CI/CD Glossary
Every CI/CD term, defined.
Plain-English definitions of CI/CD, GitHub Actions, runner, and DevOps terminology - from "artifact" to "workflow". A fast reference that links straight to deeper guides.
CI/CD core
Pipelines, stages, builds, deploys.
.dockerignore.dockerignore: A .dockerignore file lists path patterns excluded from the build context, similar to `.gitigno…
Acceptance TestAcceptance Test: An acceptance test checks whether the software meets the business requirements and is ready…
Acceptance TestAcceptance Test: An acceptance test verifies that the system meets business requirements from the user or sta…
Acceptance TestAcceptance Test: An acceptance test verifies that the software meets the agreed business requirements and acc…
ACIDACID - atomicity, consistency, isolation, durability - are the four guarantees a transactional database makes…
AgileAgile: Agile is a family of software-delivery methods, codified in the 2001 Agile Manifesto, that favor short…
Alert FatigueAlert Fatigue: Alert fatigue is the desensitization that happens when responders receive too many alerts, esp…
Annotated TagAnnotated Tag: An annotated tag is a full Git object storing a message, tagger name, date, and optional GPG s…
API GatewayAn API gateway is a single entry point in front of many services, handling routing, auth, rate limiting, and…
API VersioningAPI Versioning: API versioning is the practice of labeling an API so clients keep working when it changes, us…
Approval GateApproval Gate: An approval gate is a manual checkpoint that pauses a pipeline until a designated person or te…
Arrange, Act, AssertArrange, Act, Assert: Arrange, Act, Assert (AAA) is a pattern for structuring a test into three clear phases:…
AssertionAssertion: An assertion is a statement in a test that checks a condition and fails the test if it is false, f…
AssertionAssertion: An assertion is a statement in a test that checks whether a value or condition matches what is exp…
AssertionAssertion: An assertion is a check inside a test that compares an actual value to an expected one and fails t…
Async RuntimeAn async runtime schedules asynchronous tasks to completion on a thread pool, providing the event loop, timer…
AuthenticationAuthentication: Authentication is the process of verifying who a caller is, usually by checking a credential…
AuthorizationAuthorization: Authorization is deciding whether an already-authenticated identity is permitted to perform a…
Automated GateAutomated Gate: An automated gate is a pipeline checkpoint whose pass/fail decision is made entirely by a mac…
Autoscaling GroupAn autoscaling group manages a fleet of identical instances, adding or removing them automatically to match d…
AvroAvro is a compact, row-oriented binary serialization format with a self-describing schema - common for stream…
Bare MetalBare metal is a physical server with no hypervisor layer - your workload runs directly on the hardware, tradi…
BASE (Basically Available, Soft state, Eventual consistency)BASE describes the relaxed consistency of many NoSQL stores: basically available, soft state, eventually cons…
Base ImageBase Image: A base image is the starting image a Dockerfile builds on top of, named in the first `FROM` instr…
Bastion HostA bastion host is a hardened, internet-facing jump server that brokers SSH access into private subnets so int…
Batch ProcessingBatch processing runs computation over a bounded chunk of data at scheduled intervals, optimizing for through…
Bind MountBind Mount: A bind mount maps a specific file or directory on the host directly into a container. The contain…
Blameless PostmortemBlameless Postmortem: A blameless postmortem reviews an incident by focusing on systemic and process causes r…
Blue-Green DeploymentBlue-green deployment runs two identical environments and switches traffic from the old (blue) to the new (gr…
Blue-Green DeploymentBlue-Green Deployment: A blue-green deployment runs two identical environments (blue and green); the new vers…
Branch CoverageBranch Coverage: Branch coverage is the percentage of decision outcomes (each true and false edge of every `i…
Branch CoverageBranch Coverage: Branch coverage measures the percentage of decision branches (each side of every `if`, `swit…
Branch CoverageBranch Coverage: Branch coverage measures whether both the true and false outcomes of every decision point (i…
Branch ProtectionBranch protection is a set of rules that guard a branch - requiring passing checks, reviews, or an up-to-date…
Breaking ChangeA breaking change forces consumers to update their code or config - a removed API or changed contract - and t…
BrowserslistBrowserslist: Browserslist is a shared configuration that declares which browsers a project supports, so tool…
Bucket PolicyA bucket policy is a resource-level rule on a storage bucket saying who may do what to its objects - the guar…
Build AvoidanceBuild Avoidance: Build avoidance is skipping build work entirely when a cached result for the same inputs alr…
Build ContextBuild Context: The build context is the set of files sent to the builder when an image is built, usually the…
Build FlagBuild Flag: A build flag is a parameter passed to a build tool or compiler that controls how output is produc…
Build Once Deploy ManyBuild Once Deploy Many: Build once, deploy many is the practice of producing a single immutable artifact in C…
Build StageBuild Stage: A build stage is a logical phase in a pipeline (build, test, deploy) that groups jobs and usuall…
BulkheadThe bulkhead pattern isolates resources into separate pools per dependency, so one overloaded dependency can’…
Bundle SplittingBundle splitting breaks a build into multiple chunks so the browser loads only what a page needs, improving i…
BundlerBundler: A bundler is a build tool that combines many source modules and their dependencies into a smaller se…
Burn RateBurn Rate: Burn rate measures how fast an error budget is being consumed relative to the SLO window. A burn r…
BytecodeBytecode: Bytecode is a compact, platform-independent instruction set produced by a compiler and executed by…
Cache EvictionCache eviction removes entries to make room when a cache is full, using a policy like LRU. Aggressive evictio…
Cache KeyA cache key is the identifier a value is stored and looked up under. In CI a key hashed from lockfiles and OS…
Calendar VersioningCalendar Versioning: Calendar versioning (CalVer) derives a version number from the release date, for example…
Calendar Versioning (CalVer)Calendar Versioning (CalVer): Calendar versioning numbers releases by date instead of by change impact, for e…
Canary DeploymentA canary deployment ships a new version to a small slice of traffic first, watching its health before rolling…
Cancellation TokenA cancellation token is a signal passed into async operations so a caller can cooperatively ask them to stop,…
CAP TheoremThe CAP theorem states a distributed store can’t guarantee consistency and availability at once during a netw…
Caret RangeCaret Range: A caret range (`^1.2.3`) allows any version that does not change the left-most non-zero version…
Caret RangeCaret Range: A caret range (`^`) in npm allows updates that do not change the leftmost non-zero version compo…
CDN (Content Delivery Network)A CDN serves content from edge locations close to users, cutting latency and offloading origin servers - and…
Change Data CaptureChange data capture (CDC) streams row-level inserts, updates, and deletes out of a database in real time, usu…
Change Failure RateChange Failure Rate: Change failure rate is a DORA metric: the percentage of deployments that cause a failure…
Changelog GenerationChangelog generation builds a release’s human-readable list of changes automatically from commit messages or…
Checksum VerificationChecksum verification recomputes a downloaded file’s hash and compares it to a trusted value, confirming the…
Checksum VerificationChecksum Verification: Checksum verification is comparing a downloaded artifact's computed hash against an ex…
Cherry-PickCherry-Pick: git cherry-pick applies the changes from one specific commit onto the current branch, creating a…
ChunkChunk: A chunk is one of the output files a bundler produces when it splits code. Each chunk groups a set of…
Circuit BreakerA circuit breaker stops calling a failing dependency once errors cross a threshold, failing fast for a cooldo…
cloud-initcloud-init is the de facto tool that configures a cloud instance on first boot - setting hostname, users, pac…
Code Coverage GateCode Coverage Gate: A code coverage gate is a CI rule that fails the build when coverage drops below a thresh…
Code Coverage ThresholdCode Coverage Threshold: A code coverage threshold is a minimum coverage percentage the test suite must meet,…
Code ReviewCode review is having peers inspect a change before merge, catching bugs and sharing knowledge - usually a re…
Code ReviewCode Review: A code review is the examination of proposed code changes by one or more people other than the a…
Code ReviewCode Review: Code review is the practice of having one or more people read a proposed change before it merges…
Cold StorageCold storage is a low-cost archival tier for rarely-accessed data; retrieval is cheap to keep but slow and so…
Columnar StorageColumnar storage lays data out by column rather than row, so analytical queries read only the columns they ne…
Commit-ishCommit-ish: A commit-ish is anything Git can resolve to a commit: a full or short SHA, a branch, a tag, `HEAD…
CompactionCompaction merges many small data files or table parts into fewer larger ones, reclaiming space and speeding…
Compatibility TestCompatibility Test: A compatibility test confirms the software works across the target range of browsers, ope…
CompilerCompiler: A compiler is a program that translates source code written in one language (such as C, Go, or Type…
Compiler FlagCompiler Flag: A compiler flag is an option passed directly to the compiler that changes how it processes sou…
Connection PoolConnection Pool: A connection pool is a cache of reusable database connections that an application borrows an…
Connection PoolingConnection pooling reuses a fixed set of open database connections across requests, avoiding a new TCP and au…
Connection StringConnection String: A connection string is a single value encoding how to reach a database: driver, host, port…
ConsensusConsensus is the problem of getting distributed nodes to agree on a single value despite failures; Raft and P…
Container ImageContainer Image: A container image is a read-only, layered filesystem plus metadata (entrypoint, environment,…
Container ImageContainer Image: A container image is a read-only, layered package that bundles an application with its runti…
Container VolumeContainer Volume: A volume is storage attached to a container that persists data outside the container writab…
ContainerizationContainerization: Containerization packages an application together with its dependencies into an isolated, p…
Continuous Delivery (CD)Continuous Delivery (CD): **Continuous delivery** extends CI by automatically preparing every validated chang…
Continuous Delivery (Model)Continuous Delivery (Model): Continuous delivery extends continuous integration by keeping every validated ch…
Continuous DeploymentContinuous Deployment: **Continuous deployment** goes one step beyond continuous delivery: every change that…
Continuous Deployment (Model)Continuous Deployment (Model): Continuous deployment automatically releases every change that passes the pipe…
Continuous Integration (CI)Continuous Integration (CI): **Continuous integration** is the practice of automatically building and testing…
Continuous Integration (Model)Continuous Integration (Model): Continuous integration is the practice of merging code to a shared mainline f…
Continuous TestingContinuous Testing: Continuous testing is running automated tests at every stage of the pipeline, so quality…
Continuous TestingContinuous Testing: Continuous testing is running automated tests throughout the delivery pipeline, from comm…
Conventional CommitA conventional commit follows a structured message like feat: or fix:, letting tooling derive changelogs and…
CoroutineA coroutine is a function that can suspend and resume at defined points, keeping its state across yields - th…
Coverage RatchetCoverage Ratchet: A coverage ratchet is a CI policy that fails a change if it lowers test coverage below the…
croncron: cron is the Unix time-based job scheduler that runs commands at fixed times defined by a five-field exp…
CutoverCutover: A cutover is the moment a system switches from an old data path to a new one, making the new schema…
CVE (Common Vulnerabilities and Exposures)A CVE is a public, uniquely numbered identifier for one known security vulnerability, letting tools and teams…
CVSS scoreA CVSS score rates a vulnerability’s severity from 0 to 10 by exploitability and impact, helping teams decide…
Cycle TimeCycle Time: Cycle time is how long a work item takes from when work actually starts on it until it is done, a…
DaemonDaemon: A daemon is a long-running background process detached from any terminal that provides a service, suc…
Data BackfillData Backfill: A data backfill populates a new or changed column across existing rows after a schema migratio…
Data CatalogA data catalog is a searchable inventory of an organization’s datasets with metadata, ownership, and schema -…
Data LakeA data lake stores raw data of any shape - structured or not - cheaply at scale, with schema applied on read…
Data LineageData lineage tracks where data came from and how it was transformed through each pipeline stage - essential f…
Data PipelineA data pipeline is the orchestrated series of steps that moves and transforms data from sources to destinatio…
Data WarehouseA data warehouse is a database optimized for analytical queries over cleaned, structured data - columnar, ind…
Database MigrationDatabase Migration: A database migration is a versioned, ordered change to a database schema or data, applied…
Database TransactionDatabase Transaction: A database transaction is a unit of work that either completes entirely or has no effec…
Dead letter queue (DLQ)A dead letter queue holds messages that repeatedly failed processing, moving them aside so the main queue kee…
Deadline PropagationDeadline propagation passes a request’s remaining time budget through every downstream call, so the whole cha…
Debug SymbolsDebug Symbols: Debug symbols are metadata embedded in or shipped alongside a binary that map machine addresse…
Declarative PipelineDeclarative Pipeline: A declarative pipeline describes the desired CI stages and structure in configuration (…
Definition of DoneThe definition of done is a shared checklist a work item must satisfy - tests passing, reviewed, deployed - b…
Definition of DoneDefinition of Done: A definition of done is a shared, explicit checklist of conditions a work item must meet…
Dependency ConfusionDependency confusion tricks a build into pulling a malicious public package in place of a private one of the…
Dependency GraphDependency Graph: A dependency graph is the directed graph of which packages depend on which others, used by…
Dependency GraphDependency Graph: A dependency graph is the directed graph a bundler builds by starting at entry points and f…
Dependency InjectionDependency Injection: Dependency injection is a design technique where a component receives its dependencies…
Dependency PinningDependency pinning locks each dependency to an exact version so builds are reproducible and an upstream relea…
Dependency PinningDependency Pinning: Dependency pinning is fixing each dependency to an exact version (and ideally a checksum)…
Dependency PinningDependency Pinning: Dependency pinning is locking a dependency to one exact version (for example `lodash@4.17…
Dependency ScanningDependency scanning checks your third-party packages against vulnerability databases, alerting CI when a know…
Deployment FrequencyDeployment Frequency: Deployment frequency is one of the four DORA metrics: how often an organization success…
Deployment GateDeployment Gate: A deployment gate is a checkpoint that must pass before a release is allowed to deploy to a…
Deployment PipelineDeployment Pipeline: A deployment pipeline, a term from the book Continuous Delivery, is the automated path a…
Deployment PipelineDeployment Pipeline: A deployment pipeline is the automated path a change travels from commit through build,…
Deployment PipelineDeployment Pipeline: A deployment pipeline is the automated path a build takes from a committed change to run…
Detached HEADDetached HEAD: A detached HEAD state is when `HEAD` points directly at a commit instead of a branch, so new c…
DeterminismDeterminism: Determinism is the property that a process produces the same result every time given the same in…
Deterministic OutputDeterministic Output: Deterministic output means a build or test step yields the same result on every run giv…
Development BuildDevelopment Build: A development build compiles an app for fast iteration and debugging, skipping heavy optim…
DevOpsDevOps: DevOps is a set of practices and a culture that unite software development and IT operations to short…
Diamond DependencyDiamond Dependency: A diamond dependency is a graph shape where two dependencies both depend on a third, so t…
Direct DependencyDirect Dependency: A direct dependency is a package your project declares explicitly in its manifest (package…
Directed Acyclic GraphDirected Acyclic Graph: A directed acyclic graph (DAG) is a set of nodes connected by one-way edges with no c…
Distroless ImageDistroless Image: A distroless image contains only your application and its runtime dependencies, with no pac…
Distroless ImageDistroless Image: A distroless image contains only the application and its runtime dependencies, with no shel…
DNS Record TypesDNS record types (A, AAAA, CNAME, MX, TXT, NS) each map a name to a different kind of value - addresses, alia…
DNS ResolutionDNS resolution translates a hostname into an IP address before a connection can open. Slow or failing resolut…
DockerfileDockerfile: A Dockerfile is a text file of ordered instructions (`FROM`, `RUN`, `COPY`, `CMD`) that Docker or…
dockerignoredockerignore: A .dockerignore file lists paths excluded from the build context before it is sent to the build…
Dual WriteDual Write: A dual write has application code write to both the old and new schema (or store) at once during…
Dynamic AnalysisDynamic Analysis: Dynamic analysis examines a program while it runs, observing real execution to find issues…
Dynamic LinkingDynamic Linking: Dynamic linking resolves library references at load time rather than build time, so the exec…
EgressEgress is traffic leaving a network or instance - outbound connections. Locking down egress limits what a com…
Elastic IPAn elastic IP is a static public IPv4 address you own and can remap between instances, giving a fixed endpoin…
ELTELT is Extract, Load, Transform - load raw data into the warehouse first, then transform it in place using th…
End-to-End TestEnd-to-End Test: An end-to-end test drives the whole application the way a user would (through the UI or publ…
End-to-End TestEnd-to-End Test: An end-to-end (E2E) test exercises a complete user flow through the fully assembled system,…
End-to-End TestingEnd-to-End Testing: End-to-end testing validates a complete user flow through the entire system, from the int…
Entry PointEntry Point: An entry point is the file a bundler starts from when building the dependency graph. Each entry…
ENTRYPOINTENTRYPOINT: ENTRYPOINT is the Dockerfile instruction that sets the executable a container always runs. Argume…
Environment ModeEnvironment Mode: Environment mode is the setting (typically `development` or `production`) that tells a bund…
Environment ParityEnvironment Parity: Environment parity is keeping development, staging, and production as similar as possible…
Environment VariableEnvironment Variable: An environment variable is a named value held in a process environment and inherited by…
Error BudgetError Budget: An error budget is the amount of unreliability a service is allowed before it breaches its SLO.…
Error BudgetError Budget: An error budget is the allowed amount of unreliability under an SLO, for example the 0.1% of fa…
ETLETL is Extract, Transform, Load - pull data from sources, reshape it, then load the cleaned result into a des…
Event LoopAn event loop repeatedly waits for events - I/O readiness, timers, messages - and dispatches their handlers o…
Event-Driven PipelineEvent-Driven Pipeline: An event-driven pipeline starts work in response to events (a webhook, a queued messag…
Eventual ConsistencyEventual consistency means replicas may briefly disagree after a write but converge to the same value over ti…
Exactly-Once SemanticsExactly-once semantics ensures each message takes effect a single time despite retries and failures, built fr…
Expand-Contract MigrationExpand-Contract Migration: An expand-contract migration splits a breaking schema change into an additive expa…
Exploratory TestExploratory Test: Exploratory testing is unscripted, human-driven testing where the tester simultaneously des…
Exploratory TestExploratory Test: An exploratory test is unscripted, human-driven testing where the tester simultaneously des…
Exponential Backoff with JitterExponential backoff with jitter spaces retries by growing delays plus randomness, so many clients recovering…
FakeFake: A fake is a test double with a working but simplified implementation, such as an in-memory database ins…
Fan-Out / Fan-InFan-Out / Fan-In: Fan-out / fan-in is a pipeline pattern where one stage splits work into many parallel jobs…
Fast FeedbackFast Feedback: Fast feedback is the principle that developers should learn about defects as quickly as possib…
Fast-Forward MergeFast-Forward Merge: A fast-forward merge happens when the target branch has no new commits since the source b…
Feature Branch WorkflowFeature Branch Workflow: A feature branch workflow is a branching model where each unit of work is developed…
Feature FlagA feature flag is a runtime switch that turns code paths on or off without redeploying, letting teams ship da…
Feature FlagFeature Flag: A feature flag (feature toggle) is a runtime switch that turns a code path on or off without re…
Federated IdentityFederated identity lets one system trust identities issued by another, so a CI provider’s tokens are accepted…
Feedback LoopFeedback Loop: A feedback loop is the cycle between making a change and learning whether it worked; shorter l…
Fencing TokenA fencing token is a monotonically increasing number issued with a lock so a stale leader’s late writes are r…
FiberA fiber is a lightweight, cooperatively scheduled thread of execution managed in user space, letting one OS t…
FixtureA fixture is the fixed, known state a test sets up before running - sample data, configured objects, a prepar…
FixtureFixture: A fixture is the fixed baseline state, data, or objects set up before a test runs and torn down afte…
Fixture DataFixture Data: Fixture data is a fixed, predefined dataset loaded before a test so the test runs against a kno…
Flaky TestFlaky Test: A flaky test passes or fails inconsistently on the same code, without any change. Common causes a…
Flaky TestFlaky Test: A **flaky test** passes and fails on the same code due to nondeterminism (races, timing, external…
Flaky Test QuarantineFlaky Test Quarantine: Flaky test quarantine is the practice of isolating a known-flaky test so its nondeterm…
Flaky Test QuarantineFlaky Test Quarantine: Flaky test quarantine moves known-flaky tests into a non-blocking bucket so their inte…
Full Table ScanA full table scan reads every row in a table to satisfy a query. Fine for small tables, but a common bottlene…
Function CoverageFunction Coverage: Function coverage is the percentage of defined functions or methods that were called at le…
Functional TestFunctional Test: A functional test verifies that a feature produces the correct output for a given input, che…
Fuzz TestFuzz Test: A fuzz test feeds a program large volumes of random, malformed, or unexpected inputs to find crash…
Fuzz TestFuzz Test: A fuzz test feeds a program large volumes of random, malformed, or unexpected input to find crashe…
Gate CriteriaGate Criteria: Gate criteria are the explicit, measurable conditions a change must meet to pass a pipeline ga…
Git BisectGit Bisect: git bisect is a binary search over commit history to find the exact commit that introduced a bug.…
Git RefGit Ref: A git ref is a named pointer to a commit, stored under `.git/refs/` (or in `packed-refs`). Branches,…
Git TagGit Tag: A git tag is a ref that points to a specific commit and, unlike a branch, does not move as new commi…
GitflowGitflow: Gitflow is a branching model, introduced by Vincent Driessen, that uses long-lived `main` and `devel…
Golden File (Snapshot Test)Golden File (Snapshot Test): A golden file, also called a snapshot test, stores an approved reference output…
Golden SignalsGolden Signals: The golden signals are four metrics Google's SRE practice recommends monitoring for any user-…
Gossip ProtocolA gossip protocol spreads state across a cluster by having each node periodically exchange info with a few ra…
GraphQL APIGraphQL API: A GraphQL API exposes a single endpoint where the client sends a query describing exactly the fi…
Green ThreadA green thread is a thread scheduled by a language runtime instead of the OS, so a program runs millions chea…
HEADHEAD: HEAD is the symbolic ref pointing to the current branch (or, when detached, directly to a commit). It m…
HEALTHCHECKHEALTHCHECK: A HEALTHCHECK is a Dockerfile instruction or runtime setting that periodically runs a command in…
Hermetic BuildA hermetic build runs isolated from the network and host state, depending only on declared inputs - the basis…
Hermetic BuildA hermetic build runs sealed from the network and host state, using only declared inputs, so the same sources…
Hermetic BuildHermetic Build: A hermetic build is a build that depends only on explicitly declared inputs and is isolated f…
HypervisorA hypervisor is the layer that creates and runs virtual machines, partitioning one physical host into many is…
IAM policyAn IAM policy is a document granting or denying identities specific actions on specific resources, the core w…
IdempotencyIdempotency: Idempotency is the property that performing an operation multiple times has the same effect as p…
Idempotency KeyAn idempotency key is a unique token a client attaches to a request so a server can recognize and ignore dupl…
Idempotent DeployIdempotent Deploy: An idempotent deploy is a deployment that produces the same end state no matter how many t…
Idempotent MigrationIdempotent Migration: An idempotent migration produces the same result whether it runs once or many times, ty…
Image DigestImage Digest: An image digest is the SHA-256 content hash that uniquely and immutably identifies an image (fo…
Image LayerImage Layer: An image layer is a single filesystem diff created by one build instruction. Layers stack to for…
Image RegistryImage Registry: An image registry is a server that stores and distributes container images (Docker Hub, GitHu…
Image RegistryImage Registry: An image registry is a service that stores and distributes container images (Docker Hub, GitH…
Image SquashingImage Squashing: Image squashing merges multiple build layers into fewer (or one) to reduce final image size…
Image TagImage Tag: An image tag is a human-readable label attached to an image in a repository (for example `myapp:1.…
Image VulnerabilityAn image vulnerability is a known security flaw in a container image’s OS packages or libraries, surfaced by…
Immutable AMIAn immutable AMI is a pre-baked machine image deployed unchanged - you replace instances rather than patch th…
Immutable InfrastructureImmutable infrastructure never patches running servers in place; to change anything you build a fresh image a…
Immutable TagAn immutable tag is a registry image tag that cannot be overwritten once pushed, so a given tag always maps t…
Imperative PipelineImperative Pipeline: An imperative pipeline spells out each build step and its execution order explicitly in…
IncidentIncident: An incident is an unplanned disruption or degradation of a service that requires a response, such a…
Incremental BuildIncremental Build: An incremental build rebuilds only the parts of a project affected by a change, reusing pr…
Incremental BuildIncremental Build: An incremental build rebuilds only the parts of a project affected by a change, reusing pr…
Index ScanAn index scan reads rows by walking a database index instead of the whole table, jumping straight to matching…
Inner LoopInner Loop: The inner loop is the fast, local cycle a developer repeats while coding: edit, build, run, and t…
Instance MetadataInstance metadata is data about a running instance - IDs, IPs, IAM credentials - exposed over a link-local en…
Integration TestAn integration test verifies that multiple components - code plus a database, queue, or API - work correctly…
Integration TestIntegration Test: An integration test exercises two or more real components together (for example code plus a…
Integration TestIntegration Test: An integration test verifies that two or more components work correctly together, exercisin…
Integration TestingIntegration Testing: Integration testing verifies that multiple components or services work correctly togethe…
Integrity HashIntegrity Hash: An integrity hash is the cryptographic digest (such as the `sha512-...` value in a lockfile's…
Internet GatewayAn internet gateway is the VPC component that enables two-way traffic between a public subnet and the interne…
InterpreterInterpreter: An interpreter is a program that reads source code (or an intermediate form) and executes it dir…
KanbanKanban is a flow-based agile method that visualizes work on a board and caps work-in-progress, pulling tasks…
KanbanKanban: Kanban is a flow-based method that visualizes work on a board, limits work in progress, and pulls new…
KMS (Key Management Service)A KMS creates, stores, and controls cryptographic keys, so CI can encrypt secrets and sign artifacts without…
Layer CachingLayer Caching: Layer caching reuses the results of previously built image layers when their inputs are unchan…
Lead TimeLead Time: Lead time is the elapsed time from when a change is requested or committed until it is running in…
Lead Time for ChangesLead Time for Changes: Lead time for changes is a DORA metric measuring the time from a commit being merged t…
Leader ElectionLeader election is how a cluster picks one node to coordinate writes or decisions, and re-elects a new one wh…
Least PrivilegeLeast privilege grants each identity only the permissions it actually needs and no more, so a leaked CI crede…
Library PathLibrary Path: A library path is the list of directories the linker (build time) or loader (run time) searches…
Line CoverageLine Coverage: Line coverage is the percentage of executable source lines that were run at least once by the…
Line CoverageLine Coverage: Line coverage is the fraction of executable source lines that ran at least once during the tes…
LinkerLinker: A linker combines one or more compiled object files, plus referenced libraries, into a single executa…
LintingLinting: Linting is static analysis that flags likely bugs, suspicious patterns, and style violations, for ex…
Load Balancer Health CheckA load balancer health check probes each backend on an interval and stops routing traffic to instances that f…
Load TestLoad Test: A load test measures how a system behaves under an expected level of concurrent demand, checking t…
LockfileLockfile: A lockfile (such as `package-lock.json`, `poetry.lock`, or `Cargo.lock`) records the exact resolved…
LockfileLockfile: A **lockfile** (package-lock.json, Cargo.lock, etc.) pins exact dependency versions so builds are r…
Lockfile DriftLockfile drift is when the committed lockfile no longer matches the manifest, so CI installs different versio…
Lockfile Drift DetectionLockfile Drift Detection: Lockfile drift is when a project’s lockfile no longer matches its manifest, so inst…
Lockfile IntegrityLockfile integrity records a cryptographic hash per dependency, so a CI install fails loudly if a fetched pac…
Long PollingLong Polling: Long polling is a technique where the client sends a request that the server holds open until a…
Machine CodeMachine Code: Machine code is the set of binary instructions a specific CPU executes directly. It is the fina…
Machine ImageA machine image is a snapshot of a full disk - OS, packages, and config - used to boot identical instances. A…
MacroMacro: A macro is a named fragment of code that the preprocessor (or a language macro system) expands inline…
Manifest FileManifest File: A manifest file is a build-generated JSON that maps logical asset names to their hashed output…
Manual GateManual Gate: A manual gate is any pipeline checkpoint that requires deliberate human action (a click, an appr…
Materialized ViewA materialized view stores the precomputed result of a query on disk and refreshes it, trading storage and st…
Mean Time to Detect (MTTD)Mean Time to Detect (MTTD): Mean time to detect is the average time between when an incident begins and when…
Mean Time to Recovery (MTTR)Mean Time to Recovery (MTTR): Mean time to recovery (MTTR) is the average time it takes to restore service af…
