Marcin Antkiewicz marcinantkiewicz
@marcinantkiewicz
marcinantkiewicz / list_images.md
Last active February 25, 2026 05:56
Create GH issue listing images used in dockerfiles in specified or all repositories in a github org.

Note:

  • Default GH token does not allow reads from other repos. I use GH App to auth the action.
  • GH search API has vicious rate limits, 3s sleep is not enough, or I am getting labelled as a bot. WTF Microsoft?
  • This will open one issue, listing all the images, in a table |repo|dockerfile|image|. It should process multi-stage dockerfiles.
  • The way it finds dockerfiles is dumb - find anything with dockerfile in name, find FROM line... works fine on my computer. I
name: List docker images
on:
  schedule:
    - cron: '0 8 * * *' # 8am utc/midnight-late night in the US
@marcinantkiewicz
marcinantkiewicz / github_ssh_to_local_authkeys.md
Created February 21, 2026 21:36
Allow ssh access to user based on their github identity

Allow a user to access something (or run a command) using their GitHub public SSH key.
Note: using command= enables interesting security footguns

COMMAND='command="free",restrict'
GH_USER=username
KEYS=$(curl -s https://github.com/$GH_USER.keys)

{
 echo "# https://github.com/$GH_USER"
---
- name: install llm cli and plugins
  hosts: localhost
  connection: local
  gather_facts: no
  vars:
    llm_plugins:
      - llm-openrouter
      - llm-mlx
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: ${namespace}
spec:
  containers:
  - image: google/cloud-sdk:slim
    name: test-pod
    command: ["sleep", "86400"]
# Players
# KSA - k8s service account
# GSA - GCP service account
# metadata server - runs on cluster nodes where pods with Workload Identity are dispatched, will respond to requests directed to 169.254.169.254.
# workload identity - modifies behavior of the metadata server. Transparently to the SA, it will return GCP STS tokens issued to the impersonated GCP role.
# Note: - when WI is enabled but not configured properly, the metadata server will fail (silently?) when it does not find annotation etc.
#
# request flow
# 1. pod requests credentials from the metadata server
# 2. metadata server checks if the pod is using workload identity, and identifies the KSA
# docker needs the container toolkit to be able to make nvidia drivers available in the containers and probably more.
# - you will need nvidia drivers too. https://github.com/NVIDIA/nvidia-container-toolkit
# - model directory will need some IOPS to load them, dedicated NVME is both fast and naturally limits the sprawl
# - in GPU stats you will see both (G)raphics and (C)ompute jobs. LLM-related tooling only controls the C jobs.
# -- once Ollama container is running
#
# this should produce help output
$ docker exec -it ollama ollama
# 1. save as `eslint_prettier-vuln-checker.sh`
# 2. this finds `package-lock.json` files in the `IdeaProjects` folder in the home dir, adjust as needed:
# `find ~/IdeaProjects/ -type f -name package-lock.json -exec bash eslint_prettier-vuln-checker.sh {} \;`
# this takes a while to run; add `-print` above to see all the lockfiles it finds
#
#!/usr/bin/env bash
PACKAGE_VERSION_PAIRS=(
@marcinantkiewicz
marcinantkiewicz / dig-edns.md
Created April 23, 2024 15:22 — forked from fartbagxp/dig-edns.md
Testing eDNS with dig

Print the names of secrets that do not have the versionAliases attribute

gcloud secrets list --format=json | jq '.[] | select( has("versionAliases")|not)|.name'

#! /usr/bin/env sh
while getopts sf:p ARG
do
  case "${ARG}" in
    s) SHORT_LIST=1;;
    f) FILEPATH=${OPTARG};;
    p) PULL=1;;
    *) echo "\nReads GCP cloudbuild config, lists secrets contained in the file\n\nUsage: $(basename $0) [-s] -f filename\n -s short output, do not display google secrets path\n -f cloudbuild config to read\n -p list values for the secrets from GCP, in a format ready to be exported into bash\n\n" && exit 1;
  esac