GitHub uses eBPF to improve deployment safety
GitHub uses eBPF technology to detect and prevent circular dependencies in its deployment processes, ensuring system reliability during outages. By isolating deployment scripts in cGroups and controlling their network access, GitHub can block unintended dependencies on its own services. This approach allows safer, more resilient deployments without disrupting production traffic.
- ▪GitHub hosts its own source code, creating potential circular dependencies during outages.
- ▪eBPF is used to monitor and restrict network calls from deployment scripts at the kernel level.
- ▪The solution leverages cGroups and the BPF_PROG_TYPE_CGROUP_SKB program type to isolate and control script behavior.
- ▪A Go-based proof of concept using the cilium/ebpf library enables conditional network filtering for specific processes.
Opening excerpt (first ~120 words) tap to expand
Home / Engineering / Infrastructure How GitHub uses eBPF to improve deployment safety Learn how Github uses eBPF to detect and prevent circular dependencies in its deployment tooling. Lawrence Gripper & Aleksey Levenstein April 16, 2026 | 7 minutes Share: Did you know that, at GitHub, we host all of our own source code on github.com? We do this because we’re our own biggest customer—testing out changes internally before they go to users. However, there’s one downside: If github.com were ever to go down, we wouldn’t be able to access our own source code. This is what you’d call a very simple circular dependency: to deploy GitHub, we needed GitHub. If GitHub is down, then we wouldn’t be able to deploy something to fix it.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at The GitHub Blog.