The Rise and Fall of GitHub
If you're reading this there's a better-than-not chance that you're already a GitHub fan, or were at a time. I'm not here to drag it through the mud. No, this is more in line with that feeling you might get when you see a beloved friend struggling with a lack of direction and purpose in life. The rise and fall of GitHub may be a bit dramatic. But, if history tells us anything, what we're beginning to see with GitHub is nothing new in the world of tech.
UPDATE: What appears to be the end of this saga. Which, spoiler alert, has absolutely no resolution. Here's a link to the ridiculous excuse and non-answer I was given by GitHub regarding why they suspended my account. See follow up comment if interested. I think I may have to give this one up at this point, but I can most certainly tell you that I will never be using GitHub again.
https://github.com/orgs/community/discussions/122615
Part 1: The Rude Awakening
Let me start by explaining why I'm wasting my time writing a post like this. Recently, I started a brand new project that I am looking forward to using in my day-to-day work. I have the most experience with CI/CD and SDLC automation in the world of Microsoft Azure DevOps. I love this tool, and it took a lot for me to even consider going whole hog in the world of GitHub CI/CD. But, I welcomed the challenge and looked forward to learning how to use Actions and seeing what variables and secrets looked like in this new toolset.
Things were going great for the four weeks that I managed to go from idea to MVP. Because of the modern technology at my finger tips coming up with an idea and getting it to market can be done at break-neck speeds. This is true of the development process as well as the deployment process. This is where GitHub comes into the picture. Once I put the finishing touches on V1 of my shiny new app I shifted from "how do I make this application?" to "how do I get this application to market?" A question that every developer or organization faces if they ever plan on their products seeing the light of day. "Works on my machine" never really cuts it when you need to keep the lights on.
I had been tinkering with the GitHub Actions feature for about four days in my spare time. You know, the whole, change a single word, rerun the pipeline, hit an error, try again - bit. This process is ugly, it takes a lot of time, it is probably the most frustrating part of being a developer, or at least being a member of the DevOps community. I continued to retry different configurations for deploying my Docker container (also a brand new technology for me) and as I was doing that I had to repeatedly trigger the pipeline. This seemed fine and all until one time I hit that button and then GitHub seemed to bite the dust on me. I got this beautiful little warning message on my screen to digest:
Immediately, my heart sinks. I get this rush of adrenaline, feeling like I did something wrong or that I somehow did something malicious. Then, after regaining my inner dialog's consciousness I begin to get extremely frustrated. Not because my brand new account, of about a month and a half ago, was suspended. But because they suspended my account and gave me absolutely no indication of the infraction I had just committed. I checked and rechecked my email, my spam inbox, hammering on that refresh button. Still, nothing.
Part 2: Some Time Alone With My Thoughts
Any dev will tell you that as you're developing an application, or even just working through some logic in complex code, it takes every ounce of focus you have at times. If you're anything like me you have a full-time job, a significant other, a life (I envy you if have that) outside of work that you need to tend to as well. As such you probably don't have the luxury to perfectly plan out any projects you want to start or that you already have running outside of your day job. This means that at best your application will work, but it's going to be far from perfect. Time for writing 80% test coverage on your code? Fat chance. Time to make sure that you've hit every single accessibility feature across your whole app? Give me a break. These are important aspects of any project, but we exist in a world of finite amounts of time to do these things, especially with side projects.
As I stewed over my frustration with GitHub suspending my account, without any explanation as to why, I started to dig a little deeper. And where I headed surprised me a little. My immediate thought, after this all unfolded, was singular and critical: "Do I have all of my most recent code changes and are they in my immediate possession?" And in this thought is where my biggest qualms with GitHub began to surface. If not for having a natural skepticism, and a healthy dose of trust issues, I'd be up shit creek without a paddle right then. Luckily, I have a problem, and I utilize a backup strategy that some may call a little paranoid. I didn't think much about it as I was developing, but because of systems I put in place on my computer long ago - I still owned and possessed my own code. And it was backed up. My point with this is that not everyone thinks ahead enough (with limited time) to not treat a repository as a form of backup. It's an easy trap to fall into, but think of any organization who has all of their code in one central repository, and the company hosting that repository felt like shutting down your account without warning.
