Episode summaries

Ship It Weekly Show Notes

Show notes are the RSS-synced episode summary: what we covered, links to sources, and the structure of each week's news roundup or conversation. This archive lets you skim every episode's notes in one place without opening the player.

Show notes differ from host commentary (editorial takes) and transcripts (spoken dialogue). Use this page when you want the episode outline and outbound links; open the episode for audio, chapters, and the full experience.

What this page is for

What show notes include

Story summaries, source links, lightning-round items, and conversation topics — synced from the podcast feed when each episode publishes.

Skim or dive in

Read notes inline here to compare weeks or find a link you remember. Open the episode page for audio, transcripts, host commentary, and chapters.

Pair with host commentary

Notes summarize what happened; commentary is the host's read on why it mattered. Host commentaries →

Browse episode show notes

This episode of Ship It Weekly is about the developer toolchain becoming part of production. Brian covers GitHub’s critical git push RCE, AI-assisted reverse engineering, prompt injection against AI agents in GitHub workflows, Elementary’s malicious CLI release, GitHub’s merge queue regression, Cal.com going closed source, and Copilot moving toward usage-based billing. Plus: MinIO’s repo archive, Ghostty leaving GitHub, Docker Hardened Images, and Azure DevOps security updates.

Links

GitHub git push RCE https://github.blog/security/securing-the-git-push-pipeline-responding-to-a-critical-remote-code-execution-vulnerability/

AI-assisted reverse engineering https://www.darkreading.com/application-security/reverse-engineering-ai-unearths-high-severity-github-bug

AI agents + GitHub Actions prompt injection https://www.theregister.com/2026/04/15/claude_gemini_copilot_agents_hijacked/

Elementary malicious CLI release https://www.elementary-data.com/post/security-incident-report-malicious-release-of-elementary-oss-python-cli-v0-23-3

GitHub merge queue regression https://github.blog/news-insights/company-news/an-update-on-github-availability/

Cal.com going closed source https://cal.com/blog/cal-com-goes-closed-source-why

GitHub Copilot billing https://github.blog/news-insights/company-news/github-copilot-is-moving-to-usage-based-billing/

MinIO archived repo https://github.com/minio/minio

Ghostty leaving GitHub https://mitchellh.com/writing/ghostty-leaving-github

Docker Hardened Images https://www.docker.com/blog/why-we-chose-the-harder-path-docker-hardened-images-one-year-later/

Azure DevOps security updates https://devblogs.microsoft.com/devops/one-click-security-scanning-and-org-wide-alert-triage-come-to-advanced-security/

On Call Brief https://oncallbrief.com/

More episodes https://shipitweekly.fm/

Scroll inside the box to read the full show notes.

This episode of Ship It Weekly is about platforms getting sharper about defaults, ownership, and the old paths they are no longer willing to quietly carry forever. Brian covers Kubernetes 1.36 and why it feels more like a cleanup-and-maturity release than a flashy feature dump, Gateway API v1.5 moving more networking behavior into the stable path, AWS Copilot CLI reaching end of support and what that means for teams still sitting on the older “easy” ECS workflow, Airbnb’s alert-development overhaul and why noisy or weak alerts are often a workflow problem long before they become an on-call problem, and Cloudflare’s push to treat scripts, agents, and third-party tools like real identities with real blast radius. He also hits the latest Azure DevOps Server patches and Google’s OTLP metrics support for Cloud Monitoring.

Links

Kubernetes v1.36 release https://kubernetes.io/blog/2026/04/22/kubernetes-v1-36-release/

Gateway API v1.5 https://kubernetes.io/blog/2026/04/21/gateway-api-v1-5/

AWS Copilot CLI end of support https://aws.amazon.com/blogs/containers/announcing-the-end-of-support-for-the-aws-copilot-cli/

Airbnb on alert development https://medium.com/airbnb-engineering/it-wasnt-a-culture-problem-upleveling-alert-development-at-airbnb-01e2290eb0f5

Cloudflare on non-human identities, OAuth visibility, and scoped permissions https://blog.cloudflare.com/improved-developer-security/

Azure DevOps Server April patches https://devblogs.microsoft.com/devops/april-patches-for-azure-devops-server/

