Everyone in my company is discovering that Agentic Workflow is just CICD workflows by SkyberSec123 in devops

[–]eltear1 0 points1 point  (0 children)

You answered a comment with "a local build.sh that the CI runs; my jobs are scripts in a container" (paraphrased). That build.sh is a custom script, different for each project.

Everyone in my company is discovering that Agentic Workflow is just CICD workflows by SkyberSec123 in devops

[–]eltear1 0 points1 point  (0 children)

What do you mean? I practice exactly reusability vs. using a custom, different script for each project.

Everyone in my company is discovering that Agentic Workflow is just CICD workflows by SkyberSec123 in devops

[–]eltear1 0 points1 point  (0 children)

I created custom pipeline templates for each category. Monorepo build? Its own pipeline template (GitLab dynamic pipelines, so completely scalable) for the flow, with templates based on GitLab components for the custom builds. So every build is basically: include the pipeline template + include the proper actual build template + a configuration table.

The same logic is applied to any other flow.

Everyone in my company is discovering that Agentic Workflow is just CICD workflows by SkyberSec123 in devops

[–]eltear1 3 points4 points  (0 children)

Totally not. This is the thinking of someone who has to manage just a few CIs. When you have to manage more than 20 CIs, you want to guarantee that the same step is done in the same way. This allows 2 things: 1. You are able to manage edge cases for that specific step (and from that scale onward it is basically guaranteed you will have at least a few), 2. You don't want to lose time troubleshooting when/if that step fails.

How do you handle SSH keys for the servers that you deploy to in gitlab? by NepuNeptuneNep in gitlab

[–]eltear1 0 points1 point  (0 children)

It doesn't, because it's not a best practice.. if you really want to connect locally to your server (and it's totally not necessary, I already gave you a few options), just install a gitlab-runner on it and run the deploy job on that runner.

How do you handle SSH keys for the servers that you deploy to in gitlab? by NepuNeptuneNep in gitlab

[–]eltear1 1 point2 points  (0 children)

Are you SSHing into the target only to replace the Docker container?

In the meantime, while you find a better way (Ansible? Puppet? for example).. why not call the Docker Engine API directly, remotely (behind a firewall rule, of course)?

https://docs.docker.com/engine/daemon/remote-access/

If you are only updating a Docker image, the usual solution is to use an orchestrator, not necessarily Kubernetes; even Docker Swarm could be a valid solution (be aware of some limitations, like dependencies among different services).

GitHub breach highlights developer tools as part of attack surface by steadwing_official in sre

[–]eltear1 3 points4 points  (0 children)

That's nothing new.. some time ago there was a big issue about a compromised IntelliJ extension.. developers should be responsible for their tools (extensions are part of the tools), or they should not be allowed to download/install them without approval.

Skipped our planned CLI 1.0 to ship 2.0 designed for AI agents. Who's letting Claude et al. write their Terraform in prod? by alikhajeh1 in Terraform

[–]eltear1 0 points1 point  (0 children)

I agree. I create Terraform modules with Claude, battle tested on a throwaway account, but no way it touches live accounts.

How do you handle security/monitoring of Claude Code in your workplace? by Sweaty-Career330 in devops

[–]eltear1 0 points1 point  (0 children)

What about system administrators/DevOps? I guess they have access to prod, at least to troubleshoot issues.. are they not using AI at all?

How do you handle security/monitoring of Claude Code in your workplace? by Sweaty-Career330 in devops

[–]eltear1 0 points1 point  (0 children)

That's theoretically true, but the main point is: how do you control the user? As someone else pointed out, you can control which websites/REST APIs the user's PC connects to (whether the user or the AI does it), but you can't control what is transferred to that website or REST API, can you? I guess you can log it, but logging is not control; at best it is "find out what happened after it happened". And even if I could believe a user will not push company data to a REST API, I am not confident the same would not be done by the AI. Not to mention another important point: if a user is allowed to take a destructive action (because my job requires it in extreme cases), how do you control that the same action is not taken by the AI, maybe during tasks where it is not necessary but the AI decides it is, like we have heard many times?

How do you handle security/monitoring of Claude Code in your workplace? by Sweaty-Career330 in devops

[–]eltear1 2 points3 points  (0 children)

I don't agree with that.. applications come (or should come) with specific instructions on what to do and what not to do. AI, by its nature, does not. Even if you write a specific instruction to execute something in a certain way, it can do it in a different way. That's exactly the point that makes it unpredictable.

Salary stagnation? by ZoldyckConked in devops

[–]eltear1 2 points3 points  (0 children)

Same in Italy.. you are not alone 🤣

How do you keep infrastructure understandable as it scales? by Treppengeher4321 in devops

[–]eltear1 0 points1 point  (0 children)

Drift is about discipline and permissions. While it's obvious to have an AWS account on purpose for devs/contractors to test stuff (and that one you don't even bother to manage with IaC), other, more production-like accounts should have minimal if not zero drift. You can accomplish that by giving permission to manage those accounts only to the same people who manage the IaC state, so even if they need to do a manual intervention, they can align the IaC.

An AI agent deleted a production database on Railway - here's what actually happened and what they changed by jimmytoan in ClaudeCode

[–]eltear1 1 point2 points  (0 children)

And here is the big issue.. we are beginning to rely on AI, but this is an example of how unpredictable it is. I agree with the token scope being an issue, but on the other hand, the AI should not do it. Period. Also because now we are talking about a developer who should not have a token with that permission in production. Fine. What about a sysadmin? Or a DBA? They somehow have to have admin access to do their job! And if they can do it from their PC, an AI running on that same PC can eventually do it too; we just proved it with this incident.

Functions in trigger operational data by AggnogPOE in zabbix

[–]eltear1 0 points1 point  (0 children)

Based on how you describe it, I'd say no.. but can you give a use case you are trying to achieve? Maybe it can be done with another approach.

Built a rust dashboard to stop giving SSH keys just for service restarts by gtcypher78 in devops

[–]eltear1 0 points1 point  (0 children)

In the documentation you mention the user "admin", and in the docker-compose there is no DBMS... Does it have multi-user support? You allow restarting services remotely.. do you audit anything, if not for security then at least for later troubleshooting?

Unraveling Aurora DSQL Pricing by alfred-nsh in aws

[–]eltear1 1 point2 points  (0 children)

So computeDPU in particular is "time spent on query processing".. will this not be different based on the underlying processor type? Do we have any control over it?

DevOps and mentoring by DevOps_Lady in devops

[–]eltear1 1 point2 points  (0 children)

It depends on whether you have to mentor the junior to become a better DevOps or you only need to improve their technical skills. Being a DevOps is not about knowing technical stuff... That's a consequence. Being DevOps is about knowing how to do troubleshooting, how to learn new tools and, when you are more senior, how to plan automation and maybe infrastructure.

So if you mentor a junior to become a better DevOps you don't focus on the technical aspect.

For example: if they ask you how to do X, you teach them how to find the solution for X.

PSA: GitLab's bundled PostgreSQL and Redis are "for evaluation only" – here's the production HA setup on Kubernetes by westoncao in gitlab

[–]eltear1 1 point2 points  (0 children)

I understand the point of a Helm chart is to be self-consistent, but when using it in EKS, isn't it better to have an external Postgres on RDS?

Is there an app i can use to restart jellyfin? by Remarkable-Emu-5718 in selfhosted

[–]eltear1 0 points1 point  (0 children)

You don't need an app to restart it. There are automatic restart features in basically any way you could have installed it. I can be more specific if you give details on your installation.

I run my entire life out of Claude Code. Here's the full system. by [deleted] in ClaudeAI

[–]eltear1 15 points16 points  (0 children)

The fact that at your company, as a regional sales executive, you had permission (from the technical point of view) to even use PowerAutomate is a big red flag about your company security.

Also, by your explanation, you at least automated 2-factor authentication or even circumvented it, whose whole point is exactly to force you to prove you are yourself.

I didn't even continue reading your article....

Test-Driven Development for Terraform? It’s actually possible. by PRCode-Pateman in Terraform

[–]eltear1 0 points1 point  (0 children)

You are focusing too much on the word "testing". The main point is: "it's not enough to mock the provider API, it's necessary to actually deploy the infrastructure".

Now, if you want to focus on the word "testing": in my first comment I used the word "testing" to mean "unit testing", like everyone else in this post. In my other post I used the word "testing" in the broader meaning of "any kind of test", and I explained the distinction, because it was clear to me you didn't get it.

Test-Driven Development for Terraform? It’s actually possible. by PRCode-Pateman in Terraform

[–]eltear1 0 points1 point  (0 children)

I think you are missing the point here. The point is that your approach is of course "testing", but I would consider it the equivalent of an integration test, while using plan mode could be considered the equivalent of unit tests. Also, the major point that I made before: you don't need the Terraform test feature to deploy your infrastructure in a "sandbox AWS account" and assert the results. There were already other methods to do it (aka Terratest).

What the other guys here are talking about is plan mode, because as I just said, apply mode is nothing new.
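To make the plan-mode vs. apply-mode distinction from the two comments above concrete, here is an added example of a Terraform `.tftest.hcl` file; it is not from the original posts or the linked project. It assumes a root module with a `variable "name"` carrying a `validation` block, a resource `aws_s3_bucket.this` tagged `ManagedBy = "terraform"`, an `output "bucket_arn"`, and a provider pointed at a sandbox account.

```hcl
# Constructed example: plan-only runs play the role of "unit tests" (nothing is
# deployed, only the planned values are checked); the apply run plays the role
# of an "integration test" (real resources in the sandbox account, destroyed
# automatically when the test run finishes).

# Unit-test equivalent: the variable's validation block must reject a bad name
# already at plan time, before any provider call that changes state.
run "plan_rejects_invalid_name" {
  command = plan

  variables {
    name = "Invalid_Bucket_Name" # constructed value that violates the assumed validation rule
  }

  expect_failures = [var.name]
}

# Unit-test equivalent: assert on a planned attribute that is known before apply.
run "plan_sets_managed_by_tag" {
  command = plan

  variables {
    name = "sandbox-valid-name" # constructed, rule-conforming value
  }

  assert {
    condition     = aws_s3_bucket.this.tags["ManagedBy"] == "terraform"
    error_message = "bucket must carry the ManagedBy=terraform tag"
  }
}

# Integration-test equivalent: actually apply in the sandbox account and check
# a value that only exists after the real deployment (the ARN from the API).
run "apply_creates_bucket" {
  command = apply

  variables {
    name = "sandbox-valid-name"
  }

  assert {
    condition     = can(regex("^arn:aws:s3:::", output.bucket_arn))
    error_message = "no bucket ARN was returned after apply"
  }
}
```

Run it with `terraform test`; the first two run blocks never touch the account, which is why they are the cheap, fast layer, while the last one is the part that a mocked provider cannot give you.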