Skip to content

Homework 3: GitHub Basics

Learning goals

  • Get comfortable with GitHub if you aren't already
  • Think about secure development practices
  • Practice simple code review

Project context

You and your team have access to a basic calculator app through GitHub classroom. Over the next three assignments, you'll (1) set up the repo and merge a few simple PRs (2) deploy the application and set up automated deployments and (3) write tests and create a continuous integration (CI) pipeline. You should apply the development processes you learn here to your prototype product.

Assignment instructions

In this assignment, you'll set up your local development environment, securely configure your repo, make a PR, and review your teammates' PRs.

You'll notice that a number of these steps address security operations. Why bother with a secure setup? Well, if you actually build a successful company, you (and your software!) become a target. If an attacker can gain write access to your source code, for example, they can insert backdoors that let them hold services ransom, steal user data, or even steal money. This opens you up to a world of legal and financial pain---but luckily, there are really simple things you can do that significantly raise the barrier for attackers. This assignment touches on several of them.

1. Configure GitHub with (non-SMS) 2FA

Having a 2FA method makes it vastly harder for attackers to compromise your GitHub account and impersonate you.

Follow these instructions to set up two-factor authentication for your GitHub account. This 2FA method must not be text message/SMS. We reccomend FIDO if possible, and TOTP as a backup option.

Turn in instructions

When you have done so, navigate to your GitHub profile; under Settings and Authentication, take a screenshot of the Preferred 2FA Method box that includes both the 2FA method and your username. Do not include anything else in the screenshot (this is possible due to the layout of the page).

2. Configure GitHub with SSH

Using SSH for GitHub authentication is both more secure and more convenient than using password authentication.

Follow these instructions to set up a new SSH key with GitHub if you haven't already. Specifically, you will:

  1. Generate a new SSH key. Make sure to use a passphrase.
  2. Add the SSH key to your account.
  3. Test that everything worked.

Turn in instructions

Once you've done these things, navigate to the SSH and GPG page in your account settings, and take a screenshot that encompasses the name/hash identifier of the key of your SSH key and your username.

2b for 10 point bonus: Configure commit signing

To get ten bonus points, configure commit signing. Then, write and submit a couple sentences about why it's beneficial.

Turn in instructions

Submit a screenshot of your signed commits and your description.

3. Create your GitHub classroom team.

One person on your team should go to this GitHub Classroom link to create your team. Be sure to select all of your team's members. Check to see if your team name already exists in the Software Engineering for Startups organization before creating a new one.

This will create a shared repository for all members of your team. All of the instructors will have admin access to your new repository.

There is no deliverable for this step.

4. Clone the calculator repo onto your local machine

When you navigate to the Code tab, make sure you use the SSH tab, not the HTTPS tab. This will clone the repo using the SSH authentication flow.

There is no deliverable for this step.

5. Configure branch protection

As it stands, anyone with access to your repo can push whatever garbage they want to the main branch. That's not good! It's important to make sure code that actually gets deployed has been thoroughly tested and reviewed (to catch everything from mistakes to intentional back doors!). In this assignment, you'll focus on code review; in a future assignment, you'll block merges to main until your code passes CI.

To protect your main branch, navigate to the Settings tab in the calculator repo and click on Branches (on the lefthand side). You'll see two options: (1) Add branch ruleset and (2) Add classic branch protection rule. For now, you're just going to add a classic branch protection rule that protects main from direct, unreviewed commits: check the box to require a pull request before merging. Once you check this box, you will have the ability to require multiple PR approvals before merging is allowed. Require at least two.

Turn in instructions

Take a screenshot of your branch protection rules; we'll also check the repository directly.

6. Configure pull requests

Your main history is much easier to track if all commits to main are uniform. Different teams have different preferences for this configuration, but in this class, we'll require squash merging for a clean history; this is a very common configuration.

Navigate to the General settings. Under Pull requests, uncheck merge commits and rebase merging, leaving only squash merging checked. In the dropdown, select Pull request title and description. This means that only the PR title and description will show up in your main branch's commit history, and each feature branch will be squashed into a single commit.

Turn in instructions

Take a screenshot of your repo's PR settings.

7. Run the calculator app locally

Follow the instructions in the README to set up and run the calculator on your machine. You can choose to deploy the app locally using either Docker or npm, depending on your preference. Ensure everything is working before proceeding with any modifications.

There is no deliverable for this step.

8. Add a piece of functionality to the calculator

You will add a new piece of calculator functionality in a new branch. Then, you will open a pull request (PR) so that your teammates can review and approve your changes.

Each team member should choose one of the following features. Coordinate with your teammates to ensure no two members implement the same functionality.

  1. Backward Button: Add a button that allows users to remove the last entered character in the calculator input field.
  2. Custom Pop-up for Invalid Expressions: Display a pop-up window when the user enters an invalid expression.
  3. Brackets Support: Add "(" and ")" buttons and ensure expressions with brackets are correctly handled.
  4. Expression History Display: Show a list of previously calculated expressions in the frontend. The list should reset when the browser is refreshed.
  5. Backend Logging: Log all expressions sent to the backend into a local file. The log should persist even after the browser is refreshed.

Use your PR message to clearly describe the changes you've made to the calculator app.

Turn in instructions

Please provide us a link to your PR.

9. Review at least two PRs

Following the best practices we discussed in class, leave two reviews on your teammates' PRs. If there issues, continue to discuss in the comments until you're satisfied with the changes and able to approve the pull requests.

Turn in instructions

Please provide two or more links to your reviews.

10. Merge your reviewed PR

Finally, once your PR has been approved, merge it.

Turn in instructions

Please provide a link to your merged commit.