Merge CommitMerge Commit: A merge commit is a commit with two or more parents that joins diverged branches together, reco…
Merge ConflictA merge conflict occurs when git cannot auto-reconcile changes to the same lines from two branches, requiring…
Merge ConflictMerge Conflict: A merge conflict occurs when Git cannot automatically reconcile two branches because both cha…
Merge QueueA merge queue serializes pull requests and tests each against the latest main before merging, stopping green…
Migration (schema)A schema migration is a versioned, scripted change to a database structure, applied in order so every environ…
Migration RollbackMigration Rollback: A migration rollback reverses a previously applied migration, restoring the prior schema…
MinificationMinification shrinks code by removing whitespace, comments, and long names without changing behavior, so the…
MinificationMinification: Minification removes whitespace, comments, and unnecessary characters from code without changin…
MockA mock is a test double pre-programmed with expectations about how it should be called, failing the test if t…
MockMock: A mock is a test double that is preprogrammed with expectations about the calls it should receive, and…
MockMock: A mock is a test double pre-programmed with expectations about how it should be called, that fails the…
Mock ObjectMock Object: A mock object is a test double preprogrammed with expectations about the calls it should receive…
Module BundlerModule Bundler: A module bundler is a bundler that understands module systems (ES modules, CommonJS) and stit…
Module ResolutionModule Resolution: Module resolution is the process a bundler or runtime uses to turn an import specifier (li…
MonorepoA monorepo keeps many projects in a single repository, sharing tooling and history. It eases cross-project ch…
MonorepoMonorepo: A monorepo is a single version-control repository that holds many projects or services that are bui…
MonorepoMonorepo: A monorepo is a single repository holding many projects or services that share history, tooling, an…
mTLS (mutual TLS)mTLS has both client and server present certificates, so each cryptographically proves its identity - the bac…
Multi-Stage BuildMulti-Stage Build: A multi-stage build uses several `FROM` stages in one Dockerfile: a heavy build stage comp…
Multi-Stage DockerfileMulti-Stage Dockerfile: A multi-stage Dockerfile uses several `FROM` stages so build tooling stays in an earl…
Mutation TestingMutation Testing: Mutation testing measures test-suite quality by introducing small changes (mutants) into th…
N+1 query problemThe N+1 query problem is running one query to fetch a list, then one extra query per item - turning a page lo…
NAT GatewayA NAT gateway lets instances in a private subnet make outbound internet connections (to pull packages) while…
Network ACLA network ACL is a stateless, ordered set of allow/deny rules applied at the subnet boundary - a coarse secon…
Non-Functional TestNon-Functional Test: A non-functional test verifies qualities of the system rather than specific features: pe…
Nondeterministic TestNondeterministic Test: A nondeterministic test produces results that depend on uncontrolled factors like timi…
Object FileObject File: An object file (.o, .obj) is the compiled machine code of a single source file before linking. I…
Object Lifecycle PolicyAn object lifecycle policy automatically transitions or expires stored objects by age - moving old CI artifac…
OIDC FederationOIDC federation lets a CI system trade its own signed identity for cloud credentials by trusting its OIDC iss…
On-CallOn-Call: On-call is the rotation of engineers responsible for responding to alerts during a shift. Sustainabl…
Optimistic LockingOptimistic locking lets transactions proceed without locks and checks a version column at commit, retrying if…
Optimization LevelOptimization Level: An optimization level is a compiler setting (for example `-O0` through `-O3`, or `-Os` fo…
ORM (Object-Relational Mapping)An ORM maps database rows to in-memory objects so developers query in their host language. It speeds work but…
Outer LoopOuter Loop: The outer loop is the cycle that begins when a developer shares code: pull request, CI checks, re…
PACELCPACELC extends CAP: under a Partition choose Availability or Consistency, Else (normal operation) choose Late…
Package RegistryPackage Registry: A package registry is a repository that hosts published software packages for a language ec…
PaginationPagination: Pagination is splitting a large API result set into pages, returned a few at a time. Offset pagin…
Pair ProgrammingPair Programming: Pair programming is two developers working together at one workstation, one typing (the dri…
ParquetParquet is an open columnar file format for analytics - compressed, schema-aware, and splittable - the defaul…
Partition PruningPartition pruning lets a query engine skip whole data partitions that can’t match the filter, reading far les…
PATHPATH: PATH is the environment variable holding a colon-separated list of directories the shell searches, in o…
Path CoveragePath Coverage: Path coverage measures the percentage of distinct execution paths through a function that were…
Peer DependencyPeer Dependency: A peer dependency is a package your library expects the host project to provide rather than…
Performance TestPerformance Test: A performance test measures speed, responsiveness, and stability under a given workload, co…
Performance TestPerformance Test: A performance test measures the speed, responsiveness, and resource efficiency of a system…
Pessimistic LockingPessimistic locking grabs a row or table lock before reading, blocking other writers. It prevents conflicts a…
Pinned VersionPinned Version: A pinned version is a dependency declared as one exact version (like `1.2.3`, no range operat…
PipelinePipeline: A **pipeline** is the automated sequence of stages - build, test, deploy - a code change passes thr…
Pipeline as CodePipeline as Code: Pipeline as code means defining CI/CD pipelines in version-controlled files that live in th…
Pipeline GatePipeline Gate: A pipeline gate is a checkpoint in a CI/CD pipeline that blocks progress until a defined condi…
Pipeline StagePipeline Stage: A pipeline stage is a named phase of a CI/CD pipeline (such as build, test, or deploy) that g…
PollingPolling: Polling is repeatedly asking a service whether something changed on a fixed interval, as opposed to…
PolyrepoA polyrepo splits each project or service into its own repository, giving teams independent CI and release cy…
PolyrepoPolyrepo: A polyrepo (multi-repo) layout splits each project or service into its own repository, giving indep…
PostmortemPostmortem: A postmortem is a written review after an incident that documents what happened, the impact, the…
Prepared StatementA prepared statement is a pre-parsed SQL template with bound parameters, reused across executions - it speeds…
PreprocessorPreprocessor: A preprocessor transforms source code before compilation, handling directives such as `#include…
Primary-replica replicationPrimary-replica is a topology where one node accepts writes and replicates them to read-only replicas - the b…
Principle of Least PrivilegePrinciple of Least Privilege: The principle of least privilege states that an identity should be granted only…
ProcessProcess: A process is a running instance of a program, with its own memory, file descriptors, and a unique pr…
Product BacklogProduct Backlog: A product backlog is the single, ordered list of everything that might be built (features, f…
Production BuildProduction Build: A production build compiles an app with all optimizations enabled, including minification,…
Progressive DeliveryProgressive delivery rolls a release out gradually - canaries, ramps, flags - with automated metric gates tha…
Property-Based TestProperty-Based Test: A property-based test asserts that a general property holds for many automatically gener…
Property-Based TestProperty-Based Test: A property-based test checks that a property holds for many automatically generated inpu…
Provenance AttestationA provenance attestation is a signed record of how an artifact was built - source, builder, inputs - that con…
Proxy RepositoryProxy Repository: A proxy repository is a repository that caches artifacts fetched from a remote upstream (li…
Pull request (PR)A pull request proposes merging one branch into another, bundling the diff with discussion, reviews, and CI c…
Pull RequestPull Request: A pull request (PR; merge request on GitLab) is a proposal to merge one branch into another. It…
Quality GateQuality Gate: A quality gate is a pass/fail checkpoint in a pipeline that blocks progress unless defined crit…
Quality GateQuality Gate: A quality gate is a pass/fail checkpoint that fails a build when code quality metrics (coverage…
Query PlanA query plan is the step-by-step strategy a database picks to execute a SQL statement - which indexes, joins,…
QuorumA quorum is the minimum number of nodes that must agree for an operation to count as committed, ensuring over…
Rate Limit HeaderRate Limit Header: A rate limit header is an HTTP response header that reports your quota usage, commonly `X-…
Rate LimitingRate limiting caps how many requests a client may make in a window, protecting a service from overload and ab…
Reactor PatternThe reactor pattern demultiplexes incoming I/O events and dispatches each to a registered handler, the design…
Read ReplicaA read replica is a copy of a database that serves read-only queries, offloading traffic from the primary and…
Readiness GateReadiness Gate: A readiness gate is a condition that must be satisfied before an instance or deployment is co…
Rebase vs MergeRebase vs merge is the choice between replaying commits onto the target for a linear history, or joining bran…
RED MethodRED Method: The RED method monitors three request-level metrics per service: Rate (requests per second), Erro…
RefspecRefspec: A refspec maps refs between a remote and your repository in the form `+<src>:<dst>`, for example `+r…
Regression SuiteRegression Suite: A regression suite is the accumulated set of tests run to confirm that previously working b…
Regression TestRegression Test: A regression test verifies that previously working behavior still works after a change. When…
Regression TestRegression Test: A regression test re-runs existing tests after a change to confirm that previously working f…
Regression TestRegression Test: A regression test re-runs existing tests after a change to confirm that previously working b…
Regression TestingRegression Testing: Regression testing reruns existing tests after a change to confirm that previously workin…
Release BranchRelease Branch: A release branch is a branch (e.g. `release/2.1`) cut from main to stabilize a specific versi…
Release candidate (RC)A release candidate is a build believed ready to ship, tagged for final testing. If no blocking defects surfa…
Release EngineeringRelease Engineering: Release engineering is the discipline of making the build, packaging, and release of sof…
Release NotesRelease notes summarize what changed in a version for users - features, fixes, breaking changes - often gener…
Release VersionRelease Version: A release version is an immutable, published artifact version whose coordinates always resol…
Remote Build CacheA remote build cache shares compiled outputs across machines and CI runs over the network, so work done once…
Remote-Tracking BranchRemote-Tracking Branch: A remote-tracking branch (like `origin/main`) is a local, read-only ref that records…
Replication LagReplication lag is the delay between a write committing on the primary database and that change appearing on…
ReproducibilityReproducibility: Reproducibility is the property that building the same source in the same way always yields…
Reproducible BuildA reproducible build produces bit-for-bit identical output from the same source and inputs, letting anyone ve…
Reproducible BuildReproducible Build: A reproducible build produces bit-for-bit identical output artifacts every time it runs f…
Reserved InstanceA reserved instance is a cloud capacity commitment (1–3 years) traded for a steep discount over on-demand pri…
REST APIREST API: A REST API is a web interface that exposes resources at URLs and is operated with standard HTTP met…
Reverse DNSReverse DNS maps an IP address back to a hostname via a PTR record, used for logging, mail server trust, and…
Reverse ProxyA reverse proxy sits in front of backend servers, taking client requests and forwarding them - handling TLS,…
Role AssumptionRole assumption lets an identity take on another role’s permissions via short-lived credentials, so CI acts i…
RollbackA rollback reverts a deployment to the previous known-good version after a release goes wrong. Fast, reliable…
RollbackRollback: A rollback reverts a system to a previously known-good version after a deployment causes problems.…
RollbackRollback: A rollback is the act of reverting a system to a previous known-good version after a deployment int…
Rolling UpdateRolling Update: A rolling update replaces instances of an application in batches, updating a few at a time wh…
RunbookRunbook: A runbook is a documented, step-by-step procedure for responding to a specific alert or operational…
Saga PatternThe saga pattern coordinates a multi-service transaction as a sequence of local steps, each with a compensati…
Sanity TestSanity Test: A sanity test is a narrow, focused check that a specific new change or bug fix behaves as expect…
Sanity TestSanity Test: A sanity test is a narrow, quick check of specific new functionality or a targeted fix to confir…
Sanity TestingSanity Testing: Sanity testing is a narrow, focused check that a specific function or recent fix works as exp…
SASTSAST (Static Application Security Testing) scans source code for security flaws like injection and unsafe API…
SBOMAn SBOM (Software Bill of Materials) is a machine-readable inventory of every component and dependency in a b…
Schema MigrationSchema Migration: A schema migration changes the structure of a database (tables, columns, indexes, constrain…
Schema RegistryA schema registry stores and versions the schemas for messages on a stream, enforcing compatibility so produc…
Scoped PackageScoped Package: A scoped package is an npm package namespaced under an `@scope/` prefix, like `@latchkey/cli`…
Scratch ImageScratch Image: A scratch image is the empty base image `FROM scratch`: it contains no files at all. You copy…
Scratch ImageScratch Image: The scratch image is an empty base image (`FROM scratch`) containing nothing at all. It is use…
ScrumScrum: Scrum is an agile framework that organizes work into fixed-length sprints, with defined roles (product…
Secret RotationSecret rotation periodically replaces credentials with new values and retires the old, limiting how long any…
Security GroupA security group is a stateful virtual firewall attached to an instance, allowing inbound and outbound traffi…
Security TestSecurity Test: A security test probes an application for vulnerabilities such as injection, broken authentica…
Seed DataSeed Data: Seed data is a set of initial records inserted into a database to give an application a usable bas…
Self-Healing CISelf-Healing CI: **Self-healing CI** automatically detects, fixes, and retries transient or mechanical failur…
Semantic Version RangeSemantic Version Range: A semantic version range is a specifier (like `>=1.2.0 <2.0.0`) that describes a set…
Semantic versioning (SemVer)Semantic versioning numbers releases MAJOR.MINOR.PATCH so the version itself signals compatibility: breaking,…
Semantic VersioningSemantic Versioning: Semantic versioning (SemVer) formats a version as MAJOR.MINOR.PATCH, where MAJOR marks b…
Semantic Versioning (SemVer)Semantic Versioning (SemVer): Semantic versioning is a version-numbering scheme of `MAJOR.MINOR.PATCH` where…
Service DiscoveryService discovery lets services find each other by name as instances come and go, via DNS or a registry, inst…
Service Level Agreement (SLA)Service Level Agreement (SLA): A service level agreement is a contractual commitment about a service level, u…
Service Level Indicator (SLI)Service Level Indicator (SLI): A service level indicator is the actual measured metric behind an SLO, such as…
Service Level Objective (SLO)Service Level Objective (SLO): A service level objective is a target for a reliability metric over a window,…
SetupSetup: Setup is the phase that runs before a test to prepare the state it needs, such as creating objects, se…
Sharding (database)Database sharding splits one logical dataset across multiple machines by a shard key, so each node holds only…
Shared LibraryShared Library: A shared library (.so on Linux, .dll on Windows, .dylib on macOS) is a compiled library loade…
Shared StateShared State: Shared state is data or resources (globals, singletons, a common database, files) accessed by m…
ShellShell: A shell is the command interpreter that reads commands, expands variables and globs, and launches proc…
Shift LeftShift Left: Shift left is moving testing, security, and quality checks earlier in the delivery process, so de…
Shift LeftShift Left: Shift left is the practice of moving quality and security checks earlier in the delivery process,…
Shift RightShift Right: Shift right is the practice of testing and observing systems in production or production-like en…
Shift-LeftShift-Left: Shift-left is the practice of moving quality and security activities earlier in the development l…
Short-Lived BranchShort-Lived Branch: A short-lived branch is a feature branch that lives hours to a couple of days before merg…
Short-Lived CredentialsShort-lived credentials expire minutes after issue, so a leaked CI token is useless almost immediately - the…
Sidecar ProxyA sidecar proxy runs beside a service intercepting its traffic to add retries, mTLS, timeouts, and telemetry…
SLSA (Supply-chain Levels for Software Artifacts)SLSA is a security framework defining graded levels of build and release integrity, from basic provenance up…
Smoke TestSmoke Test: A smoke test is a quick, shallow check that the most critical functionality works at all, run rig…
Smoke TestSmoke Test: A smoke test is a quick, shallow check that the most critical paths work at all, run first so an…
Smoke TestSmoke Test: A smoke test is a small, fast set of checks that confirm the most critical functionality works be…
Smoke TestSmoke Test: A smoke test is a small, fast set of checks that confirm the most critical paths of a build work…
Smoke TestSmoke Test: A smoke test is a small, fast check that verifies the most critical paths work at all, run right…
Smoke TestingSmoke Testing: Smoke testing is a quick, shallow check that the most critical paths of a build work at all, r…
Snapshot IsolationSnapshot isolation gives each transaction a consistent point-in-time view of the database, so reads never blo…
Snapshot TestSnapshot Test: A snapshot test records the output of code (a rendered component, a serialized object) to a st…
Snapshot TestingSnapshot Testing: Snapshot testing records the output of code (rendered UI, serialized data) on first run and…
Snapshot VersionSnapshot Version: A snapshot version is a mutable, in-development artifact version (ending in `-SNAPSHOT` in…
Soak TestSoak Test: A soak test (endurance test) applies a sustained, moderate load over a long period to expose issue…
Software Development LifecycleSoftware Development Lifecycle: The software development lifecycle (SDLC) is the end-to-end process of buildi…
Source Date EpochSource Date Epoch: SOURCE_DATE_EPOCH is a standardized environment variable holding a Unix timestamp that bui…
Source MapA source map links minified or transpiled output back to original source, so stack traces and debuggers point…
Spike TestSpike Test: A spike test subjects a system to a sudden, sharp surge in load and then a rapid drop, checking h…
Split BrainSplit brain is a failure where a network partition leaves two halves of a cluster each believing it is the le…
SprintA sprint is a fixed-length iteration in Scrum during which a team commits to and delivers a set scope, ending…
SprintSprint: A sprint is a short, fixed-length iteration in Scrum (commonly one to four weeks) during which a team…
SpySpy: A spy is a test double that wraps a real or fake object and records information about how it was called,…
Squash CommitA squash commit collapses all commits on a branch into one before merging, giving the main branch a clean, si…
Squash MergeSquash Merge: A squash merge combines all commits on a branch into a single commit when merging, so the targe…
StagingStaging is a production-like environment used to validate a release before it ships, catching integration and…
Statement CoverageStatement Coverage: Statement coverage is the percentage of individual statements in the code that were execu…
Static AnalysisStatic Analysis: Static analysis inspects source code without running it, using parsing and data-flow analysi…
Static LinkingStatic Linking: Static linking copies the machine code of every library a program uses into the final executa…
Status CheckA status check is the pass/fail result a CI job reports to a commit or pull request. Required checks block me…
Storage ClassA storage class is a tier of object storage trading retrieval speed and cost - standard for hot data, infrequ…
Story PointA story point is a relative unit of effort a team assigns to a backlog item, capturing complexity and uncerta…
Stream ProcessingStream processing handles data continuously, record by record as it arrives, enabling near-real-time results…
Stress TestStress Test: A stress test pushes a system past its normal operating limits to find its breaking point and ob…
Structured ConcurrencyStructured concurrency scopes concurrent tasks to a block so they all finish or cancel before it exits, makin…
StubA stub is a test double that returns canned responses to calls, supplying the data a test needs without invok…
StubStub: A stub is a test double that returns predetermined responses to calls made during a test, with no logic…
StubStub: A stub is a test double that returns predefined responses to calls made during a test, with no logic of…
StubStub: A stub is a test double that returns predefined responses to calls, with no logic of its own. It lets a…
SubnetA subnet is a slice of a VPC’s IP range tied to one availability zone; public subnets route to the internet,…
Subresource IntegritySubresource Integrity: Subresource Integrity (SRI) is a standard for expressing a resource's expected hash as…
Surge (Deployment)Surge (Deployment): Surge in a rolling update is the number or percentage of extra instances allowed above th…
Symbol TableSymbol Table: A symbol table is a data structure in an object file or executable that maps names (functions,…
System TestSystem Test: A system test validates the complete, integrated application against its requirements in an envi…
System TestSystem Test: A system test validates the complete, integrated application against its specified requirements…
Target (build)Target (build): A build target is the runtime environment a bundler compiles output for, such as a browser, N…
TCP HandshakeA TCP handshake is the three-step SYN, SYN-ACK, ACK exchange that opens a reliable connection before any data…
TeardownTeardown: Teardown is the cleanup phase that runs after a test to release resources and reset state, such as…
Test CaseTest Case: A test case is a single, specific scenario with defined inputs, steps, and an expected result used…
Test CaseTest Case: A test case is a single scenario with defined inputs, actions, and expected outcomes that verifies…
Test CoverageTest coverage measures how much of your code the test suite exercises. It flags untested areas but is a guide…
Test CoverageTest Coverage: Test coverage measures how much of the codebase is exercised by the test suite, expressed as a…
Test CoverageTest Coverage: Test coverage is the percentage of your code (lines, branches, or functions) that is executed…
Test DatabaseTest Database: A test database is an isolated database instance used only by automated tests, so tests can re…
Test DoubleA test double is any stand-in object that replaces a real dependency in a test - the umbrella term covering m…
Test DoubleTest Double: A test double is any object that stands in for a real dependency during a test, such as a stub,…
Test DoubleTest Double: A test double is any stand-in object used in place of a real dependency during testing. Mocks, s…
Test DoubleTest Double: A test double is any object that stands in for a real dependency during a test. Mocks, stubs, sp…
Test FixtureTest Fixture: A test fixture is the fixed baseline state and data a test needs to run reliably, such as a see…
Test FixtureTest Fixture: A test fixture is the fixed baseline state a test needs before it runs: seeded data, temporary…
Test Flake RateTest Flake Rate: Test flake rate is the fraction of test runs that fail non-deterministically on unchanged co…
Test HarnessTest Harness: A test harness is the combination of test framework, drivers, and configuration that automates…
Test HarnessTest Harness: A test harness is the surrounding code and configuration that loads the system under test, driv…
Test Impact AnalysisTest Impact Analysis: Test impact analysis (TIA) selects the subset of tests affected by a code change, using…
Test IsolationTest Isolation: Test isolation means each test runs independently, without depending on or affecting other te…
Test ParallelismTest Parallelism: Test parallelism is running a test suite across multiple workers, processes, or machines at…
Test PlanTest Plan: A test plan is a document that defines the scope, approach, resources, and schedule of testing for…
Test PollutionTest Pollution: Test pollution occurs when one test leaves behind state (files, database rows, global variabl…
Test PyramidTest Pyramid: The test pyramid is a strategy that recommends many fast unit tests at the base, fewer integrat…
Test PyramidTest Pyramid: The test pyramid is a heuristic that recommends many fast unit tests at the base, fewer integra…
Test RetryTest Retry: A test retry re-runs a failed test (or job) a bounded number of times before declaring it failed,…
Test RunnerTest Runner: A test runner is the tool that discovers, executes, and reports on tests. Examples include Jest,…
Test RunnerTest Runner: A test runner is the tool that discovers test cases, executes them, and reports pass/fail result…
Test ShardingTest Sharding: Test sharding splits a single test suite into independent subsets (shards) that run in paralle…
Test SuiteTest Suite: A test suite is a collection of related test cases grouped so they can be run together and report…
Test SuiteTest Suite: A test suite is a collection of related test cases grouped to run together, often by feature, mod…
Thread PoolA thread pool keeps a fixed set of reusable threads to run submitted tasks, avoiding per-task thread creation…
Three-Way MergeThree-Way Merge: A three-way merge reconciles two diverged branches by comparing both tips against their comm…
Tilde RangeTilde Range: A tilde range (`~1.2.3`) permits patch-level updates within a minor version, accepting `1.2.4` b…
Tilde RangeTilde Range: A tilde range (`~`) in npm allows patch-level updates when a minor version is specified, so `~1.…
TLS HandshakeA TLS handshake negotiates the cipher and exchanges keys to secure a connection after TCP connects, adding ro…
ToilToil: Toil is the SRE term for manual, repetitive, automatable operational work that scales with service size…
Transaction IsolationTransaction isolation defines how concurrent transactions see each other’s uncommitted work, from read-uncomm…
Transitive DependencyA transitive dependency is one you pull in indirectly through another package. You never declared it, yet its…
Transitive DependencyTransitive Dependency: A transitive dependency is a package you do not require directly but that one of your…
TranspilationTranspilation: Transpilation converts source code from one language or language version to another at the sam…
TranspilerTranspiler: A transpiler (source-to-source compiler) translates code from one high-level language to another…
Tree ShakingTree shaking removes code that is never imported or used from a bundle by analyzing the module graph, shrinki…
Trunk-Based DevelopmentTrunk-based development keeps everyone committing to one shared branch in small, frequent increments behind f…
Trunk-Based DevelopmentTrunk-Based Development: Trunk-based development is a branching model where developers integrate small change…
Trunk-Based DevelopmentTrunk-Based Development: Trunk-based development is a branching model where developers integrate small change…
TTL (Time To Live)TTL is how long a cached entry or DNS record stays valid before refresh. Too long serves stale data; too shor…
Twelve-Factor AppTwelve-Factor App: The twelve-factor app is a methodology of twelve principles for building portable, scalabl…
Two-Phase CommitTwo-phase commit coordinates a transaction across multiple systems: a prepare phase votes, then a commit phas…
Type CheckingType Checking: Type checking verifies that values are used consistently with their declared or inferred types…
TyposquattingTyposquatting publishes malicious packages under names that misspell popular ones, so a single typo in a depe…
Unit TestA unit test checks a single function or module in isolation with dependencies stubbed. Fast and precise, unit…
Unit TestUnit Test: A unit test verifies a single function, method, or class in isolation, with its collaborators repl…
Unit TestUnit Test: A unit test verifies a single function, method, or class in isolation, with external dependencies…
Upstream BranchUpstream Branch: An upstream branch is the remote branch a local branch is configured to track, set with `git…
Usability TestUsability Test: A usability test evaluates how easily real users can accomplish tasks with the software, meas…
USE MethodUSE Method: The USE method monitors resources by three attributes: Utilization, Saturation, and Errors. It ta…
User DataUser data is a script or config blob passed to an instance at launch and run on first boot by cloud-init - th…
Vacuum (Database)Vacuum reclaims storage occupied by dead rows left behind by updates and deletes in MVCC databases, preventin…
Value StreamValue Stream: A value stream is the full sequence of steps needed to deliver value to a customer, from idea t…
Vector ClockA vector clock tracks causal ordering of events across distributed nodes, letting a system detect whether two…
VelocityVelocity is the average amount of work - usually story points - a team completes per sprint, used to forecast…
Vendor ChunkVendor Chunk: A vendor chunk is an output chunk containing third-party dependencies (typically from `node_mod…
VendoringVendoring: Vendoring is committing a project's third-party dependencies directly into its source tree so buil…
VendoringVendoring: Vendoring copies third-party dependencies directly into your repository (for example a `vendor/` d…
VendoringVendoring: Vendoring is committing your dependencies source code directly into your repository (often a `vend…
Version ConflictVersion Conflict: A version conflict occurs when two parts of a dependency graph require incompatible version…
Version PinningVersion pinning locks a dependency to an exact version so builds are reproducible and an upstream release can…
Version RangeVersion Range: A version range is a constraint that allows a span of versions rather than one exact value, su…
Virtual MachineA virtual machine is a software-emulated computer that runs its own OS on shared physical hardware via a hype…
Virtual RepositoryVirtual Repository: A virtual repository is a single logical endpoint that aggregates several underlying repo…
VPCA VPC is a logically isolated virtual network in the cloud where you place instances, control IP ranges, subn…
WebhookA webhook is an HTTP callback a service sends when an event happens, letting CI react to pushes and pull requ…
WebhookWebhook: A webhook is a user-defined HTTP callback: instead of polling, a system POSTs a payload to a URL you…
WIP (Work-In-Progress) limitA WIP limit caps how many items may sit in a workflow stage at once, exposing bottlenecks and forcing the tea…
Work in Progress LimitWork in Progress Limit: A work in progress limit (WIP limit) caps how many items may be active in a workflow…
Work QueueA work queue holds pending tasks that worker threads pull and execute, decoupling submission from execution a…
Workflow OrchestrationWorkflow Orchestration: Workflow orchestration is the coordination of multiple jobs and their ordering, condi…
Working DirectoryWorking Directory: The working directory (current working directory, cwd) is the folder a process treats as t…
WorkspaceWorkspace: A workspace is a feature of package managers (npm, Yarn, pnpm, Cargo) that lets one repository hol…
Write-Ahead LogA write-ahead log records every change before it is applied, so a database can recover to a consistent state…
Write-Through CacheA write-through cache writes data to the cache and the backing store at the same time, so the cache is never…
Zero TrustZero trust assumes no implicit trust from network location: every request must be authenticated and authorize…
Zero-Downtime MigrationZero-Downtime Migration: A zero-downtime migration changes the schema without interrupting service, by making…
GitHub Actions
Workflows, jobs, steps, actions.
