Note di Matteo

Ieri: il control plane GitHub Actions costa $0.002/min anche con runner self-hosting.

Oggi (Jared Palmer):

We’re postponing the announced billing change for self-hosted GitHub Actions. The 39% price reduction for hosted runners will continue as planned (on January 1)

We missed the opportunity to gather feedback from the community ahead of this move. That's a huge L. We'll learn and do better in the future.

Actions is critical infrastructure for millions of developers and we're committed to making it a world‑class compute product. Although we gave away 11.5 billion build minutes (~$184 million) to support OSS last year, Actions itself is not free. There are real, web-scale costs associated with the service and behind the control plane (for logs, artifacts, caching, redis, egress, engineering, support, etc) for both hosted and self-hosted runners. We eventually need to find a way to price it properly while also partnering and fostering the rest of the ecosystem. However, we clearly missed some steps here, and so we’re correcting course.

You all trust Actions with your most important workflows, and that trust comes with a responsibility we didn't live up to. The way forward is to listen more, ship with the community, and raise the bar together.

Interesting:

Today we are going public with the developer preview of exe.dev, a new VM hosting service. We will keep the service open for new users as long as our capacity lasts. Try it out with:

ssh exe.dev

Mega refactoring di GitHub Actions:

In early 2024, the GitHub Actions team faced a problem. The platform was running about 23 million jobs per day, but month-over-month growth made one thing clear: our existing architecture couldn’t reliably support our growth curve. In order to increase feature velocity, we first needed to improve reliability and modernize the legacy frameworks that supported GitHub Actions.

The solution? Re-architect the core backend services powering GitHub Actions jobs and runners.

Since August, all GitHub Actions jobs have run on our new architecture, which handles 71 million jobs per day (over 3x from where we started). Individual enterprises are able to start 7x more jobs per minute than our previous architecture could support.

Nuovi prezzi più bassi:

Ma compare una fee di $0.002/min per i self-hosted runner.

I provider alternativi di hosted runner provano a spinnarla positivamente. Blacksmith.sh:

In the past, our customers have asked us how GitHub views third-party runners long-term. The platform fee largely answers that: GitHub now monetizes Actions usage regardless of where jobs run, aligning third-party runners like Blacksmith as ecosystem partners rather than workarounds.

Depot invece l'ha presa male.

PAGAMENTO ONLINE Il pagamento potrà essere effettuato entro la mezzanotte del giorno prima della visita.

Cioè? Fino al giorno prima o fino a due giorni prima? Perché scrivere in modo evidentemente ambiguo?

Postmortem di Railway, la creazione di un indice PostgreSQL ha tirato giù tutto:

A routine change to this Postgres database introduced a new column with an index to a table containing approximately 1 billion records. This table is critical in our backend API’s infrastructure, used by nearly all API operations.

The index creation did not use Postgres’ CONCURRENTLY option, causing an exclusive lock on the entire table. During the lock period, all queries against the database were queued behind the index operation. [...] Manual intervention attempts to terminate the index creation failed.

Le misure:

We’re going to introduce several changes to prevent errors of this class from happening again:

• In CI, we will enforce CONCURRENTLY usage for all index creation operations, blocking non-compliant pull requests before merge.
• PgBouncer connection pool limits will be adjusted to prevent overwhelming the underlying Postgres instance's capacity.
• Database user connection limits will be configured to guarantee administrative access during incidents, ensuring maintenance operations remain possible under all conditions.

A conspicuous part of Let’s Encrypt’s history is how thoroughly our vision of scalability through automation has succeeded.

In March 2016, we issued our one millionth certificate. Just two years later, in September 2018, we were issuing a million certificates every day. In 2020 we reached a billion total certificates issued and as of late 2025 we’re frequently issuing ten million certificates per day. We’re now on track to reach a billion active sites, probably sometime in the coming year.

(LE)

AWS Bedrock (managed AI inference) perde clienti grossi per carenza di capacità hw e latenza peggiore:

Customers using Anthropic’s Claude models through Bedrock opted to switch to Anthropic’s own platform or Google Cloud because of “ongoing capacity, latency, and feature parity issues,” according to the July AWS document. Companies such as Figma, Intercom, and Wealthsimple were among those migrating their workloads “due to one or several of these challenges.

Thomson Reuters also chose Google Cloud over Bedrock for its CoCounsel AI product after finding AWS’s service was 15% to 30% slower and lacked key government compliance certifications, the document showed.

Sull'architettura di GitHub:

The current architecture is indeed suboptimal. We are in the process of decoupling the monolith and now about to accelerate an incremental migration to a modern frontend stack. This will allow us to have higher velocity and better DX. I’ll post more soon when we officially get started.

The current problem is that we are not fully migrated yet to azure + the rails app calls out to a react rendering service in a waterfall. Then there are then quite a few data and client side react paradigms (react router, a custom router, relay, and some react query more recently).

In new arch, we’ll have decoupled modern frontend with parallel data fetching and move from styled components to tailwind

(Jared Palmer)

Devo dire utile questa "comunicazione" dell'INPS:

"Ho letto" cosa?

