O6 · Design GitHub Actions from Scratch
Verified source
Prompt: "System Design: Design GitHub Actions from scratch." — Jointaro, 2025-07-31 community report. Credibility C.
Use O5 as the skeleton and add two productization concerns that signal you understand the real shape of GitHub Actions.
Extra block 1 — Config parsing & versioning
- Parse .github/workflows/*.yml; schema-validate on commit.
- Pin to commit SHA for reproducibility; support version rollback.
- Reject invalid config before producing a run, so UI shows an actionable error.
Extra block 2 — Event integration & permissions
- Ingest repo webhooks (push, PR); idempotent (dedup by delivery_id).
- Per-run permission token: minimum-scope, time-bounded, audience = runner.
- Secret masking is compulsory — scan runner stdout and log store for any regex match of stored secrets.
Architecture sketch
flowchart LR
  E[Repo Events] --> WH[Webhook Ingest]
  WH --> P[Policy/Permissions]
  P --> API[CI Control Plane]
  API --> Q[Queue] --> R[Runner]
  R --> L[Logs + Secret Masker]
Follow-up they always ask
How do you ensure a secret never leaks into logs? Answer: secret masking layer, minimum-privilege tokens, short-lived creds, audit trail of access.
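The secret masking bullet in Extra block 2 and the follow-up answer both rely on a masking layer between runner stdout and the log store. The sketch below is an added example, not code from GitHub Actions or from the original page; `SecretMasker`, `mask_stream`, the `***` placeholder and the sample secret are assumptions. It shows the case a naive per-chunk regex misses: a secret split across two stdout chunks.

```python
import re

MASK = "***"  # assumed placeholder written in place of a secret

class SecretMasker:
    """Masks registered secret values in a stream of runner stdout chunks."""

    def __init__(self, secrets):
        # Drop empty values; longest first so a secret that has another
        # secret as its prefix is masked whole rather than partially.
        values = sorted({s for s in secrets if s}, key=len, reverse=True)
        if not values:
            raise ValueError("no secrets registered")
        self._pattern = re.compile("|".join(re.escape(v) for v in values))
        self._hold = len(values[0]) - 1  # longest possible partial match
        self._carry = ""                 # raw tail not yet safe to emit

    def feed(self, chunk):
        """Return the text that is now safe to write to the log store."""
        buf = self._carry + chunk
        cut = max(0, len(buf) - self._hold)
        for m in self._pattern.finditer(buf):
            if m.start() < cut < m.end():  # never cut through a match
                cut = m.start()
        self._carry = buf[cut:]
        return self._pattern.sub(MASK, buf[:cut])

    def flush(self):
        """Mask and emit the held tail when the run ends."""
        tail, self._carry = self._carry, ""
        return self._pattern.sub(MASK, tail)

def mask_stream(secrets, chunks):
    """Run all chunks through one masker and return the stored log text."""
    masker = SecretMasker(secrets)
    return "".join([masker.feed(c) for c in chunks] + [masker.flush()])

if __name__ == "__main__":
    # Constructed sample: the secret value is split across two chunks.
    chunks = ["export TOKEN=hunt", "er2-token done\n"]
    print(mask_stream(["hunter2-token"], chunks), end="")
```

Exact-value matching does not catch a secret that a job prints in an encoded form such as base64, which is one reason the answer above pairs masking with minimum-privilege, short-lived credentials.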