Access TokenAn access token is a short-lived credential a client presents to call an API on a user or service’s behalf, s…
ActionAction: An **action** is a reusable unit of automation referenced with `uses:` - for example `actions/checkou…
Action (GitHub Actions)Action (GitHub Actions): An action is a packaged, reusable unit of workflow automation referenced with `uses:…
Action PinningAction Pinning: Action pinning is referencing a third-party action by its full commit SHA (for example `actio…
AnnotationAnnotation: An annotation in GitHub Actions is a message attached to a workflow run (and optionally a specifi…
API keyAn API key is a static secret string identifying a calling app to a service. Simple but long-lived, it must b…
API KeyAPI Key: An API key is a static secret string that identifies and authorizes a caller, usually passed in a he…
Artifact PromotionArtifact promotion moves one tested build unchanged through environments - dev to staging to prod - so exactl…
Artifact RetentionArtifact retention is how long CI keeps build outputs and logs before auto-deleting them. Tuning it balances…
Auto-MergeAuto-Merge: Auto-merge is a GitHub feature that queues a pull request to merge as soon as its merge checks ar…
Bearer TokenA bearer token authorizes whoever holds it - anyone presenting it in the Authorization header gets access - s…
Bearer TokenBearer Token: A bearer token is a credential sent in an `Authorization: Bearer <token>` header; whoever holds…
Branch ProtectionBranch Protection: Branch protection is a set of rules on a branch (usually `main`) that enforce policy befor…
Branch Protection RuleBranch Protection Rule: A branch protection rule is one configured policy targeting a branch name pattern: it…
Build ArgumentA build argument is a value passed into a Docker build with --build-arg or ARG, used only while building and…
Build MatrixA build matrix defines combinations of variables - language versions, operating systems - that fan one job in…
Build MatrixBuild Matrix: A build matrix is a configuration that expands a single job definition into many parallel jobs,…
Build MatrixBuild Matrix: A build matrix expands one job definition into many parallel jobs, one per combination of the v…
Build ProvenanceBuild provenance is the verifiable record a CI system emits of how an artifact was produced - which commit, w…
Build StepBuild Step: A build step is a single unit of work in a job, either a shell command (`run:`) or a reusable act…
Build TriggerA build trigger is the event - a push, pull request, schedule, or manual dispatch - that starts a CI build. T…
Build TriggerBuild Trigger: A build trigger is the event that launches a pipeline: a push, a pull request, a tag, a schedu…
Cache KeyCache Key: A cache key is the identifier passed to `actions/cache` (the `key:` input) that uniquely names a c…
Cache-ControlCache-Control is the HTTP header that dictates how responses may be cached - max-age, no-store, private - acr…
Callback URLCallback URL: A callback URL is the endpoint you register with a service so it can call back to you when an e…
cancel-in-progresscancel-in-progress: cancel-in-progress is a concurrency option that, when `true`, cancels any already-running…
Certificate RotationCertificate rotation replaces TLS certificates before they expire, so services keep trusting each other and a…
Chunked transfer encodingChunked transfer encoding streams an HTTP response in pieces with no known Content-Length, so the server can…
Code OwnerCode Owner: A code owner is defined by path patterns in a `CODEOWNERS` file (in the repo root, `.github/`, or…
Code ReviewCode Review: Code review is the practice of having peers examine changes before they merge, checking correctn…
Composite ActionComposite Action: A composite action is a custom action defined with `runs.using: composite` that bundles mul…
Composite ActionComposite Action: A composite action bundles multiple steps (shell commands and other actions) into a single…
Composite ActionComposite Action: A composite action is a custom action defined with `runs.using: "composite"` that bundles m…
ConcurrencyConcurrency: **Concurrency** controls limit how many runs of a workflow execute at once, and can cancel super…
Concurrency Cancel-in-ProgressConcurrency Cancel-in-Progress: Cancel-in-progress is a `concurrency` setting that cancels an already-running…
Concurrency GroupA concurrency group is a named key that limits a workflow to one active run at a time, cancelling superseded…
Concurrency GroupConcurrency Group: A concurrency group is the string key under `concurrency.group` that identifies which runs…
Concurrency GroupConcurrency Group: A concurrency group is a key set with `concurrency.group` that limits a workflow (or job)…
Concurrency LimitConcurrency Limit: A concurrency limit caps how many runs share a concurrency group at once; only one run per…
Conditional ExecutionConditional Execution: Conditional execution runs a job or step only when a condition holds, controlled by th…
Conditional StepConditional Step: A conditional step is a job step (or job) with an `if:` expression that decides at runtime…
Content NegotiationContent negotiation is how client and server agree on response format via Accept headers - choosing JSON vs X…
Context ExpressionContext Expression: A context expression is a `${{ ... }}` template in a workflow that reads context data (li…
Context ExpressionContext Expression: A context expression is a `${{ ... }}` template in a workflow that reads from contexts li…
continue-on-errorcontinue-on-error lets a job or step fail without failing the whole workflow, used for non-blocking checks li…
continue-on-errorcontinue-on-error: continue-on-error is a key that lets a job or step fail without failing the overall workfl…
Continue-on-Error FlagContinue-on-Error Flag: The continue-on-error flag lets a job or step fail without failing the overall workfl…
CORS PreflightA CORS preflight is the automatic OPTIONS request a browser sends before a cross-origin call to check the met…
Cron ScheduleCron Schedule: A cron schedule is a `schedule:` trigger entry that runs a workflow on a time-based POSIX cron…
Content Security Policy (CSP)A Content Security Policy is an HTTP header listing trusted sources a page may load scripts and styles from -…
Deploy KeyA deploy key is an SSH key granting a single repository read or write access, scoping CI credentials to one r…
Deploy TokenA deploy token is a narrowly scoped credential granting automated access to push images or pull packages, wit…
Deployment Concurrency GroupDeployment Concurrency Group: A deployment concurrency group uses the `concurrency` key with a shared group n…
DeserializationDeserialization rebuilds an in-memory object from serialized bytes. Doing it on untrusted input is a classic…
Dev ServerDev Server: A dev server is a local HTTP server that serves an app during development, rebuilding on change a…
Docker Container ActionDocker Container Action: A Docker container action is a custom action that runs inside a Docker image, declar…
Draft Pull RequestDraft Pull Request: A draft pull request is a PR in a work-in-progress state that cannot be merged until mark…
Drift DetectionDrift detection finds where the live system has diverged from its declared config - a manual change or failed…
Encrypted SecretEncrypted Secret: An encrypted secret is a credential GitHub encrypts (using libsodium sealed boxes on upload…
Encrypted SecretEncrypted Secret: An encrypted secret is a sensitive value (token, key, password) stored encrypted by GitHub…
Environment Protection RuleEnvironment Protection Rule: An environment protection rule is a gate attached to a deployment environment in…
Environment Protection RulesEnvironment Protection Rules: Environment protection rules are GitHub Actions controls that gate a deployment…
Environment SecretEnvironment Secret: An environment secret is stored on a named environment (like `production`) and is readabl…
Environment Variable ScopingEnvironment variable scoping controls where a value is visible - workflow, job, or step - so secrets and conf…
Ephemeral EnvironmentAn ephemeral environment is a full, short-lived stack spun up per branch or PR for testing and demos, then to…
ETagAn ETag is a fingerprint a server returns for a resource version. The client sends it via If-None-Match so un…
Event PayloadEvent Payload: An event payload is the JSON describing the event that triggered a workflow, available as `${{…
fail-fastfail-fast is a matrix setting that cancels all remaining jobs the moment one fails. On by default, it saves m…
fail-fastfail-fast: fail-fast is a matrix strategy option that, when `true` (the default), cancels all remaining matri…
Fail-Fast StrategyFail-Fast Strategy: A fail-fast strategy cancels the remaining jobs in a matrix as soon as one job fails, con…
Fan-Out Fan-InFan-Out Fan-In: Fan-out fan-in is a pipeline pattern where one job splits work across many parallel jobs (fan…
FormattingFormatting: Formatting is the automated application of a consistent code style (indentation, spacing, line br…
Git HookGit Hook: A Git hook is a script Git runs automatically at points in its workflow, such as before a commit, b…
GitHub FlowGitHub Flow: GitHub flow is a lightweight branching model: branch off `main`, open a pull request, get review…
GITHUB_TOKENGITHUB_TOKEN is the short-lived credential GitHub Actions injects into every workflow run, scoped to the repo…
GITHUB_TOKENGITHUB_TOKEN: GITHUB_TOKEN is the short-lived access token GitHub Actions creates automatically for each work…
GITHUB_TOKEN PermissionsGITHUB_TOKEN Permissions: GITHUB_TOKEN permissions are the `permissions:` scopes granted to the automatic tok…
GitOps ReconciliationGitOps reconciliation is a controller continuously comparing the live cluster to the state declared in Git an…
GraphQLGraphQL is a query language for APIs where the client requests exactly the fields it needs in one call, avoid…
gRPCgRPC is a high-performance RPC framework using HTTP/2 and Protocol Buffers, supporting streaming and code-gen…
Gzip CompressionGzip compression shrinks HTTP response bodies when the client sends Accept-Encoding: gzip, cutting bandwidth…
HMAC SignatureAn HMAC signature proves a message’s authenticity and integrity with a shared secret key - how a receiver ver…
Hot Module ReplacementHot Module Replacement: Hot module replacement (HMR) swaps updated modules into a running application without…
HTTP Status CodesHTTP status codes are three-digit numbers signaling a request’s outcome - 2xx success, 3xx redirect, 4xx clie…
IdempotencyIdempotency means an operation can run repeatedly with the same effect as running it once. It is what makes r…
Idempotent ApplyAn idempotent apply produces the same end state no matter how often it runs, so re-running a deploy or terraf…
Idempotent RequestAn idempotent request gives the same result whether sent once or many times, so safe retries never duplicate…
if Conditional (GitHub Actions)if Conditional (GitHub Actions): The if conditional is a `if:` expression on a job or step that decides wheth…
JavaScript ActionJavaScript Action: A JavaScript action is a custom action that runs directly on the runner with Node.js, decl…
JobJob: A **job** is a set of steps that run on a single runner. Jobs run in parallel by default and can depend…
Job Concurrency Group KeyJob Concurrency Group Key: A concurrency group key is the string that groups workflow runs so only one run pe…
Job Concurrency LimitJob Concurrency Limit: A job concurrency limit caps how many jobs may run at the same time within a scope, se…
Job ContainerJob Container: A job container is a Docker image, set with the `container:` key, that a whole GitHub Actions…
Job DependencyJob Dependency: A job dependency is a declared requirement that one job wait for another to finish before it…
Job MatrixJob Matrix: A job matrix is a `strategy.matrix` definition that expands a single job into multiple parallel j…
Job SummaryJob Summary: A job summary is custom Markdown a step writes to the `$GITHUB_STEP_SUMMARY` file, rendered on t…
Job Timeout LimitJob Timeout Limit: A job timeout limit is the maximum time a job may run before CI cancels it, set with `time…
JSON SchemaJSON Schema is a vocabulary for declaring the shape of JSON documents - required fields, types, constraints -…
JWT (JSON Web Token)A JWT is a signed, self-contained token carrying claims as JSON. CI uses short-lived JWTs (such as OIDC token…
JWT ClaimsJWT claims are the key-value statements in a token’s payload - issuer, subject, expiry, scopes - read by the…
Key ManagementKey management is the lifecycle of cryptographic keys - generation, storage, rotation, revocation - so CI sig…
Least-Privilege TokenLeast-Privilege Token: A least-privilege token is a credential granted only the minimum scopes required for a…
LintingLinting: Linting is automated static checking that flags programming errors, bugs, stylistic issues, and susp…
Loader (webpack)Loader (webpack): A loader in webpack is a transform applied to a file as it is imported, turning non-JavaScr…
Long PollingLong polling holds an HTTP request open until the server has data or a timeout hits, approximating push witho…
Manual ApprovalManual Approval: Manual approval is a deployment gate where a job targeting a protected environment pauses un…
Marketplace ActionMarketplace Action: A marketplace action is a published, reusable action listed in the GitHub Marketplace tha…
Matrix BuildMatrix Build: A **matrix build** expands one job into many parallel jobs across combinations of variables (ve…
Matrix ExpansionMatrix Expansion: Matrix expansion is how a single matrix job definition multiplies into one job per combinat…
Matrix Expansion LimitMatrix Expansion Limit: A matrix expansion limit is the cap GitHub Actions places on how many jobs one `strat…
Matrix JobMatrix Job: A matrix job uses `strategy.matrix` to expand one job definition into many parallel jobs, one per…
Matrix Max-ParallelMatrix Max-Parallel: Matrix max-parallel caps how many jobs from a build matrix run at the same time, set wit…
Merge QueueMerge Queue: A merge queue serializes the merging of approved pull requests, testing each one against the lat…
Merge Queue BatchingMerge Queue Batching: Merge queue batching groups several queued pull requests and tests them together agains…
Multipart UploadA multipart upload splits a large file into parts uploaded independently and resumably, then assembled server…
Mutual TLSMutual TLS has both client and server present certificates so each proves its identity to the other, authenti…
needs (GitHub Actions)needs (GitHub Actions): needs declares that a job depends on one or more other jobs, making it wait until the…
needs (Job Dependency)needs (Job Dependency): needs is a key that makes one job wait for one or more other jobs to complete success…
NonceA nonce is a number used once, attached to a request so a server rejects any duplicate - the standard defense…
OIDCOIDC: **OIDC** (OpenID Connect) lets a workflow exchange its identity for short-lived cloud credentials, remo…
OIDC FederationOIDC Federation: OIDC federation lets a CI workflow exchange a short-lived OpenID Connect token for cloud cre…
OIDC Federation (CI to Cloud)OIDC Federation (CI to Cloud): OIDC federation lets a CI workflow present a signed identity token to a cloud…
OIDC TokenAn OIDC token is the short-lived signed identity a workflow presents to a cloud provider to get temporary cre…
OIDC TokenOIDC Token: An OIDC token is a short-lived OpenID Connect JWT that GitHub Actions can issue to a job, letting…
Organization SecretOrganization Secret: An organization secret is a secret stored at the org level and made available to all, pr…
Outputs (Job)Outputs (Job): Job outputs are values a job declares under `outputs:` and sets via `$GITHUB_OUTPUT`, which do…
Path FilterPath Filter: A path filter is a `paths:` or `paths-ignore:` list on a `push` or `pull_request` trigger that r…
Path Filter (Trigger)Path Filter (Trigger): A path filter uses `paths` or `paths-ignore` on a `push` or `pull_request` trigger so…
Path Filter TriggerPath Filter Trigger: A path filter trigger runs a workflow only when the changed files match configured path…
PAT (Personal Access Token)A personal access token (PAT) is a user-tied credential used when the built-in GITHUB_TOKEN lacks the cross-r…
Pipeline as CodePipeline as Code: Pipeline as code is defining the CI/CD pipeline in version-controlled files that live with…
Plugin (build)Plugin (build): A build plugin extends a bundler by hooking into the whole build lifecycle rather than a sing…
Pre-Commit HookPre-Commit Hook: A pre-commit hook is a script Git runs before a commit is recorded. It can lint, format, or…
Preview DeploymentA preview deployment publishes a live, shareable instance of a pull request at a unique URL, so reviewers can…
Protected BranchProtected Branch: A protected branch is a branch (often `main`) with branch protection rules that restrict ho…
Protocol Buffers (protobuf)Protocol Buffers are a compact, schema-defined binary serialization format used by gRPC for fast, versioned,…
Pull RequestPull Request: A pull request is a proposal to merge changes from one branch into another. On GitHub it opens…
Pull Request ReviewPull Request Review: A pull request review is a submitted verdict on a PR with a state of `APPROVED`, `CHANGE…
QuarantineQuarantine moves a known-flaky test out of the blocking suite so it no longer fails the build, while still ru…
Rate Limit HeaderRate limit headers like X-RateLimit-Remaining and Retry-After tell a client how much quota is left and when t…
Read-Only TokenRead-Only Token: A read-only token grants read access without write, for example `contents: read`. Configurin…
Repository DispatchRepository Dispatch: Repository dispatch is a webhook-style event that an external system sends to the GitHub…
Repository DispatchRepository Dispatch: Repository dispatch is the `repository_dispatch` trigger that starts a workflow in respo…
Repository RulesetRepository Ruleset: A ruleset is GitHub's newer branch and tag protection mechanism: a named collection of ru…
Repository SecretRepository Secret: A repository secret is an encrypted key/value stored on a single repo and exposed to its w…
Required Reviewers (Deployment)Required Reviewers (Deployment): Required reviewers is an environment protection rule that pauses a deploymen…
REST (Representational State Transfer)REST is an architectural style for web APIs that models resources as URLs and uses HTTP verbs and status code…
Retry BudgetA retry budget caps how many automatic retries are allowed before a failure is treated as real, stopping endl…
Reusable WorkflowReusable Workflow: A reusable workflow is a full workflow file, triggered by `workflow_call`, that other work…
Reusable WorkflowReusable Workflow: A reusable workflow is a workflow that other workflows call with `uses:` and `workflow_cal…
Reusable WorkflowReusable Workflow: A reusable workflow is a complete workflow file that other workflows can call with `uses:`…
Reusable WorkflowReusable Workflow: A **reusable workflow** is a workflow other workflows can call with `uses:`, letting teams…
RPC (Remote Procedure Call)RPC makes a call to a remote service look like a local function call, hiding the network behind a generated s…
Runner LabelA runner label is a tag like ubuntu-latest or self-hosted that a job names in runs-on to select which runners…
runs-onruns-on: runs-on is the required job key that selects which runner executes the job, either by hosted label l…
Runtime vs Build-TimeRuntime vs build-time distinguishes work done while compiling or packaging from work done when the program ru…
Scheduled Trigger Cron ExpressionScheduled Trigger Cron Expression: A scheduled trigger cron expression is the five-field time spec under `on.…
Scheduled WorkflowScheduled Workflow: A scheduled workflow runs on a cron timetable defined under `on: schedule`, using POSIX c…
SecretSecret: A **secret** is an encrypted value (token, key) stored by GitHub and injected into workflows without…
Secret RotationSecret Rotation: Secret rotation is the practice of replacing credentials (tokens, keys, passwords) on a regu…
Secretless CISecretless CI: Secretless CI is a pipeline design where no long-lived secrets are stored in the repository or…
Secrets ManagementSecrets Management: Secrets management is the practice of storing, distributing, and rotating sensitive value…
SerializationSerialization converts an in-memory object into a byte stream or string for storage or transport, so it can b…
Server-Sent Events (SSE)Server-Sent Events stream one-way updates from server to browser over one long-lived HTTP connection, simpler…
Service Account KeyA service account key is a long-lived credential for a non-human automation identity. Powerful and hard to ro…
Service ContainerService Container: A **service container** is a Docker container (e.g. Postgres, Redis) GitHub Actions runs a…
Session TokenA session token is an opaque identifier a server issues at login and the client returns on each request to pr…
Shallow Checkout DepthShallow Checkout Depth: Shallow checkout depth is the number of recent commits fetched during a CI checkout,…
Sharding StrategyA sharding strategy decides how a test suite is split across parallel runners - by count, timing, or file - t…
Short-Lived CredentialsShort-Lived Credentials: Short-lived credentials are access tokens that expire minutes after issue, so a leak…
Signed CommitsSigned commits attach a cryptographic signature to each commit so its author can be verified, proving history…
Sparse Checkout FilterSparse Checkout Filter: A sparse checkout filter limits a CI checkout to specific paths of a repository inste…
Status CheckStatus Check: A status check is a pass or fail result reported against a commit (by CI or an app) that branch…
StepStep: A **step** is a single task in a job - either a shell command (`run:`) or an action (`uses:`).
Step (GitHub Actions)Step (GitHub Actions): A step is a single task within a job, either a shell command via `run:` or an action v…
Step OutputStep Output: A step output is a named value one step produces by writing `name=value` to the `$GITHUB_OUTPUT`…
Step Retry PolicyStep Retry Policy: A step retry policy defines how a failing step is automatically re-attempted, including th…
Step SummaryStep Summary: A step summary is Markdown written to the `$GITHUB_STEP_SUMMARY` file during a job, which GitHu…
Supply-Chain SecuritySupply-chain security protects every step from source to deployed artifact - dependencies, build, signing - a…
Tag a ReleaseTag a Release: To tag a release is to attach a version label (a Git tag such as `v1.4.0`) to a specific commi…
Test Impact AnalysisTest impact analysis selects only the tests affected by a change instead of the whole suite, by mapping code…
Test IsolationTest isolation ensures each test runs independently with its own clean state, so ordering and shared data can…
Test ParallelizationTest parallelization runs independent tests at once across cores or machines, cutting suite wall-clock time -…
ThrottlingThrottling is a server deliberately slowing or rejecting requests over a rate limit, returning 429 or latency…
timeout-minutestimeout-minutes caps how long a job or step may run before GitHub Actions cancels it, preventing a hung proce…
timeout-minutestimeout-minutes: timeout-minutes is a GitHub Actions key that sets the maximum minutes a job or step may run…
Trigger (Event)Trigger (Event): A **trigger** is the event that starts a workflow - `push`, `pull_request`, `schedule`, `wor…
Wait Timer (Deployment)Wait Timer (Deployment): A wait timer is an environment protection rule that delays a deployment job by a set…
WebhookWebhook: A webhook is an HTTP callback that a service sends to a URL you register whenever an event happens,…
Webhook PayloadWebhook Payload: A webhook payload is the JSON body sent with a webhook request describing the event: which r…
Webhook SecretA webhook secret is a shared key used to sign webhook payloads so the receiver can verify a delivery genuinel…
Webhook SecretWebhook Secret: A webhook secret is a shared token configured on both the sender and receiver, used to sign e…
WebSocketA WebSocket is a persistent, full-duplex connection upgraded from HTTP, letting client and server push messag…
WorkflowWorkflow: In GitHub Actions, a **workflow** is an automated process defined in a YAML file under `.github/wor…
Workflow DispatchWorkflow Dispatch: Workflow dispatch is the `workflow_dispatch` trigger that lets you start a GitHub Actions…
Workflow Dispatch InputWorkflow Dispatch Input: A workflow dispatch input is a parameter declared under `on.workflow_dispatch.inputs…
Workflow PermissionWorkflow Permission: A workflow permission is set with the `permissions:` key to scope the automatic `GITHUB_…
Workflow PermissionsWorkflow Permissions: Workflow permissions are the access scopes granted to the automatic `GITHUB_TOKEN`, set…
Workflow RunWorkflow Run: A workflow run is a single execution of a workflow triggered by an event, containing all of tha…
Workflow RunWorkflow Run: A workflow run is a single execution of a GitHub Actions workflow, triggered by an event, with…
Workflow RunWorkflow Run: A workflow run is a single execution instance of a workflow, created when a trigger fires, with…
workflow_dispatchworkflow_dispatch: workflow_dispatch is a trigger that lets you start a workflow manually from the Actions UI…
Workload IdentityWorkload Identity: Workload identity is the broad pattern of giving a running workload (a CI job, a pod, a fu…
Workload IdentityWorkload Identity: Workload identity is the practice of giving an automated workload (a CI job, service, or p…
Runners & infra
Runners, caching, artifacts, concurrency.