Oui oui baguette 😂

Vercel ha pagato 750mila dollari di bug bounty per 15 bypass WAF contro React2Shell durante il weekend.

Dati Black Friday di Shopify:

This Black Friday Cyber Monday, the scale of global commerce surged. At peak, we processed 11TB of logs per minute.

Shopify’s edge (post-CDN) averaged 312 million requests per minute across BFCM, peaking at 489 million requests per minute.

At peak, our global Kubernetes fleet ran over 3.18 million CPU cores.

Powered largely by MySQL 8, our database fleet sustained 53.8 million queries per second and 4.28 billion row operations per second at peak 🌐

Kafka + Flink powered real-time experiences for merchants and buyers.

Flink processed over 150 MB per second and streaming analytics latency improved 103x since BFCM 2024, supercharged by our migration to Flink SQL.

Our CDN [Cloudflare] served 183 million requests per minute, with 97.8% from cache for fast responses. At peak, we ran 23.2 million async jobs per minute.

(Shopify Engineering)

→ Merchants’ sales globally were $14.6 billion, up 27% from last year

→ 81 million shoppers bought from Shopify-powered brands

→ 15,800+ entrepreneurs made their first sale

→ 136+ million packages tracked in the Shop App

→ 2.2 trillion edge requests

→ Processed and served 90 PB of data from our infrastructure

→ Handled 14.8 trillion database queries and 1.75 trillion database writes

(Tobi Lutke)

Six months after its release, Claude Code has reached $1B in annual run-rate (ARR) revenue. It took ChatGPT 9 months to get to this milestone after its launch, and 2 years for Cursor. With Claude Code, Anthropic may have set the record for fastest-growing product revenue.

(The Pragmatic Engineer)

Strana e rara frecciatina di Akamai a Cloudflare:

As I write this, another cloud provider is experiencing their third outage this quarter. While frequently lauded for innovation, today’s IT teams responsible for mission-critical applications for their customers are learning yet another painful lesson about the true cost of unreliability.

In un articolo sull'affidabilità, in cui effettivamente Akamai è essenzialmente leader (o forse la scarsa trasparenza rinforza quell'idea).

Il 30% dello streaming Netflix è in AV1. Prima Android (2020):

When we first set out to bring AV1 streaming to Netflix members, Android was the ideal starting point. Android’s flexibility allowed us to quickly integrate a software AV1 decoder using the efficient dav1d library, which was already optimized for ARM chipsets in mobile devices.

Poi TV e roba Apple:

Smart TVs depend on hardware decoders for efficient high-quality playback. We worked closely with device manufacturers and SoC vendors to certify these devices, ensuring they are both conformant and performant. This collaborative effort enabled our AV1 streaming to TV devices in late 2021. Shortly thereafter, we expanded AV1 streaming to web browsers (in 2022) and continued to broaden device support. In 2023, this included Apple devices with the introduction of AV1 hardware support in the new M3 and A17 Pro chips.

Nei browser il 40% degli stream sono con dav1d.

(Netflix)

Il postmortem del nuovo disservizio di Cloudflare, durato 25 minuti: la causa è di nuovo una configurazione distribuita globalmente senza rollout progressivo:

This second change of turning off our WAF testing tool was implemented using our global configuration system. This system does not perform gradual rollouts, but rather propagates changes within seconds to the entire fleet of servers in our network and is under review following the outage we experienced on November 18.

Unfortunately, in our FL1 version of our proxy, under certain circumstances, the second change of turning off our WAF rule testing tool caused an error state that resulted in 500 HTTP error codes to be served from our network.

Almeno stanno lavorando a una soluzione definitiva che non tiri giù tutto con un click:

Before the end of next week we will publish a detailed breakdown of all the resiliency projects underway, including the ones listed above. While that work is underway, we are locking down all changes to our network in order to ensure we have better mitigation and rollback systems before we begin again.

Utile sempre ricordare gli unici tre esiti possibili per una startup VC-funded:

1. andare molto bene e quotarsi in borsa;
2. essere acquisiti da un'azienda più grande che raramente prosegue la visione originale;
3. fallire e chiudere perché non si è raggiunta una profitability tale da poter ripagare l'investimento (che magari era esagerato).

Viva le aziende bootstrapped.

Ok, Limitless è stata acquisita da Meta e chiuderà tutto tra un anno. Si spiega.

Chiude Rewind e Limitless esce silenziosamente dai mercati dove la privacy conta qualcosa con un update della privacy policy. Nessuna menzione di chi ha comprato l'hardware e non può più usarlo.

Metodo strano di chiudere un servizio (Rewind) dopo aver promesso non avrebbe chiuso. Era stato promesso anche il cloud e2ee ("we built Confidential Cloud in such a way that only you can decrypt your data. Your employer, we as software providers, and the government cannot decrypt your data without your permission, even with a subpoena to do so."), poi la frase è semplicemente sparita dal sito. C'era la HIPAA compliance, ora non c'è più.

ChatGPT (5.1) è diventato/tornato più colloquiale ("per evitare mille ... ovunque"):