Applications and SaaS, like GitHub and Azure DevOps, have become a requirement and not a luxury in the world of tech. These applications aren't just trivial niceties that a person or developer picks up because they make life easier. No, these applications have become a necessity for survival in the tech landscape. I will go so far as to say that if you're not utilizing automation and CI/CD technology it may not be today, but eventually your application or organization will be made obsolete. I know this is a little intense, but I'm willing to bet it holds plenty of merit. This is because it not only eases the time to market, but it removes so much of the human aspect of development and deployment. Humans are great problem solvers, we are not meant to manage repetitive, rapid changes that need to be done repeatedly. This is largely in part why we even have computers to begin with.
This rapid development and deployment means the difference between early adoption of a new technology or a game-changing feature that one organization releases prior to their competitor. It also means doing so in a way that decreases the likelihood of human error and helps to stabilize complex systems. These are all things that again are necessary to even have a fighting chance in today's tech world. So, where on earth am I going with all of this? In short - the risk that exists with the centralization of all of the most critical modern automation and CI/CD technology being owned by one of the largest companies in the world. And they own not one, but two of the most widely used, widely recognized offerings on the market.
Part 3: Guilty Until Proven Innocent
My biggest issue in all of this isn't the fact that they suspended my account. As a developer who thinks a lot about users abusing systems or taking advantage of features or functionality, it's on my mind a lot. I understand the need for preventative measures and to lock accounts with suspicious activity. The issue, however, from all of the new things I've experienced developing a new browser extension, is that the result of all of the recent lawsuits, GDPR, user rights issues and the like - is that it's individual developers, indie teams and small businesses who are ultimately paying the price. And in my opinion (and I'm not a lawyer but I'm pretty sure there's something about a service level agreement for these companies) if you offer a service where your users either pay, or are wholly dependent on your products to maintain a business or earn a living it is your responsibility to communicate with those end users. It shouldn't be acceptable to simply ghost a customer without warning or explaining to them what you think they did wrong. And having a fast, effective line of communication, along with the openness and willingness to work with people to try and rectify an infraction, should go without saying. A slow, weeks long email chain on the chance that maybe you'll hear back at some point is not good enough.
To further my point, the application I keep referring to in this post is that of a browser extension. I have run into roadblocks developing this application at every turn. It's not been the development that is the hard part. It's all the red tape being put up on me as a solo developer because I have no power in this market against these huge players. With Google, if you make an extension today, you have to provide them with all of your personal information. This information is then listed publicly in the details of your extension. Any person across the globe will see your home address, your personal phone number, your personal email. All of this is required, and must be proven with a valid form of identification, if you plan on taking even a single penny in payments within your app. On top of that they put your application through a rigorous screening process and nitpick every single feature you list in your manifest file. All in the name of "user privacy."
I am one of the lucky few who has a legally registered business. But, this wasn't enough and the remaining pieces I needed to prevent my personal information from being exposed has an ongoing cost of quite a bit of money. I happen to have two phones (like a crazy person) one is a Pixel, the other is an iPhone. All of this is so that I can do cross-browser testing on iOS Safari. I also recently opened a PO box. I got lucky in that years ago USPS, in an effort to stay relevant, started allowing people and businesses to list the address of the post office along with your PO box number as a "Unit Number" just so that people could use PO boxes as valid addresses. Again, I pay for these services. Think of the thousands of indie developers who just want to learn, or simply put out an application for fun or for a small project. I am fairly certain they won't be opening any PO boxes or getting new phones to keep their private information hidden from the world just so they can develop a basic app.
Moving on to GitHub in this tirade of words I'm forming. For the countless professional consultants, or for any indie developer running their own apps or apps for clients through GitHub, it should be a terrifying notion that your account can be suspended at any moment without reason. It's like being arrested and getting thrown in a cell only to be told 1) nothing and 2) that maybe at some point in the future you'll get an email as to why you've been arrested. But we can't guarantee when or even if you'll get a notice.
After this happened I poured over the web to see if I was the only one, because surely I couldn't be. And, the entire reason I felt empowered to blab about this, is because I am far from the only person who's experienced this. DiorFlipFlops here had a similar issue in 2023 when their account was suspended while they were testing (just like me). Reddit is just a dumping ground for cases like this, so I'll just leave you with one case where robot236 had their account suspended without notice. One of the more productive and helpful pieces of internet ramblings I found happened to come from ycombinator. This one, where 'My GitHub account got suspended without any notice' is actually where I started to both come to grips with the situation and to start forming a plan to keep moving forward. And here is where the warning flags started to come from. So, thank you to those before me and I wish you the best of luck to those who will surely face this after me.