ABI (Application Binary Interface) compatibilityABI compatibility means compiled binaries agree on calling conventions and layouts, so a library can be swapp…
AST (abstract syntax tree)An abstract syntax tree is the structured tree a parser builds from source, capturing its grammar without pun…
AffinityAffinity rules attract or repel pods relative to nodes or other pods, controlling placement - co-locating cac…
ArtifactArtifact: An **artifact** is a file or set of files produced by a job (build output, test report) that can be…
Artifact RegistryAn artifact registry stores and versions build outputs - packages, libraries, images - so pipelines and deplo…
Artifact RegistryArtifact Registry: An artifact registry is a server that stores and serves build outputs (container images, J…
Artifact RetentionArtifact Retention: Artifact retention is the policy that controls how long build outputs, logs, and test rep…
Artifact SigningArtifact signing attaches a cryptographic signature to a build output so consumers can verify which pipeline…
AttestationAn attestation is a signed statement about an artifact - its provenance, scan results, or test status - that…
AutoscalingAutoscaling adds and removes runners automatically based on queued demand, so jobs start quickly under load w…
Autoscaling GroupAutoscaling Group: An autoscaling group is a cloud construct (AWS Auto Scaling Group, GCP managed instance gr…
Autoscaling PolicyAutoscaling Policy: An autoscaling policy is the rule set that decides when to add or remove runners based on…
Autoscaling RunnerAutoscaling Runner: An autoscaling runner setup automatically adds runners when jobs queue and removes them w…
Base ImageA base image is the starting layer a Dockerfile builds on, set by the first FROM. Choosing a slim, trusted ba…
Bin PackingBin Packing: Bin packing is the scheduling strategy of placing as many jobs (or containers) onto each machine…
Bit-for-bit reproducibilityBit-for-bit means two builds produce byte-identical output, so anyone can rebuild from source and prove an ar…
Blob (Binary Large Object)A blob is an opaque chunk of binary data stored and retrieved as a unit - a build artifact, image layer, or l…
Build AgentA build agent is the worker process or machine that picks up and executes CI jobs. In GitHub Actions the equi…
Build AgentBuild Agent: A build agent is the process running on a CI machine that registers with the orchestrator, picks…
Build ArtifactBuild Artifact: A build artifact is output generated by a job (a binary, bundle, coverage report, or log) tha…
Build CacheA build cache stores intermediate compilation outputs keyed by their inputs, so unchanged work is restored in…
Build CacheBuild Cache: A build cache is a keyed store of files (downloaded dependencies, compiled objects) that a later…
Build Cache PoisoningBuild cache poisoning injects malicious content into a shared build cache, so later builds restore tampered o…
Build LogBuild Log: A build log is the recorded stdout and stderr of every step in a job. It is the primary evidence f…
Build Minutes OverageBuild Minutes Overage: Build minutes overage is the usage beyond your plan included allotment, charged at the…
Build NodeBuild Node: A build node is one compute instance in a fleet of CI runners. Jobs are dispatched to available n…
Build PhaseA build phase is one stage of a build - configure, compile, link, package - run in order, so CI can cache and…
Build ProfileA build profile is a named set of compiler and build settings - debug vs release - that controls optimization…
Build QueueBuild Queue: A build queue is the ordered backlog of jobs waiting for an available runner. Queue time (how lo…
Build TargetA build target is a named unit a build system knows how to produce - a binary, library, or test - along with…
BuildKitBuildKit is Docker’s modern build engine, adding parallel stage execution, efficient layer caching, and build…
Cache (CI)Cache (CI): A **cache** stores dependencies or build outputs between runs so they are restored instead of rec…
Cache Hit RatioCache Hit Ratio: The cache hit ratio is the fraction of cache lookups served from the cache versus recomputed…
Calling ConventionA calling convention is the agreed rules for passing arguments and returning values between functions - regis…
Cluster AutoscalerThe cluster autoscaler adds nodes when pods cannot be scheduled for lack of capacity and removes underused on…
CNI (Container Network Interface)The CNI is the plugin standard for wiring container networking - assigning IPs and routes to pods - used by K…
Code SigningCode signing attaches a cryptographic signature to an artifact so consumers can verify it came from the expec…
Cold StartCold Start: A **cold start** is the delay while a fresh runner boots and sets up before a job begins. Warm po…
Cold Start (Runner)Cold Start (Runner): A runner cold start is the delay while a fresh runner provisions, boots, and installs to…
Compilation UnitA compilation unit is the chunk of source a compiler processes independently into one object file - the granu…
Compute MinutesCompute Minutes: Compute minutes are the unit CI providers meter usage in: one minute of one runner executing…
Concurrency LimitConcurrency Limit: A concurrency limit is a cap on how many jobs or workflow runs may execute at the same tim…
Connection PoolA connection pool keeps open connections ready to reuse, so callers borrow one instead of paying handshake co…
Constant FoldingConstant folding evaluates expressions with known values at compile time, so the binary ships the precomputed…
Container RegistryA container registry stores and serves Docker/OCI images by repository, tag, and digest. CI pushes built imag…
containerdcontainerd is the standard container runtime that handles image transfer, storage, and execution, used under…
Content-Addressed StorageContent-addressed storage names each blob by the hash of its contents, so identical data is stored once and r…
Control PlaneThe control plane is the set of Kubernetes components - API server, scheduler, controllers - that decide what…
Cordon (Runner)Cordon (Runner): To cordon a runner is to mark it so that no new jobs are scheduled onto it, while any job al…
Core DumpA core dump is a snapshot of a crashed process’s memory written to disk, so engineers can load it in a debugg…
CRD (Custom Resource Definition)A CRD extends the Kubernetes API with new object types, letting operators and tools manage domain objects wit…
CRI (Container Runtime Interface)The CRI is the gRPC API the kubelet uses to talk to any container runtime, decoupling Kubernetes from a singl…
Cross-CompilationCross-compilation builds a binary on one platform to run on another - like compiling ARM64 binaries on an x86…
DaemonsetA DaemonSet is a Kubernetes controller that runs one pod copy on every selected node - used for per-node agen…
Debug SymbolsDebug symbols map machine code back to source lines, variables, and types, letting debuggers and crash report…
DeploymentA Deployment is the Kubernetes controller for a stateless app, keeping a desired number of pod replicas runni…
Deployment EnvironmentDeployment Environment: A deployment environment is a named target a pipeline deploys to, such as staging or…
Deterministic BuildA deterministic build yields the same output from the same inputs by removing nondeterminism like timestamps…
Digest PinningDigest pinning references an image by its immutable sha256 digest instead of a mutable tag, so every build an…
Disk IOPSDisk IOPS: Disk IOPS (input/output operations per second) is the rate at which a storage device can service r…
Disk Space ReclaimDisk Space Reclaim: Disk space reclaim is freeing storage on a CI runner before or during a job to avoid "no…
DistrolessA distroless image holds only your app and its runtime dependencies - no shell or package manager - shrinking…
docker-composedocker-compose defines and runs multi-container apps from one YAML file, wiring services, networks, and volum…
DockerfileA Dockerfile is the text recipe of instructions - FROM, RUN, COPY, CMD - that Docker executes to build a cont…
Dynamic LinkingDynamic linking resolves library references at load or run time from shared libraries on the system, keeping…
Dynamic LoaderThe dynamic loader is the OS component that maps a program and its shared libraries into memory and prepares…
Ephemeral EnvironmentEphemeral Environment: An ephemeral environment is a short-lived, isolated copy of an application stood up on…
Ephemeral PortAn ephemeral port is a short-lived high-numbered port the OS assigns to the client side of each outbound conn…
Ephemeral RunnerEphemeral Runner: An ephemeral runner is a self-hosted runner configured to accept exactly one job and then d…
Ephemeral RunnerEphemeral Runner: An ephemeral runner is a self-hosted runner registered with the `--ephemeral` flag that acc…
Ephemeral RunnerEphemeral Runner: An **ephemeral runner** is created fresh for one job and destroyed after, giving clean, rep…
Ephemeral Runner LifecycleEphemeral Runner Lifecycle: The ephemeral runner lifecycle is the create, run one job, then destroy cycle of…
Ephemeral TokenEphemeral Token: An ephemeral token is a credential valid for a single use or a very short window, such as a…
Escape AnalysisEscape analysis determines whether an object outlives its creating function, letting the compiler stack-alloc…
FFI (foreign function interface)An FFI lets code in one language call functions written in another, bridging calling conventions - how high-l…
Generics ErasureGenerics erasure compiles generic code once, dropping type parameters at runtime, so binaries stay small but…
GitHub-Hosted RunnerGitHub-Hosted Runner: A GitHub-hosted runner is a fresh virtual machine that GitHub provisions and tears down…
Health CheckHealth Check: A health check is a periodic probe that reports whether a service is functioning, so a load bal…
HTTP Keep-AliveHTTP keep-alive reuses one TCP connection for multiple requests instead of reconnecting each time, removing h…
HypervisorHypervisor: A hypervisor is the layer that creates and runs virtual machines by allocating physical CPU, memo…
Image DigestAn image digest is the immutable SHA-256 hash identifying an exact container image. Pinning to a digest guara…
Image Pull BackoffImage Pull Backoff: ImagePullBackOff is a Kubernetes pod state indicating the kubelet failed to pull a contai…
Image ScanningImage scanning inspects a container image’s OS packages and libraries for known vulnerabilities and misconfig…
Image TagAn image tag is a human-readable label like v1.2.0 or latest pointing at a container image. Tags are mutable,…
ImmutabilityImmutability: Immutability is the practice of never modifying an artifact or environment after creation; chan…
Immutable ArtifactImmutable Artifact: An immutable artifact is a build output that is created once, given a unique version, and…
Incremental BuildAn incremental build recompiles only the parts of a project affected by a change, reusing prior outputs for e…
Ingress ControllerAn ingress controller is the running component that implements Ingress rules - an NGINX or LB pod that watche…
Init ContainerAn init container runs to completion before a pod’s main containers start, preparing state - fetching config,…
InliningInlining replaces a function call with the function’s body, removing call overhead and unlocking further opti…
IR (intermediate representation)An intermediate representation is the compiler’s internal form between source and machine code, where optimiz…
JIT RunnerJIT Runner: A JIT (just-in-time) runner is a GitHub Actions self-hosted runner registered with a single-use c…
Job QueueJob Queue: A job queue is the ordered list of CI jobs waiting for an available runner. When demand exceeds ru…
Just-in-Time RunnerJust-in-Time Runner: A just-in-time (JIT) runner is registered with a single-use configuration token that let…
Just-in-Time RunnerJust-in-Time Runner: A just-in-time (JIT) runner is registered with a single-use configuration token from the…
kubeletThe kubelet is the agent on every Kubernetes node that starts and stops containers, reports node health, and…
Layer CachingLayer caching reuses unchanged Docker image layers between builds, so only the steps after the first change r…
LexerA lexer scans raw source characters into tokens - keywords, identifiers, literals - the first compiler stage…
Linker ScriptA linker script tells the linker how to lay out sections of object files into the final binary’s memory regio…
Linux CapabilitiesLinux capabilities split root’s all-or-nothing power into discrete privileges, so a container can be granted…
Liveness ProbeLiveness Probe: A liveness probe checks whether an instance is still functioning; if it fails, the orchestrat…
Load BalancingLoad Balancing: Load balancing distributes incoming work across multiple servers or runners so no single one…
Managed RunnerManaged Runner: A **managed runner** is a runner operated by a third party (like Latchkey) - you get self-hos…
microVMmicroVM: A microVM is a stripped-down virtual machine that boots in tens of milliseconds with minimal device…
MonomorphizationMonomorphization generates a specialized copy of generic code for each concrete type used, trading larger bin…
Multi-Stage BuildA multi-stage build uses several FROM stages in one Dockerfile so heavy build tools stay out of the final ima…
Name ManglingName mangling encodes types and namespaces into a symbol’s name so overloaded functions get unique linker sym…
NAT (Network Address Translation)NAT rewrites private source addresses to a shared public one so many internal hosts reach the internet throug…
Network Egress CostNetwork Egress Cost: Network egress cost is the per-gigabyte fee cloud providers charge for data leaving thei…
Node PoolA node pool is a group of cluster nodes that share a machine type and config, letting you run CI builds on a…
Node PoolNode Pool: A node pool is a group of machines in a cluster that share the same configuration: instance type,…
Noisy NeighborNoisy Neighbor: A noisy neighbor is a workload sharing a machine that consumes a disproportionate amount of a…
Object FileAn object file is the compiler’s machine-code output for one source unit, not yet runnable - the linker combi…
Object StorageObject storage keeps data as flat objects in buckets addressed by key, scaling to huge artifact stores - the…
OCI ImageAn OCI image is a container image following the Open Container Initiative spec, so it runs across Docker, con…
On-Demand InstanceOn-Demand Instance: An on-demand instance is a cloud VM you pay for by the second or hour with no upfront com…
OperatorA Kubernetes operator is a custom controller that encodes operational know-how, watching custom resources to…
Optimization LevelAn optimization level (-O0 to -O3, -Os) tells the compiler how aggressively to optimize, trading compile time…
Parallel Test ExecutionParallel Test Execution: Parallel test execution runs multiple tests or test files at the same time, within o…
ParserA parser consumes tokens from the lexer and builds an abstract syntax tree per the language grammar, reportin…
Persistent VolumeA persistent volume is cluster storage whose lifecycle is independent of any pod, so data survives restarts -…
PodA pod is the smallest deployable unit in Kubernetes: one or more containers sharing a network namespace and s…
Port BindingPort binding claims a TCP/UDP port so a service can accept connections on it. A port already in use raises EA…
PIC (position-independent code)Position-independent code runs correctly regardless of where it is loaded in memory, using relative addressin…
Preemptible RunnerPreemptible Runner: A preemptible runner runs on cheap, interruptible compute (such as cloud spot or preempti…
Presigned URLA presigned URL grants time-limited access to one object in private storage, so CI can upload or download an…
Priority QueuePriority Queue: A priority queue is a job queue that dispatches higher-priority jobs before lower-priority on…
ProvenanceProvenance is verifiable metadata describing how an artifact was built - source, builder, and inputs - lettin…
ProvisioningProvisioning is the process of allocating and preparing a fresh machine - booting, installing tools, register…
Pull-Through CacheA pull-through cache fetches an image from upstream on the first request, stores it, and serves later request…
Queue DepthQueue Depth: Queue depth is the number of jobs waiting for a free runner at a given moment. It is the primary…
Queue PositionQueue Position: Queue position is where a pending CI job sits in line while it waits for a free runner. A job…
Queue TimeQueue time is how long a job waits after being triggered before a runner picks it up. Long queue time, not jo…
Quota ExhaustionQuota Exhaustion: Quota exhaustion is when a usage limit (CI minutes, API rate limit, concurrent jobs, cloud…
Rate Limiting (CI API)Rate Limiting (CI API): Rate limiting caps how many API requests a client may make in a window; exceeding it…
Readiness ProbeReadiness Probe: A readiness probe checks whether an instance is ready to accept work; if it fails, the insta…
Registry MirrorA registry mirror is a local cache that serves copies of upstream images, cutting pull latency and dodging ra…
Registry ThrottlingRegistry Throttling: Registry throttling is a container registry limiting the rate of image pulls, which in C…
RelocationRelocation is the linker or loader patching address references in compiled code once the load location is kno…
Remote CacheRemote Cache: A remote cache stores build or test outputs on a shared server so that any machine, including e…
Rootless ContainersRootless containers run the runtime and workload as an unprivileged user via user namespaces, so a container…
RunnerRunner: A **runner** is the machine that executes a job. It can be GitHub-hosted, self-hosted, or managed by…
Runner AutoscalerRunner Autoscaler: A runner autoscaler is a controller that adds or removes CI runners based on demand, for e…
Runner AutoscalingRunner Autoscaling: Runner autoscaling is automatically adding runner capacity when jobs queue and removing i…
Runner ConcurrencyRunner Concurrency: Runner concurrency is the number of jobs that can execute in parallel across your runner…
Runner DrainRunner Drain: A runner drain is the process of gracefully removing a runner from service by stopping new job…
Runner GroupRunner Group: A runner group is a GitHub feature that organizes self-hosted runners and controls which reposi…
Runner GroupRunner Group: A runner group is a collection of self-hosted runners that an organization or enterprise manage…
Runner GroupRunner Group: A runner group is an organization- or enterprise-level collection of self-hosted runners with a…
Runner GroupRunner Group: A runner group is an organization or enterprise level collection of self-hosted runners with ac…
Runner Idle TimeoutRunner Idle Timeout: A runner idle timeout is how long an autoscaled runner stays up with no work before it i…
Runner LabelRunner Label: A runner label is a tag assigned to a runner that a workflow matches in `runs-on:` to route a j…
Runner Label SelectorRunner Label Selector: A runner label selector is the set of labels a job requests in `runs-on` so the schedu…
Runner PoolRunner Pool: A runner pool is a group of interchangeable runners that share a job queue. Jobs are dispatched…
Runner Registration TokenRunner Registration Token: A runner registration token is a short-lived credential that authorizes a machine…
Runner Scale SetRunner Scale Set: A runner scale set is a group of homogeneous ephemeral runners managed by the Actions Runne…
Runner StarvationRunner Starvation: Runner starvation occurs when jobs wait in a queue because no runner capacity is available…
Runner Work DirectoryRunner Work Directory: The runner work directory is the folder on a CI runner where the repository is checked…
Runtime LinkerThe runtime linker resolves shared-library symbols as a program starts or on first use, binding calls to thei…
Scale-In CooldownScale-In Cooldown: A scale-in cooldown is a waiting period an autoscaler enforces after scaling before it rem…
Scale-to-ZeroScale-to-Zero: Scale-to-zero is an autoscaling behavior that removes every runner when there is no work, so y…
seccompseccomp filters which Linux syscalls a process may make, shrinking a container’s kernel attack surface. CI sa…
Self-Hosted RunnerSelf-Hosted Runner: A self-hosted runner is a machine you provision and connect to GitHub Actions to execute…
Self-Hosted RunnerSelf-Hosted Runner: A **self-hosted runner** is a runner you operate on your own infrastructure, giving you c…
Self-Hosted Runner (GitHub Actions)Self-Hosted Runner (GitHub Actions): A self-hosted runner is a machine you own and register with GitHub Actio…
Self-Hosted Runner LabelSelf-Hosted Runner Label: A self-hosted runner label is a tag attached to a runner so a job can request it wi…
Semantic AnalysisSemantic analysis checks an AST for meaning-level rules a grammar can’t - scope, types, declared-before-use -…
ShardingSharding splits a large test suite into independent slices that run on separate runners in parallel, cutting…
Shared LibraryA shared library (.so, .dll, .dylib) is reusable compiled code loaded by many programs at run time, so a fix…
SidecarA sidecar is a helper container running alongside the main one in a pod, sharing its lifecycle to add capabil…
SIMD (Single Instruction, Multiple Data)SIMD executes one instruction across multiple data lanes at once, the hardware feature vectorized code target…
SocketA socket is the OS endpoint for network communication, identified by an IP and port. Programs read and write…
Spot InstanceA spot instance is discounted cloud capacity the provider can reclaim with little notice. It cuts runner cost…
Spot InterruptionSpot Interruption: A spot interruption is when a cloud provider reclaims a discounted spot (preemptible) inst…
StatefulSetA StatefulSet manages pods that need stable identities and persistent storage, like databases - each gets a f…
Static LinkingStatic linking bakes all library code into the binary at build time, producing a larger but self-contained ex…
Stripping BinariesStripping a binary removes its symbol and debug information to shrink it for release, at the cost of readable…
Symbol TableA symbol table maps names - functions and variables - to addresses in a binary. Linkers use it to resolve ref…
TaintA taint marks a node to repel pods that do not tolerate it, reserving nodes - like GPU or CI runner nodes - f…
Target TripleA target triple is a string like x86_64-unknown-linux-gnu naming the architecture, vendor, OS, and ABI a tool…
Test SelectionTest Selection: Test selection runs only the tests affected by a change instead of the whole suite, using a d…
Test ShardingTest Sharding: Test sharding splits a test suite into independent subsets (shards) that run on separate runne…
Trait ObjectA trait object stores a value plus a pointer to its method table, enabling runtime polymorphism over differin…
Type InferenceType inference lets a compiler deduce expression types without explicit annotations, keeping code terse while…
vCPUvCPU: A vCPU (virtual CPU) is one thread of a physical processor core that a cloud provider presents to a vir…
VectorizationVectorization rewrites a scalar loop to process several elements per instruction using SIMD, multiplying thro…
Virtual MachineVirtual Machine: A virtual machine is a full software emulation of a computer, including its own guest operat…
Vtable (virtual method table)A vtable is a per-type table of function pointers the runtime uses to dispatch a polymorphic call to the righ…
Vulnerability ScanningVulnerability scanning checks code, dependencies, or images against CVE databases and flags or fails CI when…
Warm PoolWarm Pool: A **warm pool** is a set of pre-booted runners kept ready so jobs start almost instantly instead o…
Warm Pool (Runner)Warm Pool (Runner): A warm pool for runners is a set of pre-booted, idle runner machines kept ready so a queu…
Warm Pool (Runners)Warm Pool (Runners): A warm pool is a set of pre-booted, idle runners kept ready so a queued job starts almos…
Warm Standby RunnerWarm Standby Runner: A warm standby runner is a runner kept booted and ready (often with dependencies or a ba…
Workspace Cleanup StepWorkspace Cleanup Step: A workspace cleanup step is a pipeline task that deletes checked-out files and build…
Exit codes & signals
Codes and signals you see in logs.