OTLP metrics for Google Cloud Monitoring https://cloud.google.com/blog/products/management-tools/otlp-opentelemetry-protocol-for-google-cloud-monitoring-metrics

Past episode where we talked about Cloudflare Mesh AWS Interconnect GA, Cloudflare Mesh, GitLab 19, EKS Auto Mode, and OpenTelemetry Config — Ship It Weekly episode cover artEpisode 34Apr 17, 2026⏱️ 15:00AWS Interconnect GA, Cloudflare Mesh, GitLab 19, EKS Auto Mode, and OpenTelemetry ConfigEpisode: AWS Interconnect GA, Cloudflare Mesh, GitLab 19, EKS Auto Mode, and OpenTelemetry Config

This week’s On Call Brief https://www.tellerstech.com/on-call-brief/2026-W16/

On Call Brief: https://oncallbrief.com/

More episodes and show notes https://shipitweekly.fm/

Scroll inside the box to read the full show notes.

This is a guest conversation episode of Ship It Weekly, separate from the weekly news recaps.

In this Ship It: Conversations episode, I talk with Stephane Moser about Pipedrive’s move from Jenkins to GitHub Actions, building self-hosted runners on Kubernetes, shifting deployments toward GitOps with Argo CD, and what it actually takes to roll out a big CI/CD change across a large engineering org.

We talk about why Jenkins had become painful, from Groovy friction to noisy-neighbor problems on shared VMs, why GitHub Actions fit better, how reusable workflows and custom actions helped, why Argo CD beat out Flux for their use case, and how they had to build better observability and internal deployment visibility around GitHub as they scaled.

The bigger theme here is that this was not just a tooling swap. It was a product and platform migration. Isolation, repeatability, self-service, rollout strategy, and observability mattered just as much as the actual CI/CD tools.

Highlights

• Why Jenkins stopped working well for them: Groovy friction, shared VM contention, and poor predictability

• Replacing CodeShip pull request validation first as the low-blast-radius starting point

• Using Actions Runner Controller on Kubernetes with EKS and Karpenter for self-hosted runners

• Why reusable workflows and custom actions helped cut repetition across hundreds of services

• Choosing Argo CD over Flux, Argo Workflows, Tekton, and even a short Spinnaker attempt

• Moving from push-based deploys toward GitOps for better isolation and safer credentials handling

• Building internal observability because GitHub’s workflow visibility was not enough at their scale

• Dogfooding first, then rolling migration out in batches until teams could self-serve the move

• What broke when the new system actually worked too well: bot-driven deploy volume, queueing, and fairness

• The mobile side of the story: Mac minis, unstable runners, GitHub-hosted runners, and a very different migration path

• How AI sped up parts of the mobile migration and troubleshooting, without making the migration trivial

• Stephane’s advice for big CI/CD shifts: start small, reduce blast radius, and use your own platform first

Stephane’s links

• LinkedIn: https://www.linkedin.com/in/moserss/

• Talk video: https://www.youtube.com/watch?v=VrE1dh-1zEY

• Blog post Part 1: https://medium.com/pipedrive-engineering/so-long-jenkins-hello-github-actions-pipedrives-big-ci-cd-switch-03be29c75f63

• Blog post Part 2: https://medium.com/pipedrive-engineering/all-aboard-the-github-actions-express-pipedrives-big-ci-cd-switch-part-2-fcacf834afd2

• GitHub: https://github.com/moser-ss

Our links

More episodes + show notes + links: https://shipitweekly.fm

On Call Brief: https://oncallbrief.com

Scroll inside the box to read the full show notes.

This episode of Ship It Weekly is about networking, ingress, and private access moving further up into the platform layer. Brian covers AWS Interconnect going generally available, Cloudflare Mesh, GitLab 19.0 breaking changes around Gateway API and bundled services, EKS Auto Mode networking, and OpenTelemetry declarative config reaching stability. He also hits containerd security patches, GitHub’s new Code Security risk assessment, and AWS guidance on securing AI agents with MCP. (Amazon Web Services, Inc.)

