Digest #193: Zombie GitHub Actions, Supply-Chain Attacks, Kubernetes Optimization & Docker Hardening
Infrastructure as Code at scale, GitHub Actions failures, container security, Kubernetes optimization, AWS IAM security, Terraform best practices, FinOps data pipelines, and modern DevOps tooling.
Welcome to this week’s edition of the DevOps Bulletin!
Cloudflare shared how they run Cloudflare at enterprise scale with IaC, SonarSource dropped a GitHub Actions “zombie workflows” horror story, and Docker released free hardened images. We also dig into how SQLite is tested (it’s insanely thorough), plus a real-world case study on cutting observability spend by ~60%.
On the hands-on side: a full write-up on pwning X, Vercel, Cursor, and Discord via supply-chain, Kubernetes optimization with in-place pod resizing + zone-aware routing, abusing AWS IAM eventual consistency for persistence, AWS Lambda managed instances security notes, securing IAM with Terraform, AWS expert-built workshops, Terraform best practices, and the Azure $50K licensing mistake to avoid. We also cover Depot.dev’s breakdown of misleading “waiting for a runner” errors in GitHub Actions.
This week’s video shows how to move a running Kubernetes pod to a new node without downtime, keeping storage, memory, IP, and TCP connections intact.
Tools of the week include an open-source FinOps data stack, isolated dev environments, multi-cluster Kubernetes control, workflow orchestration for Rails, jq-style data querying for SQL, a fast terminal database client, and a local-first memory engine for AI agents.
All this and more in this week’s DevOps Bulletin. Don’t miss out!
Newsworthy stories
Troubleshooting GitHub Actions with self-hosted runners
Your GitHub Actions job says “waiting for a runner” but the runner is online and idle. Depot breaks down why error messages mislead you and how workflow permissions, authentication, and security contexts cause failures that look like infrastructure problems. See what’s really breaking your builds.
Tutorials of the week
How we pwned X, Vercel, Cursor, and Discord through a supply-chain attack
Kubernetes optimization using in-place Pod resizing and zone-aware routing
Enjoying the Bulletin? Consider supporting it with a paid subscription. You’ll keep the free Friday issues and get extras like bonus deep-dives, templates, and the full archive.
Videos of the week
📘 FinOps Tip of the Week
An open source FinOps data stack that turns AWS Cost and Usage Reports into clean, analytics-ready datasets.
If you want more hands-on tips like this, check out my latest book, “Practical FinOps”.
Projects of the week
Devbox is a command-line tool that lets you easily create isolated development shells.
A Kubernetes native system to run and manage applications across multiple clusters and clouds from a single control plane.
Stepped is a Rails engine for orchestrating complex workflows as a tree of actions.
SQ is a CLI that provides jq-style access to structured data sources, such as SQL databases and document formats like CSV or Excel.
A terminal-based SQL client that lets you quickly connect to many databases and run queries through a fast, keyboard-driven TUI.
A local-first, self-hosted long-term memory engine for AI systems that gives agents persistent memory beyond simple vector storage.
Meme of the week
If you have feedback to share or are interested in sponsoring this newsletter, feel free to reach out via LinkedIn or simply reply to this email.