AOT (Ahead-of-Time) compilationAhead-of-time compilation turns source or bytecode into native code before run, giving fast, predictable star…
AlertingAlerting: Alerting is the automated notification that fires when a monitored signal crosses a threshold or a…
Anomaly DetectionAnomaly Detection: Anomaly detection automatically flags metric values that deviate from expected patterns, f…
API Rate LimitAPI Rate Limit: An API rate limit caps how many requests a client may make in a time window; exceeding it ret…
ApprovalApproval: An approval is a recorded decision by an authorized reviewer that a change or deployment may procee…
AssertionAssertion: An assertion is a statement in a test that checks a condition and fails the test if the condition…
Atomic OperationAn atomic operation completes indivisibly - no other thread observes a partial result - the building block of…
Audit LogAudit Log: An audit log is an append-only record of security-relevant events: who did what, when, and from wh…
Audit TrailAudit Trail: An audit trail is a chronological, tamper-evident record of actions taken in a system, such as w…
Backoff with JitterBackoff with Jitter: Backoff with jitter spaces out retries by increasing the delay after each attempt (backo…
BackpressureBackpressure is a system signaling upstream producers to slow down when it cannot keep up, preventing unbound…
BackpressureBackpressure: Backpressure is the mechanism by which a downstream component signals an upstream producer to s…
Borrow CheckerA borrow checker statically enforces that references never outlive their data or alias mutably, catching use-…
BottleneckA bottleneck is the single stage or resource that limits overall throughput, so the whole pipeline or system…
Branch CoverageBranch coverage measures whether tests exercise both outcomes of each decision point, catching untested else-…
Build Log AnnotationBuild Log Annotation: A build log annotation is a structured message (error, warning, or notice) attached to…
Build StatusBuild Status: A build status is the result state of a pipeline run. Common states are queued, in-progress, su…
Bundle AnalysisBundle Analysis: Bundle analysis is inspecting a build output to see which modules contribute to size, usuall…
Bundle SizeBundle Size: Bundle size is the total byte count of the files a bundler emits, often measured both raw and gz…
Cache LineA cache line is the fixed-size block (often 64 bytes) the CPU moves between memory and cache as a unit - the…
Cache StampedeA cache stampede is many requests all missing the same expired cache key at once and racing to recompute it,…
Cache StampedeCache Stampede: A cache stampede happens when a cached entry expires or is invalidated and many concurrent co…
Cancellation TokenCancellation Token: A cancellation token is a signal object passed into an operation that lets a caller reque…
cgroupA cgroup (control group) is a Linux feature that limits CPU, memory, and I/O for a group of processes. Contai…
Change Failure RateChange Failure Rate: Change failure rate is the percentage of deployments that cause a failure in production…
Chaos EngineeringChaos engineering deliberately injects failures - killed nodes, network delays, dependency outages - to verif…
Chaos ExperimentA chaos experiment is a controlled test that injects a specific failure - a killed node, added latency - with…
Chaos ExperimentChaos Experiment: A chaos experiment deliberately injects a controlled failure (killing a pod, adding latency…
Check RunCheck Run: A check run is one individual test or validation reported via the GitHub Checks API. It carries a…
Check SuiteCheck Suite: A check suite is a grouping of the check runs created by a single GitHub App (such as GitHub Act…
Circuit Breaker (Retries)Circuit Breaker (Retries): A circuit breaker stops sending requests to a failing dependency after a threshold…
Code CoverageCode Coverage: Code coverage measures what fraction of the code was exercised by the test suite, reported as…
Code Coverage ThresholdA code coverage threshold is a minimum coverage percentage CI enforces, failing the build when tests exercise…
Commit SigningCommit Signing: Commit signing attaches a cryptographic signature to a commit (`git commit -S`, GPG or SSH) s…
Commit StatusCommit Status: A commit status is a state (`error`, `failure`, `pending`, or `success`) posted against a comm…
Compliance GateCompliance Gate: A compliance gate is a pipeline checkpoint that enforces regulatory or organizational policy…
Consumer GroupA consumer group is a set of consumers sharing a topic’s partitions, so each message is processed by exactly…
Container BreakoutA container breakout is workload code escaping its container to reach the host kernel or other containers - t…
Contract TestA contract test verifies that two services agree on a shared interface, so a provider and consumer can evolve…
Correlation IDCorrelation ID: A correlation ID is a unique identifier attached to a request and propagated through every se…
CORS (Cross-Origin Resource Sharing)CORS is the browser mechanism that lets a server opt in to cross-origin requests via response headers. A misc…
Coverage GateCoverage Gate: A coverage gate is a CI rule that fails the build if code coverage falls below a set threshold…
CPU ThrottlingCPU Throttling: CPU throttling is when the kernel (via cgroups CFS quota) caps a container or process to its…
Critical PathThe critical path is the longest chain of dependent jobs through a pipeline. Its length sets the minimum end-…
Critical Path Analysis (Pipeline)Critical Path Analysis (Pipeline): Critical path analysis finds the longest chain of dependent stages in a pi…
CSRF (Cross-Site Request Forgery)CSRF tricks a logged-in user’s browser into sending an unwanted authenticated request. Anti-CSRF tokens and S…
DashboardDashboard: A dashboard is a visual panel of metrics and charts that shows the current and historical state of…
Data RaceA data race is two threads accessing the same memory at once with at least one write and no synchronization -…
DeadlockA deadlock is when two or more tasks each wait forever on a resource the other holds, so none proceed. In CI…
DeadlockDeadlock: A deadlock occurs when two or more threads each wait for a resource the other holds, so none can pr…
Deadlock (Database)Deadlock (Database): A deadlock occurs when two or more transactions each hold a lock the other needs, so non…
DebounceDebounce: Debounce is collapsing a burst of rapid events into one action by waiting for a quiet period. In CI…
Deployment FrequencyDeployment Frequency: Deployment frequency is how often an organization successfully releases to production.…
Disaster RecoveryDisaster Recovery: Disaster recovery (DR) is the set of plans and processes for restoring service and data af…
Distributed TracingDistributed tracing stitches a request’s journey across services into one timeline of spans, so you can see w…
Distributed TracingDistributed Tracing: Distributed tracing follows a single request as it travels across multiple services, sti…
DNS ResolutionDNS Resolution: DNS resolution is the process of translating a hostname into an IP address so a client can op…
DORA MetricsDORA Metrics: DORA metrics are four measures of software delivery performance from the DevOps Research and As…
DrainDraining stops sending new work to an instance while letting existing work finish, so it can be retired or up…
Drain TimeoutDrain Timeout: A drain timeout is the grace period a system waits for a process to shut down gracefully after…
Environment VariableAn environment variable is a named value the OS passes to a process. CI uses them to configure builds, set PA…
Error BudgetAn error budget is the allowable amount of unreliability under an SLO. Spending it slows risky releases; stay…
Error Budget PolicyError Budget Policy: An error budget policy defines what happens when a service exhausts its error budget, th…
Error RateError Rate: Error rate is the fraction of requests that fail, usually expressed as a percentage of total requ…
Exit CodeExit Code: An **exit code** is the number a process returns when it ends. Zero means success; non-zero means…
Exit Status PropagationExit Status Propagation: Exit status propagation is ensuring a failing command's non-zero exit code reaches C…
Exponential BackoffExponential backoff waits progressively longer between retries (1s, 2s, 4s...), often with jitter, so a strug…
Exponential BackoffExponential Backoff: Exponential backoff is a retry strategy that doubles the wait between attempts (1s, 2s,…
Exponential BackoffExponential Backoff: Exponential backoff is a retry strategy where the wait between attempts grows exponentia…
Exponential BackoffExponential Backoff: Exponential backoff is a retry strategy that doubles the wait between attempts (1s, 2s,…
FailoverFailover: Failover is the automatic or manual switch to a standby system when the primary fails, so service c…
False SharingFalse sharing is when threads update different variables sharing one cache line, forcing costly coherency tra…
Fan-OutFan-out is delivering one incoming message to many downstream consumers or queues at once - the dispatch patt…
Fault InjectionFault Injection: Fault injection is the deliberate introduction of errors (network delays, dropped packets, f…
File DescriptorA file descriptor is the integer the OS assigns a process for each open file, socket, or pipe. Exhausting the…
Flame GraphA flame graph visualizes profiling data as stacked bars where width is time spent, making the hottest call pa…
Fuzz TestingFuzz testing feeds a program large volumes of malformed or random input to provoke crashes, hangs, and memory…
Garbage collection (GC)Garbage collection automatically reclaims memory no longer reachable, freeing developers from manual frees bu…
Golden SignalsThe four golden signals - latency, traffic, errors, saturation - are the core metrics Google’s SRE practice r…
Graceful ShutdownGraceful shutdown lets a process finish in-flight work and release resources after a SIGTERM before exiting,…
Graceful ShutdownGraceful Shutdown: Graceful shutdown is stopping a process cleanly on receiving a termination signal (SIGTERM…
Graceful ShutdownGraceful Shutdown: Graceful shutdown is stopping a service by finishing in-flight requests and closing connec…
Health CheckA health check is an endpoint or probe reporting whether a service works, letting load balancers and orchestr…
Health CheckHealth Check: A health check is a periodic probe that reports whether a service instance is working, so load…
Health Check EndpointHealth Check Endpoint: A health check endpoint is an HTTP route (often `/healthz`) that returns whether a ser…
Health EndpointHealth Endpoint: A health endpoint is a URL (often `/health`) that reports whether a service is running, used…
Heap ProfilingHeap profiling samples where a program allocates memory and what stays live, helping find leaks and bloat tha…
HMAC Webhook SignatureHMAC Webhook Signature: An HMAC webhook signature is a hash of the webhook payload computed with a shared sec…
Horizontal ScalingHorizontal scaling adds more instances to handle load, spreading work across machines. It is the basis of ela…
HTTP Status CodeHTTP Status Code: An HTTP status code is a three-digit number a server returns to summarize the result: 2xx s…
Idempotency KeyIdempotency Key: An idempotency key is a unique identifier a client attaches to a request so the server proce…
IngressIngress in Kubernetes is the rules and controller that route external HTTP/HTTPS traffic to internal services…
InstrumentationInstrumentation: Instrumentation is the code that emits telemetry: the log statements, metric counters, and t…
JIT (Just-In-Time) compilationJIT compilation translates bytecode into native machine code at run time, optimizing hot paths as the program…
JitterJitter: Jitter is random variation added to a delay, such as retry timing, so many clients do not retry at th…
Job Summary ReportJob Summary Report: A job summary report is custom Markdown a job writes to the run's summary page, appended…
LatencyLatency is the time a single operation takes from start to finish. Low latency feels fast; tail latency (p95/…
Lead Time for ChangesLead Time for Changes: Lead time for changes is the time it takes for a commit to reach production. It is a D…
LifetimeA lifetime is the compiler’s notion of how long a reference stays valid, used to prove borrowed data outlives…
Linker ErrorLinker Error: A linker error is any failure during the link stage of a build, such as an unresolved symbol, a…
Liveness EndpointLiveness Endpoint: A liveness endpoint reports whether a service process is alive and not deadlocked; a faili…
Liveness ProbeA liveness probe tells Kubernetes whether a container is still healthy. If it keeps failing, the kubelet rest…
Liveness ProbeLiveness Probe: A liveness probe is a Kubernetes check that determines whether a container is still healthy;…
Load BalancerA load balancer spreads incoming requests across multiple backend instances, improving throughput and availab…
Load Balancer Health CheckLoad Balancer Health Check: A load balancer health check is a periodic probe (often an HTTP GET to `/health`)…
Load TestA load test drives expected or peak traffic at a system to measure throughput, latency, and where it degrades…
Lock ContentionLock Contention: Lock contention is when many transactions compete for the same locks, forcing them to wait a…
Lock-FreeA lock-free algorithm guarantees some thread always makes progress without locks, avoiding deadlock and prior…
Log LevelLog Level: A log level classifies the severity of a log message, typically DEBUG, INFO, WARN, ERROR, and FATA…
Log LevelLog Level: A log level is the severity tag on a log line, conventionally TRACE, DEBUG, INFO, WARN, ERROR, and…
Log ScrubbingLog Scrubbing: Log scrubbing is the practice of filtering CI log output to remove secrets, PII, or noise, whe…
LoggingLogging: Logging is recording discrete, timestamped events emitted by a system. In CI, job logs are the prima…
Mean Time to Recovery (MTTR)Mean Time to Recovery (MTTR): Mean time to recovery (MTTR) is the average time to restore service after a pro…
Memory BarrierA memory barrier forces an ordering on memory operations, so CPU or compiler reordering can’t break the visib…
Memory LeakA memory leak is memory a program allocates but never releases, so usage climbs until the process is killed -…
Memory LeakMemory Leak: A memory leak is memory that a program allocates but never frees and no longer references, so us…
Memory PressureMemory Pressure: Memory pressure is the condition where available RAM is scarce, forcing the kernel to reclai…
Memory SafetyMemory safety guarantees code never accesses memory incorrectly - no buffer overruns, use-after-free, or null…
Merge CheckMerge Check: A merge check is a condition GitHub evaluates before permitting a merge: required status checks…
Message BrokerA message broker is middleware that routes messages between producers and consumers, decoupling services so t…
Message QueueA message queue holds messages in order until a consumer pulls them, smoothing bursts and letting producers a…
Metric CardinalityMetric Cardinality: Metric cardinality is the number of distinct time series a metric produces, which equals…
MetricsMetrics: Metrics are numeric measurements aggregated over time, such as request rate, error count, or job dur…
Metrics CardinalityMetrics cardinality is the number of unique label combinations a metric produces. High cardinality, like user…
MonitoringMonitoring: Monitoring is the practice of collecting predefined signals and comparing them against known thre…
MTTR (Mean Time To Recovery)MTTR is the average time to restore service after a failure. Lowering it - via fast rollback and self-healing…
Mutation ScoreMutation score measures test quality by injecting small code changes and checking how many your tests catch -…
Mutation ScoreMutation Score: A mutation score is the percentage of injected code changes (mutants) that a test suite detec…
ObservabilityObservability is how well you can infer a system’s internal state from its outputs - logs, metrics, traces -…
ObservabilityObservability: Observability is the property of a system whose internal state you can infer from its external…
Offset (Kafka)An offset is the sequential position of a message in a Kafka partition. Consumers commit offsets to record ho…
OOM (Out of Memory)OOM (Out of Memory): **OOM** is when a process exceeds available memory and the kernel kills it. On CI runner…
OOM ScoreOOM Score: The OOM score is a per-process value the Linux kernel uses to decide which process to kill first w…
OwnershipOwnership is a model where each value has a single owning binding responsible for freeing it, giving determin…
p50 Latencyp50 Latency: p50 latency (the 50th percentile, or median) is the value below which half of measured latencies…
p95 (95th percentile)p95 is the 95th-percentile latency: the value 95% of requests come in under. It captures tail slowness that a…
p99 Latencyp99 Latency: p99 latency (the 99th percentile) is the value below which 99 percent of measured latencies fall…
Partition (Kafka)A partition is an ordered, append-only log that is one slice of a Kafka topic - the unit of parallelism and o…
pipefailpipefail: pipefail is a bash option, enabled with `set -o pipefail`, that makes a pipeline return the exit co…
Pipeline DAG (directed acyclic graph)A pipeline DAG models jobs as nodes and dependencies as edges, letting a CI system run independent work in pa…
Point-in-Time RecoveryPoint-in-Time Recovery: Point-in-time recovery (PITR) restores a database to any specific moment by replaying…
PostmortemA postmortem is a blameless written analysis after an incident, capturing timeline, root cause, and action it…
Privilege EscalationPrivilege escalation is gaining higher permissions than granted - user to root, or one role to a broader one…
Property-Based TestingProperty-based testing generates many random inputs and checks that a stated property always holds, finding e…
Protected BranchProtected Branch: A protected branch is a branch with rules that block or gate changes, such as requiring pul…
Publish-subscribe (pub/sub)Publish-subscribe is a pattern where publishers send to a topic and any number of subscribers each receive a…
Quality GateQuality Gate: A quality gate is a set of pass or fail conditions, such as minimum test coverage, no failing t…
Quarantine ListQuarantine List: A quarantine list is a set of known-flaky tests temporarily excluded from failing the build,…
Race ConditionA race condition is a bug where the outcome depends on the unpredictable timing of concurrent operations. Rac…
Race ConditionRace Condition: A race condition is a bug where the outcome depends on the unpredictable timing of concurrent…
Rate LimitA rate limit caps how many requests a client may make to an API in a window. Hitting one - like Docker Hub or…
Readiness EndpointReadiness Endpoint: A readiness endpoint reports whether a service is ready to accept traffic, for example af…
Readiness ProbeA readiness probe tells Kubernetes when a pod is ready to receive traffic. Until it passes, the pod stays out…
Readiness ProbeReadiness Probe: A readiness probe is a Kubernetes check that determines whether a container should receive t…
Readiness ProbeReadiness Probe: A readiness probe is a health check that reports whether a container is ready to receive tra…
Regression SuiteA regression suite is the body of tests that guard against previously fixed bugs reappearing, run on every ch…
Replay AttackA replay attack captures a valid request and re-sends it later to repeat its effect. Nonces, timestamps, and…
Replay AttackReplay Attack: A replay attack is when an attacker captures a valid request (such as a signed webhook) and re…
Request TimeoutA request timeout caps total time waiting for an operation before giving up, so a stuck call fails fast inste…
Required CheckRequired Check: A required check is a status context or check run that branch protection mandates as green be…
RestoreRestore: A restore rebuilds a database from a backup or snapshot, bringing it back to the state captured at t…
RetryA retry re-runs a failed step or job, often after a short wait, to recover from transient errors like network…
Retry BudgetRetry Budget: A retry budget caps how many automatic retries are allowed over a window, so retrying transient…
Retry StormA retry storm is a flood of simultaneous retries that piles load onto an already struggling service, often tu…
Retry with BackoffRetry with Backoff: Retry with backoff is retrying a failed operation after a delay that grows between attemp…
RunbookA runbook is a documented, step-by-step procedure for a specific operational situation - an alert, deploy, or…
Runner Queue DepthRunner Queue Depth: Runner queue depth is the number of jobs waiting for a free runner at a given moment; a p…
Same-Origin PolicyThe same-origin policy stops a page from reading data from a different origin - the browser’s baseline isolat…
Sandbox EscapeA sandbox escape is code breaking out of its confined environment to affect the host, defeating the isolation…
SanitizerA sanitizer is a compiler-instrumented runtime checker - for memory errors, data races, or undefined behavior…
SaturationSaturation: Saturation is how full a resource is relative to its capacity, the degree to which it has queued…
Secret MaskingSecret Masking: Secret masking is the runner behavior that scans log output for registered secret values and…
Security GateSecurity Gate: A security gate is a pipeline checkpoint that blocks a change from progressing unless it passe…
Segmentation FaultA segmentation fault happens when code touches memory it is not allowed to, raising SIGSEGV and exit 139. It…
Segmentation FaultSegmentation Fault: A segmentation fault (SIGSEGV) is a crash the OS raises when a program accesses memory it…
Service Level Indicator (SLI)Service Level Indicator (SLI): A service level indicator (SLI) is a quantitative measure of a service's behav…
Service Level Objective (SLO)Service Level Objective (SLO): A service level objective (SLO) is a target value for a service level indicato…
Service MeshA service mesh is a layer of sidecar proxies that handles service-to-service traffic - routing, retries, mTLS…
SIGHUPSIGHUP: SIGHUP (signal 1) was originally sent when a terminal hung up. Today it commonly tells daemons to rel…
SIGINTSIGINT (signal 2) is the interrupt sent by Ctrl+C, asking a process to stop. A process terminated by it exits…
SIGKILLSIGKILL: **SIGKILL** (signal 9) force-terminates a process immediately and cannot be caught. In CI it usually…
Sign-OffSign-Off: A sign-off is a formal, recorded statement by a responsible party that a deliverable meets its crit…
SignalSignal: A **signal** is an OS message that can terminate a process. A process killed by signal N exits with c…
Signed TagSigned Tag: A signed tag (`git tag -s`) is an annotated tag carrying a cryptographic signature (GPG or SSH) t…
SIGSEGVSIGSEGV (signal 11) fires when a process accesses memory it may not - a segmentation fault. It exits with cod…
SIGTERMSIGTERM (signal 15) asks a process to shut down gracefully so it can clean up. CI sends it on cancel or timeo…
SIGTERMSIGTERM: SIGTERM (signal 15) is the polite request to a process to shut down. Unlike SIGKILL it can be caught…
SLA (Service Level Agreement)An SLA is a contractual promise about service quality - uptime or response time - with consequences like cred…
SLI (Service Level Indicator)An SLI is a measured signal of service quality - like success rate or latency - that an SLO sets a target on…
SLI (Service Level Indicator)SLI (Service Level Indicator): An SLI (service level indicator) is a quantitative measure of a service's beha…
SLO (Service Level Objective)An SLO is an internal reliability target - like 99.9% of requests under 300ms - that teams measure against to…
Source MapSource Map: A source map is a file that maps positions in compiled or minified output back to the original so…
SpanSpan: A span is the basic unit of a distributed trace: a single named operation with a start time, a duration…
SpanSpan: A span is the basic unit of a trace: a single named, timed operation with a start, an end, and attribut…
Stack TraceA stack trace is the ordered list of function calls active when an error occurred, showing the path the progr…
Startup ProbeStartup Probe: A startup probe is a Kubernetes check that gives a slow-starting container time to initialize…
Structured LoggingStructured Logging: Structured logging emits log entries as machine-parseable records (usually JSON) with nam…
TelemetryTelemetry: Telemetry is the collective data a system emits about itself: logs, metrics, and traces. OpenTelem…
TelemetryTelemetry: Telemetry is the data a system emits about its own behavior: metrics, logs, and traces (the three…
Test Flakiness RateTest Flakiness Rate: The test flakiness rate is the fraction of test runs that fail intermittently on unchang…
Test Runner Exit BehaviorTest Runner Exit Behavior: A test runner's exit behavior is the exit code it returns: zero when all tests pas…
Test ShardingTest sharding splits a suite into balanced groups run on separate machines in parallel, cutting wall-clock te…
ThrottlingThrottling: Throttling is deliberately slowing or limiting a rate, such as capping CPU when a job hits its li…
ThroughputThroughput is the rate of work a system completes - requests per second, builds per hour. It measures capacit…
ThroughputThroughput: Throughput is the rate at which a system completes units of work, for example jobs finished per m…
Thundering HerdA thundering herd is many clients hitting a resource at the same instant - a cache expiry or recovery - overw…
Thundering HerdThundering Herd: The thundering herd problem is when a large number of processes or requests are all released…
TimeoutTimeout: A timeout is a maximum time an operation is allowed to run before it is aborted, preventing a stuck…
Timeout BudgetTimeout Budget: A timeout budget is the total time allotted to an operation, divided among its sub-steps so r…
TLS HandshakeTLS Handshake: A TLS handshake is the negotiation at the start of an HTTPS connection where client and server…
TraceTrace: A trace is the complete record of one request or workflow as it flows through a system, assembled from…
TracingDistributed tracing follows a single request as it hops across services, recording timing at each step so you…
TracingTracing: Tracing follows a single request or operation as it moves across services and components, recording…
TranspilerA transpiler translates source from one high-level language to another - TypeScript to JavaScript, modern JS…
ulimitulimit sets per-process resource limits - open files, memory, processes. A too-low file-descriptor ulimit cau…
Undefined BehaviorUndefined behavior is code whose effect the language spec leaves unconstrained, so the compiler may do anythi…
Undefined ReferenceUndefined Reference: An undefined reference is a linker error meaning a symbol (function or variable) was dec…
Verified CommitVerified Commit: A verified commit is one whose signature GitHub could validate against a known key on the au…
Webhook DeliveryWebhook delivery is the outbound HTTP POST a service sends to a subscriber’s URL when an event fires, usually…
Zero-Cost AbstractionA zero-cost abstraction is a high-level construct that compiles to code as efficient as a hand-written low-le…
Zombie ProcessA zombie process has exited but its parent has not yet collected its status, so it lingers in the process tab…
Delivery, reliability & supply chain
Progressive delivery, DORA/SRE, supply-chain, and advanced runner terms.
ABI (Application Binary Interface)ABI (Application Binary Interface): An ABI is the low-level contract between compiled binaries: how functions…
ABI (Application Binary Interface)ABI (Application Binary Interface): An ABI (application binary interface) is the low-level contract between b…
Acceptance GateAcceptance Gate: An acceptance gate is a checkpoint where a change is verified against its acceptance criteri…
Acceptance TestAcceptance Test: An acceptance test verifies that a feature meets its business requirements from the user's p…
Acceptance Test-Driven DevelopmentAcceptance Test-Driven Development: Acceptance test-driven development (ATDD) is a collaborative practice whe…
Access TokenAccess Token: An access token is a credential a client presents to an API to prove it is authorized for a sco…
Access TokenAccess Token: An access token is a short-lived credential that authorizes a client to call protected API endp…
ACIDACID: ACID is the set of guarantees a transactional database provides: Atomicity (all-or-nothing), Consistenc…
ACIDACID: ACID is a set of guarantees for reliable transactions: Atomicity, Consistency, Isolation, and Durabilit…
Action SHA PinningAction SHA Pinning: Action SHA pinning is referencing a third-party action by its full commit SHA (for exampl…
Adapter PatternAdapter Pattern: The adapter pattern puts a sidecar in front of a container to normalize its interface, for e…
Admission ControllerAdmission Controller: An admission controller is a Kubernetes component that intercepts requests to the API s…
Admission ControllerAdmission Controller: An admission controller intercepts requests to the Kubernetes API server after authenti…
Affected GraphAffected Graph: An affected graph identifies which projects or tasks in a monorepo are impacted by a set of c…
AffinityAffinity: Affinity is a scheduling rule that attracts a job to specific runners, for example placing a job ne…
AffinityAffinity: Affinity rules tell the Kubernetes scheduler where a pod prefers or requires to run. Node affinity…
Ahead-of-Time CompilationAhead-of-Time Compilation: Ahead-of-time (AOT) compilation translates source or bytecode into native machine…
Ahead-of-Time Compilation (AOT)Ahead-of-Time Compilation (AOT): Ahead-of-time (AOT) compilation translates source or bytecode to native mach…
Ambassador PatternAmbassador Pattern: The ambassador pattern puts a proxy container in front of a main container to handle outb…
Anti-AffinityAnti-Affinity: Anti-affinity is a scheduling rule that keeps jobs apart, for example spreading replicas of a…
Apdex ScoreApdex Score: Apdex (Application Performance Index) is a standardized score from 0 to 1 that summarizes user s…
API ContractAPI Contract: An API contract is the agreed specification of how a client and server communicate: the endpoin…
API GatewayAPI Gateway: An API gateway is a server that sits in front of backend services and handles cross-cutting conc…
API SchemaAPI Schema: An API schema is a formal, machine-readable description of an API's data structures and operation…
API VersioningAPI Versioning: API versioning is the practice of exposing distinct versions of an API (via URL path, header,…
Apply (IaC)Apply (IaC): An apply executes the changes an IaC tool computed, creating, updating, or deleting real resourc…
Approval TestingApproval Testing: Approval testing captures the actual output of code and requires a human to approve it as c…
Artifact AttestationArtifact Attestation: An artifact attestation is a signed statement binding a build artifact to how and where…
Artifact PromotionArtifact Promotion: Artifact promotion is moving a single tested artifact through environments (dev to stagin…
Artifact RepositoryArtifact Repository: An artifact repository is a server that stores and serves build outputs and packages (fo…
Artifact Retention WindowArtifact Retention Window: An artifact retention window is the fixed period a CI platform keeps an uploaded b…
Asset HashingAsset Hashing: Asset hashing embeds a content-derived hash in output filenames (for example `app.3f9a1c.js`)…
Assume RoleAssume Role: Assume role is the act of an identity temporarily taking on a different role's permissions, rece…
Assume RoleAssume Role: Assume role is the action of an identity requesting temporary credentials for an IAM role it is…
Asymmetric EncryptionAsymmetric Encryption: Asymmetric encryption uses a mathematically linked key pair - a public key to encrypt…
At-Least-Once DeliveryAt-Least-Once Delivery: At-least-once delivery guarantees a message is delivered one or more times, never zer…
At-Least-Once DeliveryAt-Least-Once Delivery: At-least-once delivery guarantees a message is delivered one or more times: it is nev…
Attack SurfaceAttack Surface: An attack surface is the total set of points where an attacker could try to enter, extract da…
AttestationAttestation: An attestation is a signed statement about an artifact, such as its provenance, SBOM, or test re…
AttestationAttestation: An attestation is a signed, machine-verifiable statement about an artifact, such as which tests…
