Xtcworld

GitHub Deploys eBPF to Break Deployment Dependencies, Prevent Outage Escalation

GitHub has deployed eBPF to block circular dependencies in its deployment pipeline, preventing an outage from escalating. The system monitors the network calls a deploy makes at runtime and blocks any that would depend on GitHub.com or an internal service, closing a long-standing gap in its outage recovery.

Xtcworld · 2026-05-15 19:09:17 · Open Source


April 5, 2025 — GitHub has deployed a new eBPF-based monitoring and blocking system inside its deployment pipeline to prevent circular dependencies from locking the company out of its own code during outages. The move addresses a long-standing weakness in its recovery path: a routine MySQL failure could otherwise escalate into a full platform crisis because the fix could not be deployed.

[Image: GitHub Deploys eBPF to Break Deployment Dependencies, Prevent Outage Escalation. Source: github.blog]

“If GitHub.com goes down, we lose access to the source code we need to fix it. That’s the core circular dependency we’re solving,” said a GitHub infrastructure engineer familiar with the project. “eBPF lets us catch these loops at runtime, before they block a deploy.”

The system sits inside GitHub’s new host-based deployment engine, filtering all outbound network calls from deployment scripts. It blocks any request that would create a dependency on an internal service or a download from GitHub.com itself—exactly the pattern that can freeze a recovery effort.

Background

GitHub stores its own source code on github.com, which makes the company its own customer. That creates what GitHub calls a “simple circular dependency”: to deploy a fix for GitHub, you need GitHub to be up. The company maintains a mirrored code repository and pre-built assets for rollback, but that only addresses the top-level problem.

“The deeper issue is inside the deployment scripts themselves,” the engineer explained. “A script might pull a binary from GitHub, call an internal API that then checks GitHub, or use a tool that phones home for updates. Any of those can lock up a deploy during an outage.”

Previously, each team owning stateful hosts—such as MySQL nodes—had to manually review their deployment scripts for circular dependencies. That approach was error-prone and missed hidden or transient cases.

How eBPF Blocks Dependencies

eBPF (extended Berkeley Packet Filter) runs sandboxed programs inside the Linux kernel, which lets GitHub observe every outbound network call made by a deployment script and by any process it spawns, without modifying the script or the tools it runs. When a call would create a circular dependency, defined as any outbound connection to an internal service or to GitHub.com, the eBPF program can either log the event (an audit mode for finding dependencies before turning enforcement on) or block the call outright so the deploy fails fast instead of hanging.


Three dependency types are targeted, as described in GitHub’s technical documentation:

  • Direct dependencies: The deploy script explicitly pulls a binary from GitHub. If GitHub is down, the pull fails.
  • Hidden dependencies: A local tool checks GitHub for updates at runtime, hanging if it cannot reach the service.
  • Transient dependencies: The script calls an internal API, which itself fetches data from GitHub. The deploy host cannot see what that API does downstream, so the policy cuts the chain at the first hop by blocking the call to the internal service itself.
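The following is an added illustration, not GitHub's code and not taken from the github.blog post: a Python model of the connect-time policy described above, run over a constructed trace of outbound connections from a deploy. It shows why an IP-level policy is enough to catch all three dependency types, including the transient one, and how an audit mode differs from enforcement. A real cgroup/connect eBPF hook sees only destination IP and port, so forbidden hostnames have to be pre-resolved into prefixes by the user-space loader; every address range below is a stand-in (RFC 1918 and RFC 5737 space), not GitHub's real address space, and the mirror and process names are hypothetical.

```python
"""Simulated connect-time policy for a deploy host (illustration only).

Models the decision an eBPF program attached to the deploy's cgroup would make
for each outbound connect(): allow, block, or (in audit mode) log and allow.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Iterable, List

# Ranges a deploy must never depend on. The kernel hook sees only dst_ip/dst_port,
# so "github.com" is represented by prefixes the loader resolved ahead of time.
# All ranges are constructed stand-ins, not real GitHub or production addresses.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]
GITHUB_NETS = [ip_network("203.0.113.0/24")]   # stand-in for github.com / *.github.com

# Destinations a deploy may reach even when GitHub is down, e.g. the mirrored
# repository and pre-built assets used for rollback (hypothetical address).
ALLOWED_NETS = [ip_network("192.0.2.10/32")]


@dataclass(frozen=True)
class ConnectEvent:
    pid: int
    comm: str        # process name as the kernel reports it (truncated to 16 bytes in reality)
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Decision:
    event: ConnectEvent
    allowed: bool
    reason: str


def _in_any(ip: IPv4Address, nets) -> bool:
    return any(ip in n for n in nets)


def classify(ev: ConnectEvent) -> Decision:
    """Pure policy decision for one connect(), independent of mode."""
    ip = ip_address(ev.dst_ip)
    if _in_any(ip, ALLOWED_NETS):
        return Decision(ev, True, "explicit allowlist (mirror)")
    if _in_any(ip, GITHUB_NETS):
        return Decision(ev, False, "depends on github.com")
    if _in_any(ip, INTERNAL_NETS):
        # Transient case: we cannot see what the internal service calls, so any
        # dependency on it is treated as a loop and cut at this first hop.
        return Decision(ev, False, "depends on internal service")
    return Decision(ev, True, "no circular dependency")


def evaluate(events: Iterable[ConnectEvent], mode: str = "enforce") -> List[Decision]:
    """Apply the policy in 'audit' (log only) or 'enforce' (block) mode."""
    if mode not in ("audit", "enforce"):
        raise ValueError(f"unknown mode {mode!r}")
    out: List[Decision] = []
    for ev in events:
        d = classify(ev)
        if not d.allowed and mode == "audit":
            # Audit mode records the violation but lets the connect proceed,
            # which is how dependencies are inventoried before enforcement.
            d = Decision(ev, True, d.reason + " (audit only)")
        out.append(d)
    return out


def violations(events: Iterable[ConnectEvent]) -> List[str]:
    """Human-readable list of connects that enforce mode would block."""
    return [
        f"{d.event.comm}[{d.event.pid}] -> {d.event.dst_ip}:{d.event.dst_port}: {d.reason}"
        for d in evaluate(events, "enforce")
        if not d.allowed
    ]


# Constructed trace of one deploy, exercising the three dependency types plus two legitimate calls.
SAMPLE_TRACE = [
    ConnectEvent(4101, "curl", "203.0.113.7", 443),        # direct: script pulls a binary from GitHub
    ConnectEvent(4102, "mysqltool", "203.0.113.42", 443),  # hidden: local tool phones home for updates
    ConnectEvent(4103, "deploy.sh", "10.20.0.5", 8443),    # transient: internal API that itself calls GitHub
    ConnectEvent(4104, "git", "192.0.2.10", 22),           # allowed: mirrored repo used for rollback
    ConnectEvent(4105, "deploy.sh", "127.0.0.1", 3306),    # allowed: MySQL on the host being deployed
]

if __name__ == "__main__":
    for d in evaluate(SAMPLE_TRACE, "enforce"):
        verdict = "ALLOW" if d.allowed else "BLOCK"
        print(f"{verdict:5} {d.event.comm}[{d.event.pid}] -> {d.event.dst_ip}:{d.event.dst_port}  ({d.reason})")
```

The hidden and transient cases are caught even though the deploy script never mentions GitHub: the kernel hook sees the connect made by the child tool or to the internal API regardless of which process issued it. Running the same trace in audit mode first is what lets a team enumerate these dependencies before flipping to enforcement.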

What This Means

For the wider DevOps and infrastructure engineering community, GitHub’s approach offers a new pattern for deployment safety. eBPF provides real-time, kernel-level enforcement without changes to application code. That means teams can retrofit safety into legacy scripts that were never designed for offline operation.

“It’s a shift from hoping scripts are correct to enforcing correctness programmatically,” the engineer said. “For any company that runs its own infrastructure, this is a blueprint for breaking circular dependencies that have haunted deployments for years.”

GitHub has not indicated whether it will open-source the specific eBPF programs, but the technique is widely applicable. The move reinforces the company’s commitment to using eBPF for production safety—a trend that has grown across the industry, including in networking, security, and observability.

In the short term, GitHub’s internal deployment reliability is expected to improve dramatically. The system is already in use for MySQL and other stateful services, and plans are underway to extend it to all host-based deployments.
