Questions

https://sli.do use code: #geecon

How do you picture Philips?

Probably this?

Not this

Philips is a health technology company improving people's health and well-being through meaningful innovation

Our purpose is to improve people’s health and well-being. We aim to improve 2.5 billion lives per year by 2030

Software in Philips

  • 8000+ software professionals

  • Global organisation

  • Regulated medical software

  • 100s of millions of lines of code

Adopting InnerSource

  • Collaborate at Scale

  • Build on top of GitHub (SaaS)

Improve DevX

  • How do we enable CI/CD?

  • How do we bootstrap?

  • How do we share assets?

  • How do we help with compliance?

Enable CI/CD

with GitHub Actions

on: [push]
jobs:
  check-bats-version:
    runs-on: [ubuntu-latest]
    container: node:16
    steps:
      - uses: actions/checkout@v3
      - run: npx bats -v

But how can we connect

to our network?

hosted runners

self-hosted runners

Why self-hosted?

How to bring same DevX to self-hosted runners?

Manual?

Event based

Scale based on workflow jobs

Serverless

low cost / low maintenance control plane

Treat as Cattle

Secure and no fire fighting

Networking

Bring your own connection

💡 Event based / serverless / cattle / byon 💡

Scalable self-hosted

Serverless control plane that receives events from GitHub and scales new self-hosted runners using AWS EC2 Spot Instances

Terraform module with an out-of-the-box working configuration that can be tailored for specific use-cases. AWS Lambdas built in TypeScript.

Scale up

  • GitHub App webhook sends the event
  • AWS API Gateway receives the event
  • AWS Lambda verifies the event (webhook signature, event type, labels)
  • AWS SQS for decoupling / delay
  • AWS Lambda creates the EC2 runner
  • GitHub App for API access
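The verification step above is the one security boundary of the control plane: API Gateway is reachable from the internet, so anything that is not a signed `workflow_job` delivery must be dropped before it can cause an EC2 instance to be launched. The following is an added example, not the talk's or the module's own Lambda code (those are TypeScript), that shows in Python what that check has to do: validate GitHub's `X-Hub-Signature-256` HMAC over the raw body with a constant-time compare, and only then look at the event type, the `queued` action and whether the job's labels are served by these runners. The secret, the runner labels and the sample delivery are constructed.

```python
"""Added example (not the talk's or the terraform-aws-github-runner code):
what the "Lambda verifies event" step must check before queueing a scale-up.
The secret, labels and payload below are constructed for illustration."""
import hashlib
import hmac
import json
from typing import Dict, Iterable, Optional, Tuple

WEBHOOK_SECRET = b"constructed-webhook-secret"   # assumption: secret configured on the GitHub App webhook
RUNNER_LABELS = {"self-hosted", "linux", "x64"}  # assumption: labels the scaled runners register with


def sign(secret: bytes, body: bytes) -> str:
    """Compute the header value GitHub sends: 'sha256=' + hex(HMAC-SHA256(secret, raw body))."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, signature_header: Optional[str]) -> bool:
    """Validate X-Hub-Signature-256 over the raw (unparsed) body."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = sign(secret, body)
    # constant-time compare so a timing side channel cannot be used to forge the MAC
    return hmac.compare_digest(expected, signature_header)


def handle_webhook(headers: Dict[str, str], body: bytes,
                   secret: bytes = WEBHOOK_SECRET,
                   runner_labels: Iterable[str] = RUNNER_LABELS) -> Dict[str, object]:
    """Decide what to do with one delivery: reject (401), ignore (200) or queue for scale-up (202)."""
    # 1. Authenticate the delivery before touching the payload at all.
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return {"status": 401, "action": "reject", "reason": "bad signature"}
    # 2. Only workflow_job events drive scaling; ping, push, etc. are acknowledged and dropped.
    if headers.get("X-GitHub-Event") != "workflow_job":
        return {"status": 200, "action": "ignore", "reason": "not a workflow_job event"}
    event = json.loads(body)
    # 3. Only a newly queued job needs capacity; in_progress/completed do not.
    if event.get("action") != "queued":
        return {"status": 200, "action": "ignore", "reason": "action=%s" % event.get("action")}
    # 4. Every label the job asks for must be one these runners provide (e.g. no windows jobs here).
    job = event.get("workflow_job", {})
    labels = set(job.get("labels", []))
    if not labels or not labels.issubset(set(runner_labels)):
        return {"status": 200, "action": "ignore", "reason": "labels not served by these runners"}
    return {"status": 202, "action": "queue", "job_id": job.get("id"), "labels": sorted(labels)}


def make_delivery(action: str, labels: Iterable[str], job_id: int = 123456,
                  secret: bytes = WEBHOOK_SECRET, event: str = "workflow_job") -> Tuple[Dict[str, str], bytes]:
    """Build a constructed delivery (headers + body) the way GitHub would sign it."""
    body = json.dumps({
        "action": action,
        "workflow_job": {"id": job_id, "labels": list(labels)},
        "repository": {"full_name": "example-org/example-repo"},   # constructed
    }).encode()
    headers = {"X-GitHub-Event": event, "X-Hub-Signature-256": sign(secret, body)}
    return headers, body


if __name__ == "__main__":
    hdrs, raw = make_delivery("queued", ["self-hosted", "linux", "x64"])
    print(handle_webhook(hdrs, raw))                                          # queued for scale-up
    print(handle_webhook(hdrs, raw.replace(b"example-repo", b"evil-repo")))  # body changed: MAC fails, 401
```

Two details matter in practice: the MAC is computed over the raw bytes, so the body must be verified before JSON parsing (re-serialising it changes whitespace and breaks the signature), and unknown events are acknowledged with 200 rather than 4xx so GitHub does not keep redelivering them.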

Scale Down

  • No scale-down event from GitHub
  • Self-terminating ephemeral runners
  • EventBridge schedule to trigger regular scale-down checks
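Because GitHub sends no "runner no longer needed" event, the scheduled check has to reconstruct the state itself from two sources: the EC2 instances it launched and the runners registered in GitHub. The added example below (illustrative Python, not the module's own TypeScript scale-down Lambda) shows the decision that check makes: keep busy runners, keep a warm pool of the newest idle ones, terminate the surplus, cull instances that never registered (a runner whose registration token expired or whose agent crashed still costs money), and deregister runners in GitHub that no longer have an instance. Instance and runner records, the grace periods and the naming convention (runner name equals instance id) are assumptions.

```python
"""Added example (not the talk's or the terraform-aws-github-runner code):
the scheduled scale-down decision, given constructed EC2 and GitHub runner state."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

BOOT_GRACE = timedelta(minutes=5)    # assumption: time a fresh instance gets to register before it is an orphan
MIN_RUNTIME = timedelta(minutes=10)  # assumption: keep idle runners at least this long (spot is billed per second, but churn costs jobs)


@dataclass
class Instance:
    instance_id: str        # EC2 instance id
    launched_at: datetime


@dataclass
class Runner:
    name: str               # runner name as registered in GitHub; assumption: equals the instance id
    busy: bool              # GitHub API reports whether a runner is executing a job


def select_for_termination(instances: List[Instance], runners: List[Runner],
                           now: datetime, minimum_idle: int = 0) -> Dict[str, List[str]]:
    """Return which instances to terminate and which stale GitHub runners to deregister."""
    by_name = {r.name: r for r in runners}
    idle: List[tuple] = []
    orphaned: List[str] = []
    for inst in instances:
        age = now - inst.launched_at
        runner = by_name.get(inst.instance_id)
        if runner is None:
            # Cattle: an instance that did not register within the grace period is not worth debugging.
            if age > BOOT_GRACE:
                orphaned.append(inst.instance_id)
            continue
        if runner.busy or age < MIN_RUNTIME:
            continue                           # never kill a running job; respect the minimum runtime
        idle.append((inst.launched_at, inst.instance_id))
    idle.sort()                                # oldest first: terminate old capacity, keep the freshest pool
    surplus = max(len(idle) - minimum_idle, 0)
    known = {i.instance_id for i in instances}
    stale = [r.name for r in runners if r.name not in known]   # registered in GitHub, but the EC2 is gone
    return {"terminate": [iid for _, iid in idle[:surplus]], "orphaned": orphaned, "deregister": stale}


# Constructed sample state for one scheduled run.
NOW = datetime(2023, 4, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_INSTANCES = [
    Instance("i-idle-old", NOW - timedelta(minutes=20)),
    Instance("i-busy", NOW - timedelta(minutes=15)),
    Instance("i-booting", NOW - timedelta(minutes=2)),    # still inside BOOT_GRACE
    Instance("i-orphan", NOW - timedelta(minutes=30)),    # never showed up in GitHub
    Instance("i-idle-new", NOW - timedelta(minutes=12)),
]
SAMPLE_RUNNERS = [
    Runner("i-idle-old", busy=False),
    Runner("i-busy", busy=True),
    Runner("i-idle-new", busy=False),
    Runner("i-gone", busy=False),                          # instance already terminated itself
]

if __name__ == "__main__":
    print(select_for_termination(SAMPLE_INSTANCES, SAMPLE_RUNNERS, NOW, minimum_idle=1))
```

The orphan bucket is the one that matters for "no fire fighting": with ephemeral runners the happy path terminates itself after one job, so everything the scheduled check actually removes is a failure case, and it should be able to do so without anyone logging in to the instance.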

📢 DEMO

  • Create cloud resources
  • Configure webhook
  • Run jobs on Linux / Windows

Open Source

✨ ARM | Windows | GHES | Security

❤️ 500+ Pull requests

🏆 Recommended by GitHub

Running at Scale

in Philips

🧑‍💻 4K+ developers

🗃️ 8K+ repositories

🚀 20K+ jobs / day

Deployment

  • Deploy runners with the runners
  • Terragrunt to keep our Terraform dry
  • Connect to Philips with AWS Direct Connect
  • Work together with security to change firewall rules

Deployment - Terragrunt












Deployment - OIDC

Can we avoid using keys?

  • Define OIDC provider for GitHub in AWS
  • Create role with trust based on claim
  • Define policies for role

Deployment

Trust

{
    "Sid": "",
    "Effect": "Allow",
    "Principal": {
        "Federated": "arn:aws:iam::<id>:oidc-provider/token.actions.githubusercontent.com"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
        "StringLike": {
            "token.actions.githubusercontent.com:sub": "<claim>"
        }
    }
}

Action

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets the job request an OIDC token; must sit on the job (or top level), not directly under jobs
      contents: read    # setting permissions drops the defaults, so restore read access explicitly
    steps:
      - uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: ${{ inputs.aws_role_to_assume }}
          aws-region: ${{ inputs.aws_region }}
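What the trust policy above actually enforces is easy to get wrong, because the `StringLike` wildcard decides which workflows in which repositories may assume the role. The added example below, written here for illustration and not taken from the talk or from philips-labs/terraform-aws-github-oidc, re-implements the IAM `StringLike` match and evaluates constructed GitHub OIDC claims against it, so the effect of patterns like `repo:org/repo:ref:refs/heads/main` versus `repo:org/repo:*` versus `repo:org/*` can be seen directly. It also checks the `aud` claim: the policy on the slide conditions only on `sub`, and AWS and GitHub both recommend adding a `StringEquals` condition on `token.actions.githubusercontent.com:aud` = `sts.amazonaws.com` (the audience `configure-aws-credentials` requests), so the same helper emits that condition block. The issuer check in the code stands in for the `Federated` principal ARN, which is what pins the provider in IAM; the repositories and branch names are constructed.

```python
"""Added example (not the talk's or philips-labs/terraform-aws-github-oidc code):
evaluate a GitHub Actions OIDC token against the role's trust conditions.
Repository names, branches and tokens below are constructed."""
import re
from typing import Dict, Optional

OIDC_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_AUDIENCE = "sts.amazonaws.com"   # audience aws-actions/configure-aws-credentials asks GitHub for


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive, '*' matches any run, '?' exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def trust_policy_condition(sub_pattern: str) -> Dict[str, Dict[str, str]]:
    """The Condition block a hardened version of the slide's trust policy should carry."""
    return {
        "StringEquals": {"token.actions.githubusercontent.com:aud": EXPECTED_AUDIENCE},
        "StringLike": {"token.actions.githubusercontent.com:sub": sub_pattern},
    }


def may_assume_role(claims: Dict[str, str], sub_pattern: str) -> bool:
    """Would sts:AssumeRoleWithWebIdentity succeed for this token under this sub pattern?"""
    # The Federated principal pins the provider; here modelled as an issuer check.
    if claims.get("iss") != OIDC_ISSUER:
        return False
    # Without the aud condition, a token minted for another audience would be accepted.
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False
    return iam_string_like(sub_pattern, claims.get("sub", ""))


def token_for(repo: str, ref: Optional[str] = None, environment: Optional[str] = None,
              pull_request: bool = False) -> Dict[str, str]:
    """Constructed claims in the shape GitHub puts in an Actions OIDC token."""
    if environment:
        sub = "repo:%s:environment:%s" % (repo, environment)
    elif pull_request:
        sub = "repo:%s:pull_request" % repo          # any PR, including ones opened from forks
    else:
        sub = "repo:%s:ref:%s" % (repo, ref)
    return {"iss": OIDC_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": sub, "repository": repo}


if __name__ == "__main__":
    main = token_for("example-org/infra", ref="refs/heads/main")
    pr = token_for("example-org/infra", pull_request=True)
    for pattern in ("repo:example-org/infra:ref:refs/heads/main", "repo:example-org/infra:*", "repo:example-org/*"):
        print(pattern, "main:", may_assume_role(main, pattern), "pull_request:", may_assume_role(pr, pattern))
    print(trust_policy_condition("repo:example-org/infra:ref:refs/heads/main"))
```

The practical rule this makes visible: a deployment role should be tied to the protected branch or a GitHub environment (`repo:org/repo:ref:refs/heads/main`, `repo:org/repo:environment:production`), because `repo:org/repo:*` also matches the `pull_request` subject and `repo:org/*` matches every repository in the organisation.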

Lessons learned

Speed

  • Cache the GitHub runner binary
  • Pre-built AMI
  • Utilize instance store

CI DOS Attack










We don't own it - it just works - we don't care

Limits

🔥 Mission critical 🔥

🔥 🔥 🔥 🔥 🔥 🔥

🚀 We are back 🚀

Developer Portal

Build an ecosystem, not a wilderness

  • Software Catalog
  • Bootstrap / Scaffolding
  • TechDocs
  • Plugins

Software Catalog

Scaffolding

TechDocs

🥲 not 100% serverless

  • ALB to enforce SSO login
  • Fargate to serve Backstage
  • OpenSearch to speed up searches
  • S3 to serve TechDocs

Compliance

  • Help teams do it right - scaffolding
  • Avoid shadow IT - e.g. runners
  • Continuous compliance - rule based
  • Guide - welcome issue for new members

Welcome new members













# Resources

resource "website" "github_runners" {
  url = "github.com/philips-labs/terraform-aws-github-runner"
}

resource "website" "github_oidc" {
  url = "github.com/philips-labs/terraform-aws-github-oidc"
}

resource "website" "slides" {
  url = "https://npalm.github.io/2023-04-20-geecon-devx/"
}

resource "contact" "niek" {
  github   = "@npalm"
  linkedin = "in/niekpalm/"
  twitter  = "@niekos77"
}



Questions

https://sli.do use code: #geecon

Thank You




What are we doing here? Philips is a worldwide recognisable brand; almost everyone in the world has heard of Philips. But you don't think of software. How do you picture Philips?

We build a lot of software in Philips. We have a lot of different business units that historically have had little alignment.

InnerSource is key to our software strategy. In Philips we combine world-class tools to enable teams to focus on meaningful innovation to improve people's lives. InnerSource is a development methodology where engineers build proprietary software using best practices from large-scale open source projects.

NOTES

- Scale?
- Sustainable?
- Maintenance?

Connectivity is abstracted away from the end solution. You bring the solution to your network and take advantage of it.

* GitHub App for events
* AWS API Gateway to get events
* AWS Lambda for event handling
* AWS SQS for decoupling
* AWS Lambda to scale up
* GitHub App for API access
* AWS EC2 (Spot) to run jobs
* AWS Direct Connect for networking
* AWS Lambda for scaling down

Topics we could cover:
- PR checks automated
- Automated release
- Slack
- Build a community

# Contribution
- Support Windows
- Support ARM
- Support GHES
- Better docs
- Security improvements
- Upgrades