AttestationAttestation: An attestation is a signed, verifiable statement about an artifact or process, for example a cla…
Attribute-Based Access Control (ABAC)Attribute-Based Access Control (ABAC): Attribute-based access control decides access by evaluating attributes…
Audience (aud)Audience (aud): The audience claim (`aud`) names the intended recipient of a token; a verifier must reject a…
Audit LoggingAudit Logging: Audit logging is the recording of security-relevant events (who did what, when, and to which r…
AvailabilityAvailability: Availability is the proportion of time a system is operational and able to serve requests, comm…
Backend (IaC)Backend (IaC): A backend defines where and how an IaC tool stores its state and runs operations, for example…
BackfillBackfill: A backfill populates a newly added column or table with values derived from existing data, typicall…
BackfillBackfill: A backfill reprocesses historical data through a pipeline, for example to populate a new column or…
Background ProcessBackground Process: A background process is one started with a trailing `&` so the shell returns immediately…
Backoff JitterBackoff Jitter: Backoff jitter is the random delay added to each retry interval so that many clients retrying…
Backward CompatibilityBackward Compatibility: Backward compatibility means a newer version of an API still works with clients built…
Baseline ScanBaseline Scan: A baseline scan records the set of findings that exist today so future scans report only new i…
Bearer TokenBearer Token: A bearer token is a credential sent in the HTTP `Authorization: Bearer <token>` header; whoever…
Behavior-Driven DevelopmentBehavior-Driven Development: Behavior-driven development (BDD) extends TDD by writing examples in a structure…
Behavior-Driven DevelopmentBehavior-Driven Development: Behavior-driven development (BDD) extends TDD by describing desired behavior in…
Bin Packing (Scheduling)Bin Packing (Scheduling): Bin packing in scheduling is placing jobs onto runners so each machine is filled cl…
Binary RepositoryBinary Repository: A binary repository is an artifact repository specialized for compiled binaries and packag…
BisectBisect: Bisect (`git bisect`) performs a binary search through commit history to find the exact commit that i…
Blast RadiusBlast Radius: Blast radius is the scope of impact if a change or failure goes wrong: how many systems, users,…
Blue-Green CutoverBlue-Green Cutover: A blue-green cutover switches all traffic from the current version (blue) to a fully depl…
Blue-Green DeploymentBlue-Green Deployment: A blue-green deployment runs two identical production environments, one live (blue) an…
Blue-Green DeploymentBlue-Green Deployment: A blue-green deployment runs two identical production environments, blue (live) and gr…
BottleneckBottleneck: A bottleneck is the stage in a process with the least capacity, which limits the throughput of th…
Breaking Change DetectionBreaking Change Detection: Breaking change detection compares two versions of an API schema or contract and f…
Build ArtifactBuild Artifact: A build artifact is a file or package produced by compiling or assembling source code, such a…
Build FarmBuild Farm: A build farm is a pool of machines dedicated to compiling and testing software, shared across tea…
Build FingerprintBuild Fingerprint: A build fingerprint is a hash computed from a task’s inputs (source files, dependencies, t…
Build ParallelizationBuild Parallelization: Build parallelization is splitting work across multiple cores or machines so independe…
Build Provenance (GitHub)Build Provenance (GitHub): Build provenance is verifiable metadata describing the origin of an artifact (sour…
BuildKitBuildKit: BuildKit is Docker's modern build engine that parallelizes independent build steps, supports advanc…
Buildx BuilderBuildx Builder: A buildx builder is a BuildKit build instance managed through the `docker buildx` CLI. Builde…
BulkheadBulkhead: A bulkhead is a resilience pattern that isolates resources (like connection or thread pools) per de…
BulkheadBulkhead: The bulkhead pattern isolates resources, such as separate thread pools or connection pools per depe…
Bulkhead IsolationBulkhead Isolation: Bulkhead isolation partitions resources so a failure in one part cannot exhaust the whole…
BundlingBundling: Bundling combines many source modules and their dependencies into a smaller number of output files,…
Burn RateBurn Rate: Burn rate is how fast an error budget is being consumed relative to the pace that would exhaust it…
BytecodeBytecode: Bytecode is a compact, platform-independent instruction set produced by a compiler and executed by…
Cache BustingCache Busting: Cache busting forces clients to download a new version of a file by changing its URL, usually…
Cache Eviction PolicyCache Eviction Policy: A cache eviction policy governs which CI caches are removed when a repository hits its…
Cache Restore KeyCache Restore Key: A cache restore key is a fallback prefix used to find a partial cache match when the exact…
Cache ScopeCache Scope: Cache scope defines the boundary within which a cache entry is visible and reusable, such as per…
Cache WarmthCache Warmth: Cache warmth describes how well a cache is populated with currently useful entries, on a spectr…
Calling ConventionCalling Convention: A calling convention is the part of an ABI that specifies how functions receive arguments…
Canary AnalysisCanary Analysis: Canary analysis evaluates a new version against metrics (error rate, latency, saturation) wh…
Canary DeploymentCanary Deployment: A canary deployment releases a new version to a small fraction of traffic or users first,…
Canary ModelCanary Model: A canary model is a new model version rolled out to a small fraction of live traffic first, so…
Canary ReleaseCanary Release: A canary release rolls a new version out to a small subset of users or servers first, watches…
Capacity PlanningCapacity Planning: Capacity planning is the practice of forecasting future demand and provisioning enough res…
CardinalityCardinality: Cardinality is the number of unique label combinations for a metric. High cardinality (for examp…
Certificate AuthorityCertificate Authority: A certificate authority (CA) is a trusted entity that signs TLS certificates. A client…
Certificate AuthorityCertificate Authority: A certificate authority (CA) is a trusted entity that issues and signs digital certifi…
Certificate PinningCertificate Pinning: Certificate pinning is hard-coding the expected certificate or public key of a server in…
cgroupscgroups: cgroups (control groups) are a Linux kernel feature that limits and accounts for the resources (CPU,…
Chain of CustodyChain of Custody: A chain of custody is an unbroken, verifiable record of how an artifact was produced and ha…
ChangelogChangelog: A changelog is a chronological, version-by-version record of notable changes to a project, typical…
ChangelogChangelog: A changelog is a curated, ordered record of notable changes per release (features, fixes, breaking…
Characterization TestCharacterization Test: A characterization test captures the current behavior of existing (often legacy) code…
ChecksumChecksum: A checksum is a fixed-size value computed from a file with a hash function (such as SHA-256) that c…
Cherry-PickCherry-Pick: A cherry-pick applies a specific commit from one branch onto another without merging the whole b…
Cherry-PickCherry-Pick: Cherry-pick (`git cherry-pick <sha>`) applies the change introduced by one specific commit onto…
Circuit BreakerCircuit Breaker: A circuit breaker is a resilience pattern that stops calling a failing dependency after a th…
Circuit BreakerCircuit Breaker: A circuit breaker stops calling a failing dependency after errors cross a threshold, returni…
Circuit BreakerCircuit Breaker: A circuit breaker is a resilience pattern that stops calling a failing dependency after erro…
Circuit BreakerCircuit Breaker: A circuit breaker is a resilience pattern that stops calling a failing dependency after a th…
Circuit BreakingCircuit Breaking: Circuit breaking is a resilience pattern that stops sending requests to a failing dependenc…
ClaimClaim: A claim is a name-value statement carried inside a token, such as `sub`, `iss`, or a custom field, tha…
ClusterCluster: A cluster is the set of worker nodes plus a control plane managed together as one orchestration unit…
Cluster (Kubernetes)Cluster (Kubernetes): A cluster is a set of machines (nodes) managed together by a control plane that schedul…
Cluster AutoscalerCluster Autoscaler: A cluster autoscaler adds nodes when pods cannot be scheduled for lack of capacity and re…
CNAME RecordCNAME Record: A CNAME record is a DNS alias that points one hostname at another canonical name. Resolution th…
CNI (Container Network Interface)CNI (Container Network Interface): CNI is the Container Network Interface, a standard for plugins that wire u…
Code FreezeCode Freeze: A code freeze is a period before a release when changes to the release branch are restricted to…
Code SigningCode Signing: Code signing is applying a cryptographic signature to a binary or package so recipients can ver…
Code SmellCode Smell: A code smell is a surface symptom in code (long methods, duplicated logic, large classes) that hi…
Code SplittingCode Splitting: Code splitting breaks a bundle into multiple smaller chunks that load on demand rather than a…
Code SplittingCode Splitting: Code splitting breaks a bundle into multiple chunks that load on demand, so users download on…
Cold CacheCold Cache: A cold cache is a cache with no useful entries for the current run, so every lookup misses and th…
Command SubstitutionCommand Substitution: Command substitution replaces `$(command)` (or backticks) with that command output, let…
Common Weakness Enumeration (CWE)Common Weakness Enumeration (CWE): CWE is a community-maintained catalog of software and hardware weakness ty…
CompilationCompilation: Compilation is the process of translating source code into a lower-level form (machine code, byt…
Compile CacheCompile Cache: A compile cache stores the output of compiling a source file keyed by its content and flags, s…
Compliance FrameworkCompliance Framework: A compliance framework is a structured set of controls and requirements (such as SOC 2…
Compliance ScanningCompliance Scanning: Compliance scanning is the automated inspection of code, configuration, images, or infra…
ConcurrencyConcurrency: Concurrency is structuring a program so multiple tasks make progress over overlapping time perio…
Concurrency (Performance)Concurrency (Performance): Concurrency in performance testing is the number of requests or users being handle…
Condition CoverageCondition Coverage: Condition coverage requires that each boolean sub-expression in a compound condition eval…
Configuration DriftConfiguration Drift: Drift is the divergence between a system's real configuration and the state declared in…
Configuration DriftConfiguration Drift: Configuration drift is the gradual divergence of a running system from its intended, ver…
Configuration ManagementConfiguration Management: Configuration management is the process of establishing and maintaining a known, co…
ConftestConftest: Conftest is a command-line tool that tests structured configuration files (YAML, JSON, HCL, Dockerf…
ConftestConftest: Conftest is a command-line tool that tests structured configuration files (YAML, JSON, HCL, Dockerf…
Connection PoolConnection Pool: A connection pool is a cache of open, reusable connections (to a database or HTTP service) s…
Connection PoolConnection Pool: A connection pool is a cache of open database connections that an application reuses instead…
Connection StringConnection String: A connection string is a single value that tells a client how to reach a database, encodin…
Container Image RegistryContainer Image Registry: A container image registry is a server that stores and distributes container images…
Container OrchestrationContainer Orchestration: Container orchestration automates deploying, scaling, networking, and healing of con…
Container OrchestrationContainer Orchestration: Container orchestration is the automated scheduling, networking, scaling, and lifecy…
Container RuntimeContainer Runtime: A container runtime is the software that creates and runs containers from images, managing…
Container RuntimeContainer Runtime: A container runtime is the software that actually runs containers from images, handling pr…
Container Runtime InterfaceContainer Runtime Interface: The Container Runtime Interface (CRI) is the standard API Kubernetes uses to tal…
Container ScanningContainer Scanning: Container scanning inspects a container image's operating-system packages and application…
containerdcontainerd: containerd is a widely used high-level container runtime that pulls images, manages storage and n…
Content HashContent Hash: A content hash is a hash computed from a file contents, used in output filenames so the name ch…
Content TrustContent Trust: Content trust is verifying that a pulled image is authentic and unmodified by checking a crypt…
Content-Addressable CacheContent-Addressable Cache: A content-addressable cache stores each artifact under a key derived from a hash o…
Content-Addressable StorageContent-Addressable Storage: Content-addressable storage identifies data by the hash of its content rather th…
Context (GitHub Actions)Context (GitHub Actions): A context is a named object of run data available in expressions, such as `github`,…
Contract TestingContract Testing: Contract testing verifies that two services agree on the shape of the messages they exchang…
Control (Compliance)Control (Compliance): A control is a specific safeguard or countermeasure (technical, administrative, or phys…
Control PlaneControl Plane: The control plane is the set of components that make global decisions about a system (scheduli…
Control PlaneControl Plane: The control plane is the set of Kubernetes components that make global decisions about the clu…
Conventional CommitsConventional Commits: Conventional Commits is a specification for commit message format, `type(scope): descri…
CORSCORS: CORS (Cross-Origin Resource Sharing) is a browser security mechanism where a server uses `Access-Contro…
CORSCORS: CORS (Cross-Origin Resource Sharing) is a browser mechanism that uses HTTP headers to let a server decl…
Cosign SigningCosign Signing: Cosign is a tool from the Sigstore project that signs and verifies container images and other…
CRI-OCRI-O: CRI-O is a lightweight container runtime built specifically to implement the Kubernetes Container Runt…
Critical PathCritical Path: The critical path is the longest chain of dependent steps in a pipeline, the sequence that det…
Cross CompilationCross Compilation: Cross compilation is building an executable on one platform (the host) that runs on a diff…
Cross-CompilationCross-Compilation: Cross-compilation is building an executable on one platform (the host) that runs on a diff…
CSI (Container Storage Interface)CSI (Container Storage Interface): CSI is the Container Storage Interface, a standard that lets storage vendo…
Custom Resource Definition (CRD)Custom Resource Definition (CRD): A custom resource definition extends the Kubernetes API with a new object t…
Cut a ReleaseCut a Release: To cut a release is to create the specific, versioned build (often by branching and tagging) t…
CVECVE: A CVE (Common Vulnerabilities and Exposures) is a unique public identifier, formatted like CVE-2024-1234…
CVE (Common Vulnerabilities and Exposures)CVE (Common Vulnerabilities and Exposures): A CVE is a unique identifier (e.g. `CVE-2021-44228`) assigned to…
CVSSCVSS: CVSS (Common Vulnerability Scoring System) is an open standard that rates the severity of a vulnerabili…
CVSS (Common Vulnerability Scoring System)CVSS (Common Vulnerability Scoring System): CVSS is a standard for scoring the severity of a vulnerability on…
Cyclomatic ComplexityCyclomatic Complexity: Cyclomatic complexity is a metric, defined by Thomas McCabe, that counts the number of…
Cyclomatic ComplexityCyclomatic Complexity: Cyclomatic complexity counts the number of linearly independent paths through a functi…
DaemonSetDaemonSet: A DaemonSet ensures one copy of a pod runs on every node (or every node matching a selector), and…
Dark LaunchDark Launch: A dark launch ships new code to production but keeps it hidden from users, often by sending real…
Data ContractData Contract: A data contract is an explicit, versioned agreement between a data producer and consumer speci…
Data DriftData Drift: Data drift is a change in the statistical distribution of a models input features between trainin…
Data IngestionData Ingestion: Data ingestion is the process of collecting data from sources (APIs, databases, files, event…
Data LineageData Lineage: Data lineage is the traceable map of how data flows from sources through transformations to fin…
Data MigrationData Migration: A data migration transforms or moves the rows themselves (rewriting values, splitting a colum…
Data PipelineData Pipeline: A data pipeline is an automated series of steps that moves data from sources to destinations,…
Data QualityData Quality: Data quality measures how accurate, complete, consistent, and timely data is relative to expect…
Data RetentionData Retention: Data retention is the policy for how long data is kept before it is deleted or archived, driv…
Data TransformationData Transformation: Data transformation is the step that cleans, reshapes, joins, and aggregates raw data in…
Data ValidationData Validation: Data validation is the automated checking of data against rules (types, ranges, nullability,…
Data WarehouseData Warehouse: A data warehouse is a central store optimized for analytical queries over structured, cleaned…
Database IndexDatabase Index: A database index is an auxiliary data structure (usually a B-tree) that lets the database fin…
Database IndexDatabase Index: A database index is a data structure that speeds up lookups on one or more columns, at the co…
Database MigrationDatabase Migration: A database migration is a versioned, ordered change to a database schema or data, applied…
Database ShardingDatabase Sharding: Database sharding splits a dataset across multiple databases by a shard key, so each shard…
Database SnapshotDatabase Snapshot: A database snapshot is a point-in-time copy of a database (a dump or a storage-level clone…
DataOpsDataOps: DataOps applies agile and CI/CD practices to data pipelines: version control, automated testing, con…
Dead Code EliminationDead Code Elimination: Dead code elimination is a compiler optimization that removes code that can never exec…
Dead Code EliminationDead Code Elimination: Dead code elimination is a compiler optimization that removes code whose results are n…
Dead Letter QueueDead Letter Queue: A dead letter queue (DLQ) is a holding queue for messages that could not be processed afte…
Dead Letter QueueDead Letter Queue: A dead letter queue (DLQ) is a holding queue for messages that could not be processed afte…
Deadline PropagationDeadline Propagation: Deadline propagation is passing a remaining-time deadline down through nested calls so…
DeadlockDeadlock: A deadlock occurs when two transactions each hold a lock the other needs, so neither can proceed. T…
Declarative ConfigurationDeclarative Configuration: Declarative configuration describes the desired end state of a system and lets the…
Definition of ReadyDefinition of Ready: A definition of ready is an agreed checklist a work item must satisfy before the team st…
DenormalizationDenormalization: Denormalization deliberately duplicates or pre-joins data so reads avoid expensive joins, tr…
Dependency ConfusionDependency Confusion: Dependency confusion is a supply-chain attack where a public package is published under…
Dependency Confusion AttackDependency Confusion Attack: A dependency confusion attack tricks a package manager into pulling a malicious…
Dependency Confusion DefenseDependency Confusion Defense: Dependency confusion is a supply-chain attack where an attacker publishes a pub…
Dependency HellDependency Hell: Dependency hell is the situation where conflicting, circular, or impossible-to-satisfy versi…
Dependency LockDependency Lock: A dependency lock is a generated file (package-lock.json, yarn.lock, Cargo.lock, poetry.lock…
Dependency ResolutionDependency Resolution: Dependency resolution is the process a package manager uses to choose concrete version…
Dependency ScanningDependency Scanning: Dependency scanning examines a project's declared and transitive libraries against vulne…
Deploy KeyDeploy Key: A deploy key is an SSH public key added to one repository, granting read (or read/write) access t…
Deployment Artifact LineageDeployment Artifact Lineage: Deployment artifact lineage is the traceable chain linking a deployed artifact b…
Deployment EnvironmentDeployment Environment: A deployment environment is a named target (like `staging` or `production`) in GitHub…
Deployment Freeze WindowDeployment Freeze Window: A deployment freeze window is a scheduled period during which production deployment…
Deployment FrequencyDeployment Frequency: Deployment frequency is a DORA metric measuring how often an organization successfully…
Deployment GateDeployment Gate: A deployment gate is a check that must pass before a release proceeds to the next environmen…
Deployment RingDeployment Ring: A deployment ring is a group of users or hosts that receives a new release at a defined stag…
Deployment StrategyDeployment Strategy: A deployment strategy is the method by which a new version replaces the old one, such as…
Deployment StrategyDeployment Strategy: A deployment strategy is how a new version replaces the old one. The two built-in Kubern…
DeserializationDeserialization: Deserialization is the reverse of serialization: turning received bytes (a JSON string, a pr…
DeserializationDeserialization: Deserialization is reconstructing an in-memory object from a serialized byte or text payload…
Desired StateDesired State: Desired state is the target configuration you declare for a system: the resources, versions, a…
Destroy (IaC)Destroy (IaC): A destroy removes all resources an IaC configuration manages, tearing down infrastructure in d…
Deterministic CompilationDeterministic Compilation: Deterministic compilation produces byte-for-byte identical output from the same so…
Dev DependencyDev Dependency: A dev dependency is a package needed only to build or test the project, not to run it, declar…
Developer ExperienceDeveloper Experience: Developer experience (DevEx) is the overall quality of how it feels to build software i…
Developer PortalDeveloper Portal: A developer portal is a central web interface (for example Backstage) where engineers disco…
DevSecOpsDevSecOps: DevSecOps extends DevOps by making security a shared, continuous responsibility built into the pip…
Diamond DependencyDiamond Dependency: A diamond dependency occurs when two of your dependencies both require a third package bu…
Digital SignatureDigital Signature: A digital signature is a value created with a private key that lets anyone with the matchi…
Disaster RecoveryDisaster Recovery: Disaster recovery is the set of plans and procedures for restoring systems and data after…
Distributed BuildDistributed Build: A distributed build splits compilation across multiple machines that work on different par…
Distributed TracingDistributed Tracing: Distributed tracing follows a single request as it flows across multiple services, recor…
Distroless ImageDistroless Image: A distroless image is a minimal base image that contains only your application and its runt…
DNS RecordDNS Record: A DNS record maps a name to data: an A record points a hostname to an IPv4 address, AAAA to IPv6,…
DNS-Based DiscoveryDNS-Based Discovery: DNS-based discovery is service discovery implemented through DNS, where a service name r…
Docker-in-Docker (DinD)Docker-in-Docker (DinD): Docker-in-Docker (DinD) runs a Docker daemon inside a container so a containerized C…
DowntimeDowntime: Downtime is any period during which a system is unavailable to serve requests, whether from an outa…
Drift DetectionDrift Detection: Drift detection compares the real state of infrastructure against the declared configuration…
Drift DetectionDrift Detection: Drift detection is the process of comparing the actual state of infrastructure against its d…
Dynamic Application Security Testing (DAST)Dynamic Application Security Testing (DAST): DAST tests a running application from the outside, sending craft…
Dynamic ImportDynamic Import: A dynamic import is the `import()` expression that loads a module at runtime and returns a pr…
Dynamic LinkingDynamic Linking: Dynamic linking resolves library references at load time or run time rather than build time,…
Dynamic SecretDynamic Secret: A dynamic secret is a credential generated on demand for a specific consumer with a short lea…
East-West TrafficEast-West Traffic: East-west traffic is network traffic between services inside the same cluster or data cent…
EgressEgress: Egress is outbound network traffic leaving a system, such as a runner reaching package registries, AP…
ELTELT: ELT (Extract, Load, Transform) loads raw data into a warehouse first, then transforms it in place using…
Encryption at RestEncryption at Rest: Encryption at rest protects stored data by encrypting it on disk, so that reading the raw…
Encryption at RestEncryption at Rest: Encryption at rest protects stored data (on disks, in databases, in object storage) by ke…
Encryption in TransitEncryption in Transit: Encryption in transit protects data as it moves across a network by encrypting the con…
EndpointEndpoint: An endpoint is a specific URL and method combination that an API exposes to perform an operation, s…
Entry CriteriaEntry Criteria: Entry criteria are the conditions that must be satisfied before a phase (such as testing, a r…
Environment Protection RuleEnvironment Protection Rule: An environment protection rule is a condition attached to a deployment environme…
Ephemeral ContainerEphemeral Container: An ephemeral container is a temporary container you inject into a running Kubernetes pod…
Ephemeral ContainerEphemeral Container: An ephemeral container is a temporary container added to a running Kubernetes Pod for de…
Ephemeral CredentialEphemeral Credential: An ephemeral credential is a token or key issued just-in-time for one CI run and expiri…
Ephemeral EnvironmentEphemeral Environment: An ephemeral environment is a short-lived, fully deployed instance of an application s…
Error Budget PolicyError Budget Policy: An error budget policy is the agreed set of rules for what happens as an SLO's allowed f…
etcdetcd: etcd is the distributed key-value store that holds all Kubernetes cluster state: every object, its spec…
ETLETL: ETL (Extract, Transform, Load) is a pattern that pulls data from sources, reshapes it, then writes the r…
Event BusEvent Bus: An event bus is a central channel that routes events from producers to interested consumers, formi…
Eventual ConsistencyEventual Consistency: Eventual consistency is a guarantee that, given no new writes, all replicas will conver…
Eventual ConsistencyEventual Consistency: Eventual consistency is a model where replicas may briefly disagree after a write but c…
Everything as CodeEverything as Code: Everything as code is the practice of expressing infrastructure, configuration, pipelines…
EvictionEviction: Eviction is the termination of a running pod by the cluster, either voluntarily (drains, rebalancin…
Evidence CollectionEvidence Collection: Evidence collection is the gathering and retention of artifacts (logs, approvals, scan r…
Exactly-Once DeliveryExactly-Once Delivery: Exactly-once delivery is the guarantee that each message takes effect once and only on…
Exactly-Once DeliveryExactly-Once Delivery: Exactly-once delivery means a message is processed one time and only one time. True en…
Exit CriteriaExit Criteria: Exit criteria are the conditions that must be true for a phase (a test cycle, a hardening peri…
Expand-Contract MigrationExpand-Contract Migration: The expand-contract (parallel change) pattern splits a breaking schema change into…
Experiment TrackingExperiment Tracking: Experiment tracking records the parameters, code version, data version, metrics, and art…
Exploratory TestingExploratory Testing: Exploratory testing is unscripted, human-driven testing where the tester simultaneously…
Exponential BackoffExponential Backoff: Exponential backoff is a retry strategy that doubles the wait between attempts (1s, 2s,…
Expression Syntax (GitHub Actions)Expression Syntax (GitHub Actions): Expression syntax is the `${{ }}` language in GitHub Actions used to read…
False PositiveFalse Positive: A false positive is a finding a tool reports that is not actually a real problem, for example…
Fan-InFan-In: Fan-in is the point where many parallel CI jobs converge into a single downstream job that aggregates…
Fan-OutFan-Out: Fan-out is splitting one CI job into many parallel jobs so independent work (test shards, matrix com…
Fan-Out FactorFan-Out Factor: The fan-out factor is how many parallel downstream units a single upstream step spawns, for e…
Fault InjectionFault Injection: Fault injection is deliberately introducing failures, such as latency, errors, or killed pro…
Feature FlagFeature Flag: A feature flag is a runtime toggle that turns a code path on or off without redeploying, lettin…
Feature FreezeFeature Freeze: A feature freeze is a point in a release cycle after which no new features are accepted, so r…
Feature StoreFeature Store: A feature store is a system that computes, stores, and serves machine-learning features consis…
Federated IdentityFederated Identity: Federated identity lets one system trust identities issued by another, so a token from a…
Federated IdentityFederated Identity: Federated identity lets one system trust identities issued by another (via OIDC or SAML)…
File DescriptorFile Descriptor: A file descriptor is a small non-negative integer the kernel uses to reference an open file,…
File PermissionsFile Permissions: File permissions are the read, write, and execute bits (rwx) the OS checks before allowing…
Fine-Grained TokenFine-Grained Token: A fine-grained token is a GitHub PAT restricted to chosen repositories and per-resource p…
Fixture DataFixture Data: Fixture data is a fixed, predefined dataset loaded before a test so the test runs against a kno…
Flow EfficiencyFlow Efficiency: Flow efficiency is the ratio of active work time to total elapsed time for a unit of work; l…
Force PushForce Push: A force push (`git push --force`) overwrites the remote branch with your local history, discardin…
Force-With-LeaseForce-With-Lease: Force-with-lease (`git push --force-with-lease`) is a safer force push that only overwrites…
Foreign KeyForeign Key: A foreign key is a column that references the primary key of another table, enforcing that the r…
Foreign Key ConstraintForeign Key Constraint: A foreign key constraint is a rule that a column's values must match a key in another…
Forward MigrationForward Migration: A forward migration (the "up" direction) advances the schema to a newer version, applying…
Fuzz TestingFuzz Testing: Fuzz testing feeds a program large amounts of random, malformed, or unexpected input to find cr…
FuzzingFuzzing: Fuzzing feeds a program large volumes of random, malformed, or unexpected input to trigger crashes,…
Git HookGit Hook: A git hook is a script Git runs automatically at points in its workflow, such as `pre-commit`, `com…
Git LFSGit LFS: Git LFS (Large File Storage) replaces large binaries in the repository with small text pointers and…
GITHUB_TOKENGITHUB_TOKEN: GITHUB_TOKEN is an automatically generated, per-run credential that authenticates a workflow to…
GitOpsGitOps: GitOps is an operating model in which a Git repository holds the declared desired state of infrastruc…
GitOps ReconciliationGitOps Reconciliation: GitOps reconciliation is the continuous loop in which a controller compares the actual…
Given, When, ThenGiven, When, Then: Given, When, Then is a template for expressing a test or scenario in plain language: given…
Go/No-Go DecisionGo/No-Go Decision: A go/no-go decision is a formal checkpoint where stakeholders decide whether a release is…
Golden PathGolden Path: A golden path is the supported, opinionated route for a common task (creating a service, adding…
Golden TestingGolden Testing: Golden testing compares program output against a known-good reference file, the golden file,…
Graceful DegradationGraceful Degradation: Graceful degradation is designing a system to keep serving reduced functionality when a…
Graceful DegradationGraceful Degradation: Graceful degradation is designing a system to keep working at reduced capability when a…
