Digest #181: GitHub Actions Bypass, K8s Databases, Azure Token Flaw, Postgres Partitioning and Running Linux in Docker
GitHub Actions fork exploit, Kubernetes operators solving database management, Grab’s auth system for 180M users, Azure Entra ID token flaw, and Tinder’s API gateway at 1B swipes.
Welcome to this week’s edition of the DevOps Bulletin!
GitHub Actions just got called out for a fork-based bypass, letting imposter commits sneak past reviews. Kubernetes, long mocked for struggling with stateful workloads, now has operators that make managing Postgres clusters as easy as deployments. Grab explained how it built an auth system for 180M users, while a nasty bug in Azure Entra ID’s actor tokens let attackers jump tenants and grab Global Admin. Oh, and Tinder shared how its API gateway handles a billion swipes a day.
On the hands-on side: Postgres partitioning best practices, Docker networking made simple, bots writing bad Terraform, attacker persistence in Kubernetes, and a new EnvFiles trick in Kubernetes 1.34. Plus: Vault with OpenBao, caching in Postgres vs Redis, doing infra code reviews like a pro, and even running a full Linux desktop in Docker.
And don’t miss the projects: Kingfisher (secret scanning), GitButler (branch management reimagined), LingoDB (linguistics as 3D data), HexStrike AI (150+ cyber tools for AI agents), Arcane (Docker UI), Alchemist (macOS command helper), and WinApps (Windows apps on Linux).
All this and more in this week’s DevOps Bulletin, don’t miss out!
Newsworthy stories
Kubernetes finally solves its biggest problem: managing databases
How Grab built an authentication system for 180+ million users
Obtaining Azure Global Admin in every Entra ID tenant via Actor tokens
Tutorials of the week
Videos of the week
📘 New Book: Practical FinOps
Written from years of running FinOps at scale, it covers what worked and what didn't.
Projects of the week
Kingfisher is a blazingly fast tool for secret detection and live validation across files, Git repos, S3, Docker images, Jira, Slack, and Confluence.
Lingo is a high-performance linguistic database that represents language as a 3D spatial structure.
GitButler is a Git branch management tool, built from the ground up for modern workflows.
HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting.
Arcane is a modern, easy-to-use way to manage your Docker containers, images, volumes, and networks, all in one place.
Alchemist is a smart command-not-found handler for macOS that automatically suggests Homebrew packages when you type an unrecognized command.
WinApps runs Windows apps such as Microsoft Office/Adobe in Linux (Ubuntu/Fedora) and GNOME/KDE.