Our engineering team is making the switch from Bitbucket to GitHub and facing a few critical challenges due to the changes in how GitHub manages projects compared to Bitbucket. We have about 70 repositories, so we're looking for advice on managing this transition effectively, especially since we're not organization-level admins. Here are the four areas we need help with:

1. **Managing Secrets and Credentials:** In Bitbucket, we used Jenkins to store our secrets, but now we need a secure way to handle cloud keys and database credentials with GitHub Actions. What's the best method for storing high-value secrets—should we use GitHub organization secrets or a vault like HashiCorp or AWS Key Vault? How can we securely fetch these secrets in our GitHub Actions?

2. **Best Practices for Using JFrog:** We rely on JFrog for package management and security scanning. What's the best way to integrate JFrog with GitHub Actions and securely pass tokens to our build pipelines?

3. **Managing a Large Number of Repositories:** In Bitbucket, we had a single project folder that made managing permissions across our repositories straightforward. How can we enforce consistent rules across our numerous repositories in GitHub without admin control? Is utilizing Configuration as Code (CaC) tools like Terraform the way to go for managing settings?

4. **Monitoring Build Health and Performance:** We're looking for ways to track not just build success or failure, but also the overall stability and performance over time. What tools or services do you recommend for monitoring CI/CD performance with GitHub Actions? Do people typically export this data to monitoring systems or use GitHub-specific tools?

Any insights from those who have undergone this migration process would be greatly appreciated! Thanks!
1 Answer
When migrating, I found it helpful to utilize Terraform to get a list of repositories that our team has admin access to. You can set your initial security settings through Terraform modules efficiently. A few challenges I faced during the move included developers adapting to the new code review process since the interface is pretty different. Performance was a concern transitioning from on-prem Bitbucket to GitHub Cloud, and we ended up getting swamped with Dependabot alerts that we had to turn off for a bit. Plus, the simplicity of CODEOWNERS didn't match our previous experience with Bitbucket plugins.

Yeah, the GitHub UI can be pretty rough... The code review process feels non-intuitive at times, especially with searching workflows. For risk management, we're using tools like Renovate to manage dependencies regularly. Code Owners is definitely a letdown—Bitbucket had such better customization options!
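Applying the answer's Terraform approach to question 3, as an added example that is not code from the thread or either poster: one baseline branch-protection rule stamped onto every repository the team administers, using the integrations/github provider with a token that only needs repo-level admin, not org admin. The org name, repository names and status-check names are placeholders, and the repository list is assumed to come from your own inventory of admin-permission repos.

```hcl
# Added example, not from the thread. Auth: the provider reads GITHUB_TOKEN from
# the environment; a fine-grained PAT with admin on the listed repos is enough.
terraform {
  required_providers {
    github = {
      source  = "integrations/github"
      version = "~> 6.0"
    }
  }
}

provider "github" {
  owner = var.org
}

variable "org" {
  type    = string
  default = "example-org" # placeholder
}

# Assumed input: repositories where the team has admin (e.g. the
# "permissions.admin == true" entries from the org repo listing).
variable "repositories" {
  type    = list(string)
  default = ["service-a", "service-b"] # placeholders
}

# Placeholder check names; use the job names of your build / JFrog scan workflows.
variable "required_checks" {
  type    = list(string)
  default = ["build", "jfrog-xray-scan"]
}

data "github_repository" "managed" {
  for_each = toset(var.repositories)
  name     = each.key
}

# Identical rule on each default branch: review + CODEOWNERS approval required,
# stale approvals dismissed, required checks must pass, no force-push or delete.
resource "github_branch_protection" "default_branch" {
  for_each      = data.github_repository.managed
  repository_id = each.value.node_id
  pattern       = each.value.default_branch

  enforce_admins      = true
  allows_force_pushes = false
  allows_deletions    = false

  required_pull_request_reviews {
    required_approving_review_count = 1
    dismiss_stale_reviews           = true
    require_code_owner_reviews      = true
  }

  required_status_checks {
    strict   = true
    contexts = var.required_checks
  }
}
```

Adding a repository to the list and running `terraform plan` shows the drift between its current protection and the baseline before anything changes, which is what makes the rule set auditable across all 70 repos.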