Graceful DegradationGraceful Degradation: Graceful degradation is designing a system to keep serving reduced functionality when a…
Graceful TerminationGraceful Termination: Graceful termination is the shutdown sequence that gives a pod time to finish in-flight…
GraphQL SchemaGraphQL Schema: A GraphQL schema defines the types, queries, mutations, and subscriptions a GraphQL API expos…
gRPCgRPC: gRPC is a high-performance remote procedure call framework that runs over HTTP/2 and serializes message…
gRPCgRPC: gRPC is a high-performance remote procedure call framework that uses HTTP/2 for transport and Protocol…
GuardrailGuardrail: A guardrail is an automated preventive or detective control that constrains what changes a pipelin…
GuardrailsGuardrails: Guardrails are automated, preventive or detective controls that keep teams inside approved bounda…
gVisorgVisor: gVisor is a sandboxed container runtime (invoked as `runsc`) that intercepts application syscalls in…
HandoffHandoff: A handoff is a transfer of work from one person or team to another; each handoff adds queueing, cont…
Hardening PhaseHardening Phase: A hardening phase is a stabilization period late in a release cycle focused on fixing bugs,…
Hardware Security Module (HSM)Hardware Security Module (HSM): A hardware security module (HSM) is a dedicated, tamper-resistant device that…
Hash VerificationHash Verification: Hash verification is recomputing an artifact's hash and comparing it to a trusted expected…
HeadroomHeadroom: Headroom is the spare capacity a system keeps in reserve above its normal load, so it can absorb sp…
Hermetic BuildHermetic Build: A hermetic build runs in complete isolation from the host: it declares every input explicitly…
HIPAAHIPAA: HIPAA (Health Insurance Portability and Accountability Act) is a US law whose Security Rule sets stand…
HMAC SignatureHMAC Signature: An HMAC signature is a keyed hash of a message computed with a shared secret; recomputing it…
Horizontal Pod AutoscalerHorizontal Pod Autoscaler: A Horizontal Pod Autoscaler (HPA) is a Kubernetes controller that automatically ch…
Horizontal ScalingHorizontal Scaling: Horizontal scaling (scaling out) adds more instances of a service to handle load, spreadi…
HotfixHotfix: A hotfix is an urgent, narrowly scoped patch applied to production to fix a critical bug outside the…
Hyperparameter TuningHyperparameter Tuning: Hyperparameter tuning searches over model configuration values (learning rate, tree de…
IAM RoleIAM Role: An IAM role is an identity in a cloud provider with a set of permissions that trusted principals ca…
ID TokenID Token: An ID token is an OpenID Connect JWT that asserts the identity of an authenticated subject through…
IdempotencyIdempotency: Idempotency is the property that running an operation multiple times has the same effect as runn…
Idempotency KeyIdempotency Key: An idempotency key is a unique client-supplied identifier (often in an `Idempotency-Key` hea…
Idempotency KeyIdempotency Key: An idempotency key is a unique client-supplied identifier attached to a request so the serve…
Idempotent MethodIdempotent Method: An idempotent method is an HTTP method that produces the same result whether called once o…
Idempotent MigrationIdempotent Migration: An idempotent migration produces the same result whether it runs once or many times, ty…
Idempotent OperationIdempotent Operation: An idempotent operation produces the same result whether it runs once or many times, so…
Idempotent PipelineIdempotent Pipeline: An idempotent pipeline produces the same end state whether it runs once or many times on…
Idempotent RequestIdempotent Request: An idempotent request produces the same result whether sent once or many times, so retrie…
Image Digest PinningImage Digest Pinning: Image digest pinning references a container image by its immutable content digest (for…
Image IndexImage Index: An image index is the OCI specification equivalent of a Docker manifest list: a top-level docume…
Image LayerImage Layer: An image layer is one immutable, content-addressed filesystem change in a container image. Each…
Image ManifestImage Manifest: An image manifest is the JSON document describing a single-platform image: its config and the…
Image Pull PolicyImage Pull Policy: An image pull policy controls when a runtime fetches an image versus using a cached copy.…
Image Pull SecretImage Pull Secret: An image pull secret is a stored credential that lets a runtime or cluster authenticate to…
Image Pull TimeImage Pull Time: Image pull time is the wall-clock duration spent downloading and extracting a container imag…
Image ScanningImage Scanning: Image scanning analyzes a container image for known vulnerabilities in its OS packages and ap…
Image Tag ImmutabilityImage Tag Immutability: Image tag immutability is a registry setting that prevents an existing tag from being…
Immutable ActionImmutable Action: An immutable action is a published action version that cannot be changed after release, so…
Immutable InfrastructureImmutable Infrastructure: Immutable infrastructure is a model where servers are never modified after deployme…
Immutable InfrastructureImmutable Infrastructure: Immutable infrastructure is a model where servers are never modified after deployme…
Immutable TagImmutable Tag: An immutable tag is a registry tag or reference that, once published, can never be overwritten…
IncidentIncident: An incident is an unplanned disruption or degradation of a service that requires a response, such a…
Incremental CompilationIncremental Compilation: Incremental compilation recompiles only the parts of a program affected by a change,…
Infrastructure as CodeInfrastructure as Code: Infrastructure as Code (IaC) is the practice of defining servers, networks, and cloud…
Infrastructure as Code (IaC)Infrastructure as Code (IaC): Infrastructure as code is defining and provisioning infrastructure (servers, ne…
Infrastructure ScanningInfrastructure Scanning: Infrastructure scanning analyzes infrastructure-as-code files and cloud configuratio…
IngressIngress: Ingress is inbound network traffic entering a system or the rules and components that control it, su…
Ingress ControllerIngress Controller: An ingress controller is a component that watches Ingress resources and configures a reve…
Init ContainerInit Container: An init container is a container in a Kubernetes Pod that runs to completion before the app c…
Input Variable (IaC)Input Variable (IaC): An input variable parameterizes an IaC configuration or module, letting you pass values…
Installation TokenInstallation Token: An installation access token is a token a GitHub App mints for a specific installation. I…
Interactive Application Security Testing (IAST)Interactive Application Security Testing (IAST): IAST instruments a running application from the inside to ob…
Interactive RebaseInteractive Rebase: An interactive rebase (`git rebase -i`) opens an editor listing commits so you can reorde…
Intermediate RepresentationIntermediate Representation: An intermediate representation (IR) is the data structure a compiler uses intern…
Internal Developer PlatformInternal Developer Platform: An internal developer platform (IDP) is the integrated set of self-service tools…
Inversion of ControlInversion of Control: Inversion of control is a principle where the framework or container, rather than your…
Isolation LevelIsolation Level: An isolation level controls how visible one transaction's uncommitted work is to others. The…
Issuer (iss)Issuer (iss): The issuer claim (`iss`) identifies the authority that minted a token; a verifier trusts a toke…
JSON SchemaJSON Schema: JSON Schema is a vocabulary for validating the structure of JSON: it declares required fields, t…
JSON Web Token (JWT)JSON Web Token (JWT): A JSON Web Token (JWT) is a compact, URL-safe token (RFC 7519) with three base64url par…
JUnit XMLJUnit XML: JUnit XML is a widely supported machine-readable report format that lists each test case with its…
Just-in-Time CompilationJust-in-Time Compilation: Just-in-time (JIT) compilation compiles code to native machine code during executio…
Just-in-Time Compilation (JIT)Just-in-Time Compilation (JIT): Just-in-time (JIT) compilation converts bytecode or source to native machine…
JWTJWT: A JWT (JSON Web Token) is a signed, base64url-encoded token carrying claims about a subject, verifiable…
Kata ContainersKata Containers: Kata Containers run each container inside a lightweight virtual machine, combining VM-level…
Key ManagementKey Management: Key management is the disciplined generation, storage, distribution, rotation, and revocation…
Key RotationKey Rotation: Key rotation is replacing a cryptographic key with a new one on a schedule or after suspected e…
Key RotationKey Rotation: Key rotation is replacing cryptographic keys or credentials on a schedule or after suspected ex…
Kill SwitchKill Switch: A kill switch is a feature flag whose specific purpose is to instantly disable a feature or subs…
kubeletkubelet: The kubelet is the agent that runs on every Kubernetes node. It watches the API server for pods assi…
KubernetesKubernetes: Kubernetes is an open-source container orchestration platform that schedules containers onto node…
Kubernetes NamespaceKubernetes Namespace: A Kubernetes namespace is a virtual cluster that scopes and isolates resources (pods, s…
Label (Metrics)Label (Metrics): A label is a key-value pair attached to a metric to add dimensions, such as `branch="main"`…
LatencyLatency: Latency is the time a single request or operation takes to complete. It is the delay experienced per…
Latency PercentileLatency Percentile: A latency percentile reports the value below which a given fraction of requests fall: a p…
Latency PercentileLatency Percentile: A latency percentile describes the value below which a given fraction of requests fall, s…
Layer CacheLayer Cache: A layer cache stores the result of each instruction in a container build so that unchanged layer…
Layer CachingLayer Caching: Layer caching reuses unchanged image layers from a previous build instead of rebuilding them.…
Lazy LoadingLazy Loading: Lazy loading defers loading a resource or module until it is actually needed, rather than at in…
Lead TimeLead Time: Lead time for changes is a DORA metric measuring the elapsed time from a code commit to that chang…
Least PrivilegeLeast Privilege: Least privilege is the principle that an identity (user, service, or CI job) should hold onl…
Least PrivilegeLeast Privilege: Least privilege is the security principle of granting an identity only the permissions it ne…
Least PrivilegeLeast Privilege: Least privilege is the security principle that a user, service, or process should be granted…
Least Recently UsedLeast Recently Used: Least recently used (LRU) is an eviction policy that discards the cache entries untouche…
License ComplianceLicense Compliance: License compliance is the practice of tracking the open-source licenses of every dependen…
Linker ScriptLinker Script: A linker script is a file that tells the linker how to map input sections to output sections a…
LinkingLinking: Linking is the build step that combines compiled object files and libraries into a single executable…
Linux CapabilitiesLinux Capabilities: Linux capabilities split the privileges of root into distinct units (such as `CAP_NET_BIN…
Linux NamespacesLinux Namespaces: Linux namespaces are a kernel feature that isolates what a process can see: PID, network, m…
Load BalancerLoad Balancer: A load balancer distributes incoming network requests across multiple backend instances to spr…
Load TestingLoad Testing: Load testing measures how a system behaves under an expected level of concurrent traffic, verif…
Login ShellLogin Shell: A login shell is the first shell started when a user authenticates; it reads profile files like…
Long-Term CachingLong-Term Caching: Long-term caching is serving static assets with a far-future cache lifetime so browsers re…
Machine UserMachine User: A machine user is a GitHub account created to represent automation, holding tokens and permissi…
Manifest ListManifest List: A manifest list (Docker term) points to several per-platform image manifests under one tag, so…
Manual Approval GateManual Approval Gate: A manual approval gate is a pipeline checkpoint that pauses a deployment until a design…
Mean Time Between Failures (MTBF)Mean Time Between Failures (MTBF): Mean time between failures is the average elapsed time between one failure…
Mean Time To Acknowledge (MTTA)Mean Time To Acknowledge (MTTA): Mean time to acknowledge is the average time between an alert firing and a r…
Mean Time To Detect (MTTD)Mean Time To Detect (MTTD): Mean time to detect is the average time between when a failure starts and when mo…
Mean Time To Recovery (MTTR)Mean Time To Recovery (MTTR): Mean time to recovery is the average time it takes to restore service after a f…
Message QueueMessage Queue: A message queue is a buffer that holds messages between a producer and one or more consumers,…
Message QueueMessage Queue: A message queue is a buffer that holds messages between a producer and a consumer, decoupling…
Metrics (Observability)Metrics (Observability): Metrics are numeric measurements collected over time, such as request rate, error co…
MiddlewareMiddleware: Middleware is code that runs in the request pipeline before or after the main handler, handling c…
MinificationMinification: Minification rewrites source (typically JavaScript or CSS) to be smaller without changing behav…
MLOpsMLOps: MLOps applies CI/CD, testing, monitoring, and automation practices to the machine-learning lifecycle,…
Mock ObjectMock Object: A mock object is a test double pre-programmed with expectations about which calls it should rece…
Model DeploymentModel Deployment: Model deployment is the act of releasing a validated model to production so it can serve pr…
Model DriftModel Drift: Model drift is the gradual decline in a deployed models accuracy as the real-world data it sees…
Model MonitoringModel Monitoring: Model monitoring continuously tracks a deployed models predictions, inputs, and outcomes to…
Model RegistryModel Registry: A model registry is a versioned store for trained machine-learning models with their metadata…
Model TrainingModel Training: Model training is the process of fitting a machine-learning model to training data by optimiz…
Model ValidationModel Validation: Model validation evaluates a trained model on held-out data against quality thresholds (acc…
Module (IaC)Module (IaC): A module is a reusable, parameterized package of IaC configuration that groups related resource…
Monorepo ToolingMonorepo Tooling: Monorepo tooling is software (Nx, Turborepo, Bazel, Lerna, pnpm workspaces) that manages ma…
Mount PointMount Point: A mount point is a directory where a filesystem (a disk, network share, or container volume) is…
Multi-Factor Authentication (MFA)Multi-Factor Authentication (MFA): Multi-factor authentication requires two or more independent factors to au…
Mutable TagMutable Tag: A mutable tag is a registry tag that can be repointed to new content over time, such as `latest`…
Mutation ScoreMutation Score: A mutation score is the percentage of injected code mutations (deliberate bugs) that a test s…
Mutation ScoreMutation Score: Mutation score is the percentage of introduced mutants that the test suite detected (killed)…
Mutation TestingMutation Testing: Mutation testing deliberately introduces small faults (mutants) into the code, then checks…
Mutual TLSMutual TLS: Mutual TLS (mTLS) is TLS where both sides present certificates: the client authenticates the serv…
Mutual TLSMutual TLS: Mutual TLS (mTLS) is TLS where both the client and the server present certificates and verify eac…
Mutual TLSMutual TLS: Mutual TLS (mTLS) is a form of TLS where both the client and the server present certificates and…
Mutual TLS (mTLS)Mutual TLS (mTLS): Mutual TLS is TLS in which both the client and the server present and verify certificates,…
N+1 QueryN+1 Query: An N+1 query problem is a performance issue where code runs one query to fetch a list, then one ad…
Name ManglingName Mangling: Name mangling is how a compiler encodes function signatures (namespaces, argument types) into…
Named Pipe (FIFO)Named Pipe (FIFO): A named pipe, or FIFO, is a pipe that exists as a path on the filesystem, created with `mk…
Namespace (Kubernetes)Namespace (Kubernetes): A namespace is a virtual cluster inside a Kubernetes cluster that scopes names, RBAC,…
Namespace IsolationNamespace Isolation: Namespace isolation uses Kubernetes namespaces to partition a cluster into virtual sub-c…
Namespace QuotaNamespace Quota: A namespace quota (ResourceQuota) caps the aggregate resources a namespace may consume: tota…
NATNAT: NAT (network address translation) rewrites IP addresses as packets cross a boundary, letting many privat…
Network PolicyNetwork Policy: A network policy is a rule set that defines which sources and destinations a workload may com…
Network PolicyNetwork Policy: A network policy is a Kubernetes object that controls which pods can talk to which, acting as…
Nightly BuildNightly Build: A nightly build is an automated build produced on a schedule (typically once per day) from the…
Node AffinityNode Affinity: Node affinity is a scheduling rule that attracts pods to nodes matching specified labels, eith…
Node DrainNode Drain: A node drain safely evicts all pods from a node so it can be updated or removed, respecting pod d…
Node PoolNode Pool: A node pool is a group of nodes within a cluster that share the same configuration (machine type,…
Node SelectorNode Selector: A node selector is a set of key/value labels that constrains where a job can run, matching it…
NormalizationNormalization: Normalization is the process of organizing a schema to remove redundancy by splitting data int…
North-South TrafficNorth-South Traffic: North-south traffic is network traffic that enters or leaves a cluster or data center bo…
NotaryNotary: Notary is a project and set of services for signing and verifying content, historically the backend f…
OAuth 2.0OAuth 2.0: OAuth 2.0 is an authorization framework (RFC 6749) that lets an application obtain limited access…
OAuth FlowOAuth Flow: An OAuth flow is one of the standardized OAuth 2.0 sequences for obtaining an access token, such…
ObservabilityObservability: Observability is the degree to which you can understand a system's internal state from its ext…
OCI ArtifactOCI Artifact: An OCI artifact is any content stored in an OCI-compatible registry using the image manifest fo…
OCI ImageOCI Image: An OCI image is a container image that follows the Open Container Initiative image specification:…
OCI Runtime SpecOCI Runtime Spec: The OCI runtime spec is the Open Container Initiative standard defining how a container is…
OIDC SubjectOIDC Subject: An OIDC subject is the `sub` claim in the OpenID Connect token GitHub issues to a workflow, enc…
OIDC TokenOIDC Token: An OIDC token is a short-lived, signed JSON Web Token that GitHub Actions issues to a workflow so…
On-CallOn-Call: On-call is the rotation in which an engineer is responsible for responding to production alerts and…
Online Schema ChangeOnline Schema Change: An online schema change alters a large table without blocking reads and writes, typical…
OPA/Rego GateOPA/Rego Gate: An OPA/Rego gate is a CI check that uses Open Policy Agent to evaluate Rego policies against c…
Open Policy Agent (OPA)Open Policy Agent (OPA): Open Policy Agent (OPA) is a general-purpose policy engine that evaluates rules writ…
OpenAPIOpenAPI: OpenAPI is a standard, language-agnostic specification format for describing HTTP APIs, formerly cal…
OpenAPI SpecificationOpenAPI Specification: The OpenAPI Specification (formerly Swagger) is a machine-readable, language-agnostic…
OpenID ConnectOpenID Connect: OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that issues a signed ID…
Operator PatternOperator Pattern: The operator pattern packages operational knowledge for an application into a controller th…
Optimistic LockingOptimistic Locking: Optimistic locking detects concurrent edits without holding a lock: each row carries a ve…
Optional DependencyOptional Dependency: An optional dependency is a package whose installation failure does not fail the overall…
OrchestrationOrchestration: Orchestration is the automated coordination of multiple systems, services, or provisioning ste…
ORMORM: An ORM (object-relational mapper) is a library that maps database tables to objects in code, so develope…
ORM (Object-Relational Mapping)ORM (Object-Relational Mapping): An ORM maps database tables to objects in code so developers query with the…
Outlier DetectionOutlier Detection: Outlier detection automatically ejects individual backend instances from the load-balancin…
Package ManagerPackage Manager: A package manager is a tool that resolves, downloads, and installs software dependencies and…
PackfilePackfile: A packfile (`.pack` under `.git/objects/pack/`) stores many Git objects compressed together with de…
ParallelismParallelism: Parallelism is executing multiple computations literally at the same instant on separate cores o…
Path CoveragePath Coverage: Path coverage requires that every possible route through a function (each unique combination o…
Paved RoadPaved Road: A paved road is a curated, well-supported set of tools and workflows that make the recommended ap…
PCI DSSPCI DSS: PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements for organiz…
Peer DependencyPeer Dependency: A peer dependency is a package that a library expects its host project to provide rather tha…
Penetration TestPenetration Test: A penetration test is an authorized simulated attack on a system by a skilled tester who at…
Percentile (Latency)Percentile (Latency): A percentile is a value below which a given percentage of observations fall. In perform…
Persistent VolumePersistent Volume: A persistent volume is cluster storage whose lifecycle is independent of any pod, claimed…
Personal Access TokenPersonal Access Token: A personal access token is a credential tied to a user account that authenticates Git…
Personal Access Token (PAT)Personal Access Token (PAT): A personal access token (PAT) is a token tied to an individual user account that…
Pessimistic LockingPessimistic Locking: Pessimistic locking prevents conflicts by locking a row before reading or editing it (fo…
Pinned Action SHAPinned Action SHA: A pinned action SHA is referencing an action by its full 40-character commit hash (for exa…
PipePipe: A pipe (`|`) connects the standard output of one command to the standard input of the next, letting sma…
Plan (IaC)Plan (IaC): A plan is a preview an IaC tool generates showing exactly which resources it would create, change…
Plan/Apply (Terraform)Plan/Apply (Terraform): In Terraform, plan produces a preview of the changes required to reach the desired st…
Platform EngineeringPlatform Engineering: Platform engineering is the discipline of building an internal developer platform (self…
Platform EngineeringPlatform Engineering: Platform engineering is the discipline of building and operating internal self-service…
PodPod: A pod is the smallest deployable unit in Kubernetes: one or more containers that share a network namespa…
PodPod: A pod is the smallest deployable unit in Kubernetes: one or more containers that share a network namespa…
PodPod: A Pod is the smallest deployable unit in Kubernetes: one or more containers that share a network namespa…
Pod Disruption BudgetPod Disruption Budget: A pod disruption budget (PDB) limits how many pods of an application may be voluntaril…
Pod Disruption BudgetPod Disruption Budget: A pod disruption budget limits how many pods of an application can be voluntarily evic…
Pod SchedulingPod Scheduling: Pod scheduling is the process by which the Kubernetes scheduler selects a node for a new pod…
Policy as CodePolicy as Code: Policy as code expresses governance and security rules (such as "no public S3 buckets") in ma…
Policy as CodePolicy as Code: Policy as code is the practice of writing organizational rules (security, compliance, cost) a…
Policy-as-CodePolicy-as-Code: Policy-as-code expresses governance and compliance rules as version-controlled, machine-evalu…
PolyfillPolyfill: A polyfill is code that implements a modern feature in environments that lack it, so newer APIs wor…
PolyfillPolyfill: A polyfill is code that implements a newer API on older runtimes that lack it, so the same source c…
PolyrepoPolyrepo: A polyrepo is a code organization strategy where each project, service, or library lives in its own…
PostmortemPostmortem: A postmortem is a written review after an incident that records what happened, the timeline, the…
Pre-releasePre-release: A pre-release is a version published before the final stable release (such as an alpha, beta, or…
Preflight RequestPreflight Request: A preflight request is an automatic `OPTIONS` request a browser sends before certain cross…
Prepared StatementPrepared Statement: A prepared statement is a SQL query parsed once with placeholders for its parameters, the…
preStop HookpreStop Hook: A preStop hook is code that runs just before a container is terminated, used to deregister from…
Preview EnvironmentPreview Environment: A preview environment is a temporary deployment of a branch or pull request that lets re…
Primary KeyPrimary Key: A primary key is the column (or set of columns) that uniquely identifies each row in a table. It…
Privileged ContainerPrivileged Container: A privileged container runs with `--privileged`, granting nearly all host kernel capabi…
Progressive DeliveryProgressive Delivery: Progressive delivery rolls out a change to a growing subset of users while measuring he…
Progressive DeliveryProgressive Delivery: Progressive delivery is releasing a change to an increasing share of users over time wh…
Progressive RolloutProgressive Rollout: A progressive rollout releases a new version to a growing fraction of traffic or hosts o…
Progressive RolloutProgressive Rollout: A progressive rollout releases a new version to an increasing share of users or instance…
Promotion CriteriaPromotion Criteria: Promotion criteria are the conditions a build must meet to be promoted from one environme…
Promotion GatePromotion Gate: A promotion gate is a rule that must pass before an artifact or release advances from one env…
Property-Based TestingProperty-Based Testing: Property-based testing checks that a property holds for many automatically generated…
Protocol BuffersProtocol Buffers: Protocol Buffers (protobuf) are a compact, binary serialization format defined in `.proto`…
Protocol BuffersProtocol Buffers: Protocol Buffers (protobuf) is a language-neutral binary serialization format defined by `.…
ProvenanceProvenance: Provenance is verifiable metadata describing how an artifact was built: the source commit, builde…
ProvenanceProvenance: Provenance is verifiable metadata describing how a software artifact was built, including its sou…
Provenance AttestationProvenance Attestation: A provenance attestation is signed metadata that records how an artifact was built: t…
Provenance PredicateProvenance Predicate: A provenance predicate is the structured claim inside a build attestation that records…
Provider (IaC)Provider (IaC): A provider is a plugin that lets an IaC tool manage a specific platform's resources (AWS, Azu…
ProvisioningProvisioning: Provisioning is the act of creating and configuring infrastructure resources (compute, storage,…
Publish-SubscribePublish-Subscribe: Publish-subscribe (pub-sub) is a messaging pattern where publishers emit messages to a top…
Pull Rate LimitPull Rate Limit: A pull rate limit is a cap a registry places on how many image pulls a client may perform in…
Pull-Through Registry CachePull-Through Registry Cache: A pull-through registry cache is a local registry mirror that fetches an image f…
Query BuilderQuery Builder: A query builder is a library that constructs SQL programmatically through chained method calls…
Ramp-UpRamp-Up: Ramp-up is the period at the start of a load test during which virtual users are added gradually rat…
Rate Limit BudgetRate Limit Budget: A rate limit budget is the quota of requests an API permits per time window before it retu…
Rate LimitingRate Limiting: Rate limiting caps how many requests a client can make in a time window, returning HTTP 429 (T…
Rate LimitingRate Limiting: Rate limiting restricts how many requests a client can make in a time window, protecting a ser…
Read ReplicaRead Replica: A read replica is a copy of the primary database that serves read-only queries, offloading repo…
Read ReplicaRead Replica: A read replica is a copy of a database that receives changes from the primary and serves read-o…
RebaseRebase: Rebase replays your commits on top of another base commit, rewriting their SHAs to produce a linear h…
Reconciliation LoopReconciliation Loop: A reconciliation loop is a control mechanism that repeatedly compares desired state to c…
Reconciliation LoopReconciliation Loop: A reconciliation loop is a controller that repeatedly compares actual state to desired s…
Recreate StrategyRecreate Strategy: The Recreate strategy terminates all old pods before creating new ones, accepting a brief…
Red, Green, RefactorRed, Green, Refactor: Red, Green, Refactor is the core cycle of test-driven development: write a failing test…
RedirectionRedirection: Redirection sends a process stream to or from a file or another descriptor using operators like…
RefactoringRefactoring: Refactoring is changing the internal structure of code to improve its design without altering it…
Referential IntegrityReferential Integrity: Referential integrity is the guarantee that every foreign key points at a row that act…
ReflogReflog: The reflog records every update to `HEAD` and branch tips locally, so `git reflog` can recover commit…
Refresh TokenRefresh Token: A refresh token is a long-lived credential used to obtain new access tokens without re-authent…
RegistryRegistry: A registry is a server that stores and distributes container images (and other OCI artifacts) addre…
RegoRego: Rego is the declarative query language used by Open Policy Agent to express policy rules as logic over…
Release CandidateRelease Candidate: A release candidate (RC) is a build believed ready for release that is put through final t…
Release ChannelRelease Channel: A release channel is a named track of releases with a consistent stability level (for exampl…
Release NotesRelease Notes: Release notes are a human-readable summary of what changed in a release: new features, fixes,…
Release TrainRelease Train: A release train ships releases on a fixed schedule, and whatever features are ready by the cut…
Release TrainRelease Train: A release train is a fixed, recurring release schedule: whatever features are merged and ready…
Remote BackendRemote Backend: A remote backend stores Terraform state in a shared remote location (such as S3, GCS, or Terr…
Remote Build CacheRemote Build Cache: A remote build cache is a shared, network-accessible store of build outputs that multiple…
Remote StateRemote State: Remote state stores an IaC tool's state file in a shared backend (such as an S3 bucket or a man…
ReplicaSetReplicaSet: A ReplicaSet keeps a specified number of identical pod replicas running, replacing any that die.…
ReplicationReplication: Replication copies data from a primary database to one or more replicas, providing redundancy fo…
Reproducible BuildReproducible Build: A reproducible build produces a bit-for-bit identical output whenever it is run from the…
Reproducible Container BuildReproducible Container Build: A reproducible container build produces byte-for-byte identical image layers fr…
Reproducible PipelineReproducible Pipeline: A reproducible pipeline produces identical outputs when rerun with the same inputs, pi…
Requests Per SecondRequests Per Second: Requests per second (RPS, sometimes QPS for queries) is throughput expressed as the numb…
Resource (IaC)Resource (IaC): A resource is a single piece of infrastructure an IaC configuration manages, such as a virtua…
Resource LimitResource Limit: A resource limit is the maximum CPU or memory a job may use. Exceeding a memory limit trigger…
Resource LimitsResource Limits: Resource limits cap the CPU and memory a container may consume, enforced through cgroups. In…
Resource RequestResource Request: A resource request is the amount of CPU and memory a job asks for so the scheduler can rese…
Resource Request and LimitResource Request and Limit: A resource request is the CPU and memory a pod is guaranteed and is used for sche…
Response TimeResponse Time: Response time is the total elapsed time from sending a request to receiving the complete respo…
