models could barely speak JSON and I had to hand-feed them tokens (e.g. to "move_west", prompt: "there is food to the west")
Darren Shepherd@ibuildthecloud·
OpenAI is pretty smart, the other models are just doing cosplay.
Pete Wagner@meofthecloud·
How can a ski hill be open with a small amount of natural snow? Snowmakers go BRRRRR.
Pete Wagner@meofthecloud·
I wanted this enough to build it again: a service to generate Debian repositories in-memory from a bunch of debs. It can source packages directly from GitHub release assets and verify Rekor records produced by cosign sign-blob.
Pete Wagner@meofthecloud·
Until you pin your dependencies George, Festivus is not over
Pete Wagner@meofthecloud·
i spilled making a pourover and knew i had exactly 23.5g of coffee to clean up off the counter. ever catch yourself napkin mathing literal napkin math.
Marc Campbell@marccampbell·
How are you managing proactively rotating GitHub tokens in CI pipelines? We have a lot of narrowly scoped tokens, and the expiration & rotation process feels too manual still. Any recommendations?
Pete Wagner@meofthecloud·
more tech clutter tips: "does this SPARC? joy"
Pete Wagner@meofthecloud·
the SSD rule of thumb is literal: once you have several thumbdrives larger than a 2.5" SSD, that SSD is probably waste.
Pete Wagner@meofthecloud·
@jessfraz I’m convinced this will be the new typo-squatting. Nobody fat fingers what they copy/paste from GPT, so squat packages that bots will assume exist.
Jessie Frazelle@jessfraz·
I asked ChatGPT how I would do something in Rust and it hallucinated an entire crate existing that basically handled the entire thing. Queue song: "Wouldn't it be nice".
Pete Wagner@meofthecloud·
"this is man chmod(1), i wanted man chmod(2)" - statement dreamed up by the utterly Deranged