Links

AWS Interconnect GA and last mile connectivity https://aws.amazon.com/blogs/aws/aws-interconnect-is-now-generally-available-with-a-new-option-to-simplify-last-mile-connectivity/

Cloudflare Mesh https://blog.cloudflare.com/mesh/

GitLab 19.0 breaking changes https://about.gitlab.com/blog/a-guide-to-the-breaking-changes-in-gitlab-19-0/

EKS Auto Mode networking https://aws.amazon.com/blogs/containers/navigating-enterprise-networking-challenges-with-amazon-eks-auto-mode/

OpenTelemetry declarative config reaches stability https://opentelemetry.io/blog/2026/stable-declarative-config/

containerd security releases https://github.com/containerd/containerd/releases

GitHub Code Security risk assessment for organizations https://github.blog/changelog/2026-04-08-code-security-risk-assessment-available-for-organizations/

AWS secure AI agent access patterns using MCP https://aws.amazon.com/blogs/security/secure-ai-agent-access-patterns-to-aws-resources-using-model-context-protocol/

This week’s On Call Brief https://www.tellerstech.com/on-call-brief/2026-W16/

More episodes and show notes https://shipitweekly.fm/

Scroll inside the box to read the full show notes.

In this Ship It Weekly special, Brian breaks down Claude Mythos Preview and Project Glasswing, and why this story matters beyond normal AI launch hype.

Anthropic is treating Mythos like a real security inflection point, not just a better coding model. Project Glasswing is their coordinated effort to get early access into the hands of defenders, critical software maintainers, and major infrastructure organizations before similar capability becomes more broadly available. If OpenClaw was about agents becoming a new control plane, this episode is about what happens when finding ways into messy environments and control planes starts getting faster too.

We walk through the practical angle for DevOps, cloud, platform, and infra teams: exploit timelines may be compressing, platform debt becomes attacker leverage, and the boring work most orgs treat like cleanup suddenly looks a lot more like frontline security work. We also zoom out to the business side, including why banks, regulators, and government officials are already paying attention.

Chapters

  • Why This Episode Exists
  • OpenClaw Callback
  • What Actually Happened
  • Don’t Get Gullible, Don’t Get Lazy
  • What Changes If This Is Even Half True
  • Why Business People Should Care
  • What This Means for DevOps, Cloud, and Platform
  • Boring Work Just Got Promoted
  • The Uncomfortable Takeaway
  • What I’d Do Right Now

Links from this episode

Claude Mythos Preview

https://red.anthropic.com/2026/mythos-preview/

Project Glasswing

https://www.anthropic.com/project/glasswing

AI cyber threats: open letter to business leaders

https://www.gov.uk/government/publications/ai-cyber-threats-open-letter-to-business-leaders/ai-cyber-threats-open-letter-to-business-leaders-html

AI-boosted hacks with Anthropic’s Mythos could have dire consequences for banks

https://www.reuters.com/legal/litigation/ai-boosted-hacks-with-anthropics-mythos-could-have-dire-consequences-banks-2026-04-13/

ECB to quiz bankers about risks of Anthropic's new AI model, source says

https://www.reuters.com/world/ecb-warn-bankers-about-new-anthropic-model-risks-source-says-2026-04-15/

Related episode: OpenClaw special

Special: OpenClaw Security Timeline and Fallout: CVE-2026-25253 One-Click Token Leak, Malicious ClawHub Skills, Exposed Agent Control Panels, and Why Local AI Agents Are a New DevOps/SRE Control Plane (OpenAI Hires Founder) — Ship It Weekly episode cover artEpisode 20Feb 17, 2026⏱️ 18:49Special: OpenClaw Security Timeline and Fallout: CVE-2026-25253 One-Click Token Leak, Malicious ClawHub Skills, Exposed Agent Control Panels, and Why Local AI Agents Are a New DevOps/SRE Control Plane (OpenAI Hires Founder)Episode: Special: OpenClaw Security Timeline and Fallout: CVE-2026-25253 One-Click Token Leak, Malicious ClawHub Skills, Exposed Agent Control Panels, and Why Local AI Agents Are a New DevOps/SRE Control Plane (OpenAI Hires Founder)

Scroll inside the box to read the full show notes.

This page is for you if…

  • You want episode outlines without listening first
  • You are looking for a link or source mentioned on the show
  • You compare weekly news roundups side by side
  • You share episode summaries with teammates who prefer reading
Scroll to Top