Part 4: Where Do I Go From Here?
One of the worst aspects of being any tech professional, business, consumer, or otherwise human being these days, is the concept of vendor lock. According to Cloudflare (ha, the irony kills me with this one...wow) "Vendor lock-in is when someone is essentially forced to continue using a product or service regardless of quality, because switching away from that product or service is not practical."[1] Now, think about the risk involved in having all of your eggs in one basket due to convenience and that the effort of creating and maintaining multiple just isn't worth it. If you're a consultant, a company, or an individual with a profitable application and your entire dev and deploy process exists in a single SaaS offering, the moment they pull the rug out from under you is the moment you realize that you are not in control of your own products. I didn't even have my application to market, I was merely working towards that goal and they killed it. With a single flip of a bit, and 0 explanation as to why, my progress and my application were totally dead in the water.
There is a resolution to all of this mess. And that is, for the companies who hold all the power, who control all of these highly necessary technologies that are simply too advanced to even think about "rolling your own" with, to be much more conscientious of the impact of automated and egregious account suspensions. If you're going to accuse users of "breaching" your terms and conditions it is your responsibility to give them the opportunity to both defend themselves and to come to a quick and efficient resolution that corrects the behavior. Which more often than not is likely accidental. People's livelihoods are literally at stake when you suspend accounts for applications on GitHub and Azure DevOps. It should be the standard and not the exception that if you demand everything from us developers and you want the responsibility of consumer transparency to fall on us, then it is also your responsibility to be responsive to the impact that your decisions have on us. All users, no matter who they are, no matter what your automated flag systems accuse us of doing, should be afforded a much more transparent process and means of resolution to these instances and it needs to be made a primary focus, and not an afterthought of doing business.
Summary
I don't have a whole lot to summarize on this one. At first I felt like I did something wrong. I felt accused and "dirty," almost, after having seen the account suspension page. But then as I thought about it I realized I did nothing wrong. As I had no intent, I had no motive, and I had no opportunity to do anything that was an active breach of their terms and conditions. I was merely developing, learning and growing my skills. And if a person does do something, just like in our regular physical existence, you correct the behavior by at least giving the slightest indication as to what that behavior is. GitHub, do better. If you're going to keep acting like you're the cool kid on the block and have a culture of collaboration and innovation, you need to stop killing it by acting like you don't care about your users anymore.
Update: Almost 2 Weeks Later
I have yet to hear anything back on the support ticket I placed with GitHub. Having read both community posts on GitHub and on Reddit I had little faith of hearing anything in the first place. But, life doesn't stop just because a company is being unprofessional.
I have since completely quit using GitHub and have switched to GitLab. I'm even hesitant to go back to using Azure DevOps for my personal projects given the lack of support I'm already experiencing with another Microsoft company. Unfortunately, as I said in my blog post, these are necessary tools in the world of modern tech and they are not optional. It's hard to explain the uneasy feeling I generally hold toward all SaaS providers now, including Google accounts, as a result.
I also cancelled my GitHub Copilot subscription and have since found alternatives, which shockingly, I find even better than Copilot. Codeium is free for individuals and has support for even more languages than Copilot. It's lighting fast and has extensions for more IDEs than GitHub's Copilot. Until GitHub does the bare minimum and responds with even the slightest indication that they give a crap I will seek alternatives from here on out.
For myself and anyone else who has experienced this with GitHub, I did some more research and there seems to be a steady community in favor of boycotting the service altogether. Here are a few links I've found calling for a boycott of GitHub. Most are just duplicates of the Software Freedom Conservancy calling for a boycott, but it's always good to get several perspectives:
I'm not calling for anarchy and to boycott GitHub to be a PITA. I'm calling for GitHub to be a good actor, have a responsible line of communication with users and to take their own processes more seriously. I refuse to start any new projects with this company. It's far too big of a risk to take.
Sources
[1] What is vendor lock-in? | Vendor lock-in and cloud computing | Cloudflare
Subscribe to my newsletter
Read articles from Charles J directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
Charles J
Charles J
The software developer with a half a cup of water 🥤 and chopsticks 🥢