gss

Overview

GSS is a Kubernetes addon that scans scheduled workflows across GitHub Enterprise Server. It runs as a CronJob and posts results to console or Slack Canvas.

Why GSS exists

GitHub has a known behavior: when a GHES user is deleted (e.g., after leaving the company), all scheduled workflows last committed by that user stop running silently. No warning, no alert, no error — they just stop.

In a large org with 960+ repos, this leads to hidden CI/CD outages that are hard to trace. GSS makes this risk visible by scanning all scheduled workflows and tracking their last committer, so teams can fix at-risk workflows before they break.
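The core of that scan, as an added example written for this README and not code from the gss project: it assumes the scanner has already fetched each workflow's raw YAML and last committer login and has the list of active GHES users (all constructed sample data below, with `jdoe` standing in for the deleted user).

```rust
// Added example, not the gss project's own code: flag scheduled workflows whose last
// committer is no longer an active GHES user. All sample data below is constructed.
use std::collections::HashSet;

/// One workflow file as a scanner sees it after walking a repository.
pub struct Workflow { pub repo: String, pub path: String, pub yaml: String, pub last_committer: String }

/// Line-based extraction of `on.schedule[].cron` values for the common layout
/// (a production scanner should use a real YAML parser instead).
pub fn cron_schedules(yaml: &str) -> Vec<String> {
    let (mut out, mut in_schedule) = (Vec::new(), false);
    for line in yaml.lines() {
        let t = line.trim();
        if t == "schedule:" {
            in_schedule = true;
        } else if in_schedule && t.starts_with("- cron:") {
            out.push(t["- cron:".len()..].trim().trim_matches(&['"', '\''][..]).to_string());
        } else if in_schedule && !t.is_empty() && !t.starts_with('#') {
            in_schedule = false; // left the schedule list
        }
    }
    out
}
/// Scheduled workflows whose last committer is not an active user: these are the ones
/// GitHub stops running, silently, once that account is deleted.
pub fn at_risk(workflows: &[Workflow], active: &HashSet<&str>) -> Vec<(String, String, String)> {
    workflows
        .iter()
        .filter(|w| !cron_schedules(&w.yaml).is_empty() && !active.contains(w.last_committer.as_str()))
        .map(|w| (w.repo.clone(), w.path.clone(), w.last_committer.clone()))
        .collect()
}
/// Constructed sample: `jdoe` has been deleted from GHES, `asmith` is still active.
pub fn sample_workflows() -> Vec<Workflow> {
    let mk = |repo: &str, path: &str, yaml: &str, who: &str| Workflow {
        repo: repo.into(), path: path.into(), yaml: yaml.into(), last_committer: who.into(),
    };
    vec![
        mk("acme/billing", ".github/workflows/nightly.yml",
           "on:\n  schedule:\n    - cron: \"0 2 * * *\"\n  workflow_dispatch:\njobs: {}\n", "jdoe"),
        mk("acme/web", ".github/workflows/ci.yml", "on:\n  push:\n    branches: [main]\njobs: {}\n", "jdoe"),
        mk("acme/infra", ".github/workflows/cleanup.yml",
           "on:\n  schedule:\n    - cron: '*/30 * * * *'\n    - cron: '0 0 * * 0'\njobs: {}\n", "asmith"),
    ]
}
fn main() {
    let active: HashSet<&str> = HashSet::from(["asmith", "bchen"]);
    for (repo, path, who) in at_risk(&sample_workflows(), &active) {
        println!("AT RISK {repo}/{path}: last committer '{who}' was deleted from GHES");
    }
}
```

Note that `acme/web` is also last committed by the deleted user but has no `schedule` trigger, so it is correctly left out: only cron-triggered workflows are affected by the behavior described above.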

Features

Tech Stack

GSS was first built in Go, then ported to Rust in November 2025 to match the team's Rust-based Kubernetes tooling. The rewrite brought:

Async work is handled by Tokio.

Setup

Secret

Create a secret for the GitHub token:

kubectl create secret generic gss-secret \
  --namespace gss \
  --from-literal=GITHUB_TOKEN=ghp_xxxxxxxxxxxx

Helm Chart

GHES and Slack settings are managed through the chart's configMap.data values. The Slack Canvas publisher needs SLACK_TOKEN (xoxb- bot token), SLACK_CHANNEL_ID, and SLACK_CANVAS_ID. See values.yaml for all options.

# Check available versions
crane ls ghcr.io/younsl/charts/gss

# Pull chart
helm pull oci://ghcr.io/younsl/charts/gss --version 0.1.0 --untar

# Install
helm install gss ./gss --namespace gss --create-namespace

Slack Canvases API

---
title: System architecture for GSS
---
flowchart LR
    subgraph k8s["Kubernetes"]
        subgraph "Pod GSS"
            p1["`canvas
            component`"]
        end
    end
    subgraph s["Slack"]
        sb["Slack Bot"]
        cv["Slack Canvas"]
    end

    p1 --Get canvases:write scopes--> sb --> cv

    style k8s fill: transparent
    style p1 fill: darkorange, color: white

GSS uses the Slack Canvases API to write scan results to a canvas page on each CronJob run.

References