10 Ways GitHub Uses eBPF to Bolster Deployment Safety

When GitHub runs on GitHub, a single outage can snowball into a deployment nightmare. That's the reality of hosting your own source code—what we call a circular dependency. But thanks to eBPF, GitHub has found a clever way to break that cycle. In this article, we'll walk through the ten key insights behind GitHub's eBPF-powered approach to deployment safety, from identifying dependency pitfalls to implementing kernel-level guardrails.

1. The Circular Dependency Dilemma

GitHub hosts all its source code on its own platform, making it both the developer and the primary user. This creates a unique vulnerability: if github.com goes down, engineers can't access the code needed to fix it. Imagine a MySQL outage that prevents release data from loading—deploy scripts suddenly can't pull the tools they need. eBPF offers a way to monitor and block these dangerous calls before they cause a chain reaction.

2. Why Traditional Mitigation Falls Short

GitHub already maintains a code mirror and pre-built assets for rollbacks, but that's not enough. Deployment scripts can still introduce new circular dependencies, like fetching a binary from GitHub during an outage. Before eBPF, the burden was on individual teams to manually audit their scripts—a process prone to human error and often overlooked.

3. Introducing eBPF: The Kernel Superpower

eBPF (extended Berkeley Packet Filter) is a technology that lets you run sandboxed programs inside the Linux kernel without changing kernel source or loading modules. GitHub uses eBPF to create fine-grained hooks that observe every system call a deployment script makes. This allows them to detect and block attempts to contact internal services or download resources from GitHub itself during a deployment.

4. Direct Dependencies: The Obvious Trap

A direct dependency occurs when a deploy script explicitly tries to fetch a tool from GitHub. For example, during a MySQL outage, a script might attempt to pull the latest release of an open-source utility from github.com. Since GitHub is unreachable, the script fails—and so does the fix. eBPF can intercept the network call and either block it or reroute it to a local mirror.

5. Hidden Dependencies: The Silent Saboteurs

Sometimes the dependency isn't obvious. A tool already on disk might, when launched, check GitHub for an update. Even if the main script doesn't rely on GitHub, this background check can hang or crash the entire deployment. eBPF can monitor such hidden behaviors by tracking socket calls and file reads, ensuring no unexpected network access occurs.

6. Transient Dependencies: Cascading Failures

Transient dependencies are the trickiest. A deploy script might call an internal API, which in turn tries to fetch a binary from GitHub. The failure propagates back, making it look like the internal service is down. eBPF's ability to trace system calls across processes helps GitHub map these indirect paths and block them at the kernel level.

7. How eBPF Monitors Deployment Calls

GitHub's eBPF programs attach to key syscalls like connect, open, and execve. When a deployment script runs, eBPF evaluates each action against a whitelist of allowed destinations and resources. If a system call tries to reach github.com or an unauthorized internal service, eBPF can log it, alert operators, or block it outright—all with minimal performance overhead.

8. Selective Blocking Without Breaking Everything

Not all network access is bad. A deploy script might need to contact a configuration service or a package registry. eBPF allows per-process policies: you can define that only the deployment harness's children are restricted, while other system processes remain unaffected. This precision is what makes eBPF superior to broad firewall rules or network namespaces.

9. Real-World Implementation at GitHub

To put eBPF into production, GitHub developed a small Go agent that loads eBPF programs and manages policies. The agent runs on every host and attaches to deployment-specific cgroups. When a deploy starts, the agent enforces a 'no-GitHub access' rule for that cgroup's processes. Any violation triggers a deny and logs the call for post-incident review.

10. Getting Started With Your Own eBPF Deployment Guards

You don't need GitHub's scale to benefit from eBPF. Start with a simple program using bpf() syscall or use higher-level frameworks like bcc or bpftrace. Write a program that attaches to connect and checks if the destination IP belongs to your own services. Test in a containerized environment first. Remember: the key is to block only during critical deployment windows, not permanently.

eBPF has transformed how GitHub approaches deployment safety, turning a painful circular dependency into a solvable kernel problem. By embedding safety checks at the lowest level, they ensure that even when everything else fails, the fix can still be deployed. Whether you're running a monolith or microservices, eBPF offers a powerful, lightweight way to break the cycle.