RESTREST: REST (Representational State Transfer) is an architectural style for APIs using HTTP methods, URLs as r…
Retry BudgetRetry Budget: A retry budget caps how many retries a system will attempt within a window, expressed as a frac…
Retry PolicyRetry Policy: A retry policy defines when and how many times a failed operation is retried, including the del…
Retry StormRetry Storm: A retry storm is a cascade where many clients retry a failing operation at once, multiplying loa…
Retry StormRetry Storm: A retry storm is a self-amplifying flood of retries: a dependency slows or fails, many clients r…
Reverse ProxyReverse Proxy: A reverse proxy sits in front of one or more servers and forwards client requests to them, oft…
Reverse ProxyReverse Proxy: A reverse proxy is a server that sits in front of backend services and forwards client request…
Role-Based Access Control (RBAC)Role-Based Access Control (RBAC): Role-based access control grants permissions to roles rather than directly…
Role-Based Access Control (RBAC)Role-Based Access Control (RBAC): Role-based access control (RBAC) grants permissions to named roles and assi…
RollbackRollback: A rollback reverts a system to the previous known-good version after a deployment causes problems.…
Rollback MigrationRollback Migration: A rollback migration (the "down" direction) reverses a previous migration, dropping the c…
Rollback WindowRollback Window: A rollback window is the period after a deployment during which reverting to the previous ve…
Rolling UpdateRolling Update: A rolling update replaces pods incrementally, bringing up new ones and tearing down old ones…
Rollout StatusRollout Status: Rollout status is the current progress and health of a deployment update, reporting how many…
Root UserRoot User: The root user is the superuser account (UID 0) on Unix-like systems, exempt from permission checks…
Rootless BuildKitRootless BuildKit: Rootless BuildKit is a mode of the BuildKit builder that constructs container images witho…
Rootless ContainerRootless Container: A rootless container runs the container engine and workload as an unprivileged user by ma…
Rootless ContainerRootless Container: A rootless container runs and is built without root privileges on the host, using user na…
Rootless ContainerRootless Container: A rootless container runs without root privileges on the host by mapping the container ro…
RouteRoute: A route is the rule that maps an incoming request path and method to the handler that serves it. Routi…
RunbookRunbook: A runbook is a documented set of steps for performing a routine or emergency operations task, such a…
runcrunc: runc is the reference low-level OCI runtime that actually spawns a container process using Linux namesp…
Runtime DependencyRuntime Dependency: A runtime dependency is a package the application needs to execute in production, not jus…
SAMLSAML: SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and au…
Sampling (Tracing)Sampling (Tracing): Sampling keeps only a fraction of traces to control cost and volume while preserving repr…
Sandbox (Container)Sandbox (Container): A sandbox is an isolation boundary that restricts what code inside it can touch. Sandbox…
SaturationSaturation: Saturation is how full a resource is relative to its capacity, such as CPU at 95% or a full CI ru…
SBOM DiffSBOM Diff: An SBOM diff compares two software bills of materials to show which components were added, removed…
ScaffoldingScaffolding: Scaffolding is the automated generation of a project starting structure, its directories, config…
Scatter-GatherScatter-Gather: Scatter-gather is a pattern that scatters a task into parallel workers and then gathers their…
Scheduler (Kubernetes)Scheduler (Kubernetes): The scheduler is the control-plane component that assigns newly created pods to nodes…
Schema DriftSchema Drift: Schema drift is the divergence between a database's actual schema and the schema your migration…
Schema EvolutionSchema Evolution: Schema evolution is the controlled change of a datasets structure over time (adding, renami…
Schema MigrationSchema Migration: A schema migration changes the structure of a database (tables, columns, indexes, constrain…
Schema RegistrySchema Registry: A schema registry is a central store of API or message schemas and their versions, letting p…
Schema ValidationSchema Validation: Schema validation checks that a payload conforms to a defined schema: correct types, requi…
ScopeScope: A scope is a named permission attached to an OAuth token that limits what actions the token may perfor…
ScorecardScorecard: A scorecard is a set of automated checks that grade a service against standards (test coverage, pi…
Sealed SecretSealed Secret: A sealed secret is a secret encrypted with a controller-held public key so the ciphertext can…
seccompseccomp: seccomp (secure computing mode) is a Linux kernel feature that filters which system calls a process…
Secret RotationSecret Rotation: Secret rotation is periodically replacing stored secrets such as API keys, database password…
Secret ScanningSecret Scanning: Secret scanning searches code, commits, and history for exposed credentials such as API keys…
Secret ScanningSecret Scanning: Secret scanning detects credentials (API keys, tokens, private keys) committed to a reposito…
Secrets ManagerSecrets Manager: A secrets manager is a system that securely stores, controls access to, and audits secrets s…
Security TestSecurity Test: A security test evaluates software for vulnerabilities, misconfigurations, and weaknesses that…
Seed DataSeed Data: Seed data is the baseline rows loaded into a fresh database so an application can start (reference…
Self-ServiceSelf-Service: Self-service in platform engineering means developers can provision resources or run actions (c…
Semantic API VersioningSemantic API Versioning: Semantic API versioning applies semantic versioning (MAJOR.MINOR.PATCH) to an API, w…
Semantic ReleaseSemantic Release: Semantic release is an automated release workflow that determines the next version number f…
Semantic VersioningSemantic Versioning: Semantic versioning (SemVer) is a version scheme of MAJOR.MINOR.PATCH where MAJOR marks…
SerializationSerialization: Serialization is converting an in-memory object into a byte or text format (JSON, protobuf) fo…
Serialization FormatSerialization Format: A serialization format is the encoding used to turn in-memory data into bytes for stora…
Serverless ContainerServerless Container: A serverless container runs a container image on demand without managing servers or clu…
Service AccountService Account: A service account is a non-human identity used by an application or automation to authentica…
Service AccountService Account: A service account is a non-human identity used by an application, pipeline, or workload to a…
Service AccountService Account: A service account is a non-human identity used by an application, pipeline, or workload to a…
Service Account TokenService Account Token: A service account token is a credential issued to a service (not a person) so pipeline…
Service DiscoveryService Discovery: Service discovery is the mechanism by which services find the network location of other se…
Service DiscoveryService Discovery: Service discovery is the mechanism by which services find the network addresses of other s…
Service LevelService Level: A service level describes a target for a service behavior, typically expressed as a Service Le…
Service Level Agreement (SLA)Service Level Agreement (SLA): A service level agreement is a formal contract between a provider and a custom…
Service Level Agreement (SLA)Service Level Agreement (SLA): A service level agreement is a contractual commitment about a service, such as…
Service Level Indicator (SLI)Service Level Indicator (SLI): A service level indicator is a quantitative measure of a service's behavior, s…
Service Level Objective (SLO)Service Level Objective (SLO): A service level objective is a target value or range for a service level indic…
Service MeshService Mesh: A service mesh is an infrastructure layer that manages service-to-service traffic (mutual TLS,…
Service MeshService Mesh: A service mesh is an infrastructure layer that manages service-to-service communication (routin…
Service OwnershipService Ownership: Service ownership is the model where the team that builds a service is accountable for ope…
Shallow CloneShallow Clone: A shallow clone (`git clone --depth 1`) fetches only recent history up to a set depth instead…
ShardingSharding: Sharding splits one logical dataset across multiple databases (shards) by a shard key, so each serv…
ShebangShebang: A shebang is the `#!` line at the top of a script that tells the kernel which interpreter to run it…
ShimShim: A shim is a small compatibility layer that intercepts calls and adapts them, for example translating a…
SidecarSidecar: A sidecar is a helper container that runs alongside a main container, sharing its lifecycle and netw…
Sidecar ContainerSidecar Container: A sidecar container is a helper container that runs alongside the main application contain…
Sidecar ProxySidecar Proxy: A sidecar proxy is a helper container deployed alongside an application container in the same…
SigstoreSigstore: Sigstore is an open-source project for signing and verifying software artifacts using short-lived,…
Single Sign-On (SSO)Single Sign-On (SSO): Single sign-on lets a user authenticate once with an identity provider and then access…
Site Reliability EngineeringSite Reliability Engineering: Site reliability engineering (SRE), originated at Google, applies software-engi…
Small BatchesSmall Batches: Working in small batches means integrating and releasing changes frequently in small increment…
Soak TestingSoak Testing: Soak testing (endurance testing) runs a sustained load over hours or days to surface problems t…
SOC 2SOC 2: SOC 2 is an auditing framework, defined by the AICPA, that reports on a service organization's control…
Soft DeleteSoft Delete: A soft delete marks a row as deleted (for example by setting a `deleted_at` timestamp) instead o…
Software Bill of Materials (SBOM)Software Bill of Materials (SBOM): A software bill of materials (SBOM) is a machine-readable inventory of eve…
Software Bill of Materials (SBOM)Software Bill of Materials (SBOM): An SBOM is a formal, machine-readable inventory of all components, librari…
Software CatalogSoftware Catalog: A software catalog is a machine-readable inventory of an organization services, libraries,…
Software Composition Analysis (SCA)Software Composition Analysis (SCA): SCA inventories a project's open-source and third-party dependencies and…
Software TemplateSoftware Template: A software template is a parameterized starter (scaffold) that generates a new service or…
Source MapSource Map: A source map is a file that maps positions in compiled, minified, or bundled output back to the o…
Sparse CheckoutSparse Checkout: Sparse checkout (`git sparse-checkout set <paths>`) populates only a chosen subset of a repo…
Spike TestingSpike Testing: Spike testing subjects a system to a sudden, sharp jump in traffic to check whether it can abs…
Spot NodeSpot Node: A spot node is a cheap, interruptible cloud instance that the provider can reclaim on short notice…
StabilizationStabilization: Stabilization is the work of driving a release build toward reliability by fixing defects and…
Standard Error (stderr)Standard Error (stderr): Standard error (stderr, file descriptor 2) is the separate stream a process writes d…
Standard Input (stdin)Standard Input (stdin): Standard input (stdin, file descriptor 0) is the default stream a process reads input…
Standard Output (stdout)Standard Output (stdout): Standard output (stdout, file descriptor 1) is the default stream a process writes…
State FileState File: A state file is the record an IaC tool keeps of the resources it manages, mapping configuration t…
State LockingState Locking: State locking prevents concurrent operations from writing to the same infrastructure state fil…
State LockingState Locking: State locking prevents two runs from modifying the same IaC state at once by acquiring a lock…
StatefulSetStatefulSet: A StatefulSet manages pods with stable identities and ordered, graceful deployment and scaling,…
Static AnalysisStatic Analysis: Static analysis examines source code without running it, detecting bugs, security issues, an…
Static Application Security Testing (SAST)Static Application Security Testing (SAST): SAST analyzes application source code, bytecode, or binaries with…
Static LinkingStatic Linking: Static linking copies the machine code of needed library functions directly into the final ex…
Status CodeStatus Code: A status code is the three-digit HTTP number in a response that signals the result: 2xx success,…
Stress TestingStress Testing: Stress testing pushes a system beyond its expected capacity to find its breaking point and ob…
Structured LoggingStructured Logging: Structured logging records log entries as machine-parseable data (typically JSON key-valu…
StubStub: A stub is a test double that returns fixed, canned responses to calls made during a test, letting you c…
SubmoduleSubmodule: A submodule embeds one Git repository inside another at a fixed commit, tracked in a `.gitmodules`…
SubshellSubshell: A subshell is a child shell process created by wrapping commands in `( ... )`, by a pipeline, or by…
sudosudo: sudo ("superuser do") runs a single command as another user, usually root, after checking a policy in `…
Supply Chain AttackSupply Chain Attack: A supply chain attack compromises software by targeting its dependencies, build tools, o…
Supply Chain SecuritySupply Chain Security: Supply chain security is the practice of protecting every step that produces and deliv…
Symbol TableSymbol Table: A symbol table is the index inside an object file or executable that maps names (functions, glo…
Symbolic LinkSymbolic Link: A symbolic link (symlink) is a special file that points to another path by name. Created with…
Taint and TolerationTaint and Toleration: A taint repels pods from a node unless the pod carries a matching toleration, letting y…
Taint and TolerationTaint and Toleration: A taint marks a node to repel pods that do not tolerate it; a toleration on a pod lets…
Target TripleTarget Triple: A target triple is a string that identifies the platform a compiler should build for, conventi…
Technical DebtTechnical Debt: Technical debt is the implied future cost of choosing an easy or quick solution now over a be…
Temporary CredentialsTemporary Credentials: Temporary credentials are short-lived access tokens that expire after minutes or hours…
Temporary CredentialsTemporary Credentials: Temporary credentials are short-lived access tokens issued for a limited time (and oft…
Test DatabaseTest Database: A test database is a disposable database instance used only by the test suite, isolated from d…
Test DoublesTest Doubles: Test doubles are stand-in objects that replace real dependencies during a test. The five canoni…
Test RunnerTest Runner: A test runner is the tool that discovers, executes, and reports on tests, for example Jest, pyte…
Test SetTest Set: A test set is data held out and touched only once, at the end, to estimate how a finished model wil…
Test-Driven DevelopmentTest-Driven Development: Test-driven development (TDD) is a practice where you write a failing test first, th…
Test-Driven DevelopmentTest-Driven Development: Test-driven development (TDD) is a practice of writing a failing test before writing…
Think TimeThink Time: Think time is a deliberate pause a virtual user waits between requests to mimic real human behavi…
Third-Party Action RiskThird-Party Action Risk: Third-party action risk is the supply-chain exposure from using actions you do not c…
Thread SafetyThread Safety: Thread safety is the property of code that behaves correctly when accessed by multiple threads…
Threat ModelThreat Model: A threat model is a structured analysis of a system that identifies its assets, potential attac…
Threshold GateThreshold Gate: A threshold gate is a pipeline check that passes or fails based on whether a measured value c…
ThroughputThroughput: Throughput is the amount of work a system completes per unit of time, commonly measured in reques…
Thundering HerdThundering Herd: The thundering herd problem is when many processes wake or act simultaneously, for example a…
TLS TerminationTLS Termination: TLS termination is decrypting incoming HTTPS traffic at a load balancer or reverse proxy, so…
tmpfstmpfs: tmpfs is a filesystem that lives in RAM (and swap) rather than on disk, so reads and writes are fast b…
ToilToil: Toil, in SRE terms, is manual, repetitive, automatable operational work that scales with load and produ…
Token ExpiryToken Expiry: Token expiry is the time (the `exp` claim) after which a token is no longer valid, bounding how…
Token ExpiryToken Expiry: Token expiry is the lifetime after which a token is rejected. Short expiries limit the window a…
Token RevocationToken Revocation: Token revocation is invalidating a token before it naturally expires, used when a credentia…
Token ScopeToken Scope: A token scope is a permission attached to a credential that bounds what it can do, such as `repo…
Traffic MirroringTraffic Mirroring: Traffic mirroring (shadowing) sends a copy of live requests to a new version without retur…
Traffic PolicyTraffic Policy: A traffic policy is a rule set that controls how requests are routed and treated between serv…
Traffic ShiftingTraffic Shifting: Traffic shifting gradually moves a percentage of live requests from an old version to a new…
Traffic ShiftingTraffic Shifting: Traffic shifting is gradually routing a percentage of requests from an old version to a new…
Training DataTraining Data: Training data is the labeled or observed data a model learns patterns from during training. It…
TransactionTransaction: A transaction groups one or more statements into a single unit that either fully commits or full…
Transitive Closure (Dependencies)Transitive Closure (Dependencies): The transitive closure of a dependency set is every package reachable by f…
TranspilationTranspilation: Transpilation (source-to-source compilation) translates code from one high-level language or l…
Tree ShakingTree Shaking: Tree shaking is a dead code elimination technique that removes exports never imported anywhere,…
Tree ShakingTree Shaking: Tree shaking is a build optimization that removes exports and modules that are never imported a…
Trust PolicyTrust Policy: A trust policy is the part of an IAM role that specifies which principals are allowed to assume…
TyposquattingTyposquatting: Typosquatting is publishing a malicious package under a name that closely resembles a popular…
Unique ConstraintUnique Constraint: A unique constraint guarantees that no two rows share the same value in a column or set of…
Unix SocketUnix Socket: A Unix domain socket is an inter-process communication endpoint addressed by a filesystem path r…
UptimeUptime: Uptime is the total time a system has been running and reachable without interruption. Availability i…
Validation SetValidation Set: A validation set is data held out from training and used to tune hyperparameters and select m…
Value Stream MappingValue Stream Mapping: Value stream mapping is a technique for diagramming every step from idea to production…
VaultVault: A vault is a secrets-management system that stores and controls access to tokens, passwords, certifica…
VendoringVendoring: Vendoring is committing a copy of your dependencies into your own repository (for example Go's `ve…
Version BumpVersion Bump: A version bump is the act of incrementing a project version number (major, minor, or patch) to…
Version PinningVersion Pinning: Version pinning is specifying an exact dependency version (for example `lodash@4.17.21`) ins…
Version RangeVersion Range: A version range is a constraint that allows any matching version of a dependency, such as `^1.…
Version SolvingVersion Solving: Version solving is the constraint-satisfaction algorithm inside dependency resolution that s…
VEX DocumentVEX Document: A VEX (Vulnerability Exploitability eXchange) document is a machine-readable statement assertin…
Virtual UserVirtual User: A virtual user (VU) is a simulated client in a load test that issues requests and follows a scr…
VulnerabilityVulnerability: A vulnerability is a weakness in software, configuration, or design that an attacker can explo…
Wait TimeWait Time: Wait time is the portion of a change lifecycle spent idle in a queue rather than being actively wo…
Wall-Clock TimeWall-Clock Time: Wall-clock time (elapsed or real time) is the actual time that passes from a job start to it…
Warm CacheWarm Cache: A warm cache is a cache already populated with the entries a build needs, so the run starts with…
Affinity rulesAffinity rules guide the scheduler to place a pod near specific nodes or other pods, expressed as preferred o…
ChangesetsChangesets is a release workflow where contributors add small intent files describing each change, which tool…
Environment protection rulesEnvironment protection rules gate deployments to an environment behind required approvals, wait timers, or br…
File mode bitsFile mode bits are the permission and type flags on a file that encode who may read, write, or execute it, us…
Intercepting routesIntercepting routes display a destination route within the current context, such as opening a detail page as…
Move semanticsMove semantics transfer ownership of a resource from one object to another without copying, leaving the sourc…
Owner, group, otherOwner, group, and other are the three permission classes Unix applies to each file, granting separate read, w…
Parallel routesParallel routes let one layout render multiple independent route slots at once, so distinct sections of a pag…
Ports and adaptersPorts and adapters is the pattern where an application defines interface ports for its needs and adapters imp…
Release gate criteriaRelease gate criteria are the explicit conditions a build must satisfy to pass a release gate, such as tests…
Requests and limitsRequests and limits are the two values that declare how much CPU and memory a container is guaranteed and how…
Runner diagnostic logsRunner diagnostic logs are detailed internal logs from the CI runner process itself, capturing how it set up…
Server-sent eventsServer-sent events let a server push a one-way stream of updates to a browser over a single long-lived HTTP c…
Taint and tolerationTaints and tolerations are a Kubernetes mechanism that lets a node repel pods unless those pods explicitly to…
Taints by conditionTaints by condition are taints the control plane automatically adds to a node when it enters a bad state, rep…
Four golden signalsThe four golden signals are latency, traffic, errors, and saturation, a compact set of metrics that together…
Golden signalsThe golden signals are four core service-health metrics, latency, traffic, errors, and saturation, that give…
Vendored dependenciesVendored dependencies are third-party packages committed directly into a project's repository so builds do no…
Background processA background process runs without holding the foreground of a shell, letting the shell accept other commands…
Base imageA base image is the starting container image a build extends with FROM, providing the OS and runtime foundati…
Baseline comparisonA baseline comparison evaluates a new version against a known-good reference running in the same conditions,…
Basic blockA basic block is a straight-line sequence of instructions with one entry and one exit, used as the unit of an…
Bind mountA bind mount makes an existing directory or file appear at a second path, so the same content is reachable fr…
Blameless cultureA blameless culture treats incidents as failures of systems and processes rather than people, encouraging hon…
Blast radius limitA blast radius limit is a cap on how much of a system or user base a change can affect at once, containing th…
Blue-green database migrationA blue-green database migration keeps two database states in sync so traffic can cut over to the new schema a…
Blue-green load balancerA blue-green load balancer is a traffic router that switches all requests from an old environment to a new on…
Blue-green service swapA blue-green service swap cuts traffic from a live environment to an identical idle one by repointing the rou…
Borrow checkerA borrow checker is a compile-time analysis that enforces rules about references so a program cannot use memo…
Bot accountA bot account is a non-human identity that performs automated actions like opening pull requests, clearly lab…
Bounded contextA bounded context is a boundary within a domain model where a particular set of terms and rules apply consist…
Branch deployA branch deploy publishes a deployment built from a specific branch, letting teams preview or release work fr…
Bridge jobA bridge job is a special pipeline job whose only purpose is to trigger a downstream pipeline, acting as the…
Build cacheA build cache stores intermediate build outputs so unchanged work can be reused across runs instead of recomp…
Build farmA build farm is a managed pool of machines dedicated to running builds, providing the shared compute that dis…
Build metadata fileA build metadata file captures facts about how an artifact was produced, such as the commit, build time, and…
Build minuteA build minute is the standard unit of CI billing: one minute of a runner executing a job, often weighted by…
Build provenance attestationA build provenance attestation is signed metadata describing how, where, and from what source an artifact was…
Build secret mountA build secret mount exposes a credential to a single build step at runtime without baking it into any image…
BuildKit frontendA BuildKit frontend translates a build definition such as a Dockerfile into the low-level build graph that Bu…
Bundle analyzerA bundle analyzer is a tool that visualizes a build output, showing which modules and dependencies take up th…
Bundle size budgetA bundle size budget caps the byte size of compiled JavaScript or CSS bundles, failing the build when a chang…
Burn rate alertA burn rate alert fires when an error budget is being consumed faster than sustainable, signaling that the SL…
Cache hierarchyA cache hierarchy is a layered arrangement of caches where a miss at one level falls through to the next, end…
Cache hitA cache hit occurs when requested data is found in the cache and served directly, avoiding the slower trip to…
Cache keyA cache key is the identifier that determines which cached entry a lookup retrieves, typically derived from t…
Cache missA cache miss occurs when requested data is not in the cache, forcing a slower fetch from the origin and usual…
Cache tagA cache tag is a named label on a cached entry that groups related items so they can be looked up and purged…
Calling convention (ABI)A calling convention in an ABI defines how functions pass arguments, return values, and preserve registers so…
Canary cohortA canary cohort is the limited group of users or traffic that gets a new release first, acting as an early wa…
Capacity providerA capacity provider tells a container scheduler where and how to obtain compute, letting it scale the underly…
Caret rangeA caret range allows version updates that do not change the leftmost non-zero version component, permitting c…
CDN edgeA CDN edge is a geographically distributed cache server that serves content from close to the user, cutting l…
cert-manager issuerA cert-manager issuer is a resource that represents a certificate authority and tells cert-manager how to obt…
Change advisoryA change advisory is a review process that assesses and approves significant changes before release, weighing…
Change calendarA change calendar is a shared schedule of planned deployments, maintenance, and freeze windows, giving teams…
Change data capture streamA change data capture stream emits a continuous feed of row-level inserts, updates, and deletes from a databa…
Change ticket referenceA change ticket reference links a deployment or commit to an approved change record, so every release traces…
Check runA check run is a single test or validation reported against a commit, with a status, conclusion, and optional…
Chroot jailA chroot jail changes a process apparent root directory so it can only see files under a chosen subtree, prov…
Annotation (CI)A CI annotation is a structured message attached to a workflow run or specific file and line, surfacing an er…
Environment file (CI)A CI environment file is a runner-provided file a step writes to in order to set environment variables, outpu…
Circuit breakerA circuit breaker stops calling a failing dependency for a cooldown period to prevent cascading failures and…
Client componentA client component is a UI component whose JavaScript ships to the browser and runs there, enabling state, ef…
Cluster autoscaler controllerA cluster autoscaler controller adds or removes worker nodes so that pending pods can schedule and underused…
Cluster IPA cluster IP is a stable virtual address assigned to a service that is reachable only inside the cluster and…
Clustered indexA clustered index determines the physical order of rows in a table, so the data itself is stored sorted by th…
Code quality reportA code quality report is a pipeline artifact summarizing maintainability issues, like complexity and duplicat…
Code signing certificateA code signing certificate is a digital certificate used to cryptographically sign software, proving its publ…
Code splitting strategyA code splitting strategy is the plan a build uses to break a bundle into smaller chunks loaded on demand, so…
Cold cacheA cold cache is one that is empty or freshly started, so early requests miss and must be served from the slow…
Cold startA cold start is the delay incurred when a job must wait for a brand-new machine to provision, boot, and regis…
Cold storage tierA cold storage tier holds rarely accessed data at very low cost in exchange for higher retrieval latency and…
Collector pipelineA collector pipeline is the chain of receivers, processors, and exporters that telemetry flows through inside…
Command handlerA command handler is the component that receives a command requesting a change, validates it, and executes th…
Commit statusA commit status is a simple state (success, failure, pending, error) that an external system attaches to a co…
Compiler cacheA compiler cache stores the output of compiling a translation unit keyed on its inputs, so an identical compi…
Compliance scanA compliance scan is an automated check that evaluates code, configuration, or infrastructure against regulat…
Composite actionA composite action bundles multiple workflow steps into a single reusable action, packaging common step seque…
Composite indexA composite index spans multiple columns in a defined order, accelerating queries that filter or sort on thos…
Composite stepA composite step is one of the steps bundled inside a composite action, letting several commands and actions…
Concurrency groupA concurrency group is a named key that limits how many workflow runs sharing it can execute at once, cancell…
Connection pooling strategyA connection pooling strategy reuses a managed set of open database connections across requests to avoid the…
Connection stringA connection string is a single text value holding the parameters needed to connect to a database, such as ho…
Conntrack tableThe conntrack table is the kernel record of active network connections used for NAT and stateful filtering, w…
Consensus quorumA consensus quorum is the minimum number of nodes that must agree for a distributed system to commit a decisi…
Consumer groupA consumer group is a set of consumers that share the work of reading a topic, with each partition assigned t…
Container registryA container registry is a storage and distribution service for container images, where builds push and deploy…
Content trust policyA content trust policy requires container images to be cryptographically signed and verified before they may…
ContinuationA continuation represents the rest of a computation at a given point, as a value that can be invoked later to…
Contract test consumerA contract test consumer is the client side of a contract test that records the requests and responses it exp…
Contract test providerA contract test provider is the service side of a contract test that replays a consumer contract against the…
Contract testA contract test verifies that two services agree on the shape of their interaction, catching breaking API cha…
CFG (control flow graph)A control flow graph represents a function as basic blocks connected by edges showing every path execution ca…
Control plane componentA control plane component is a management service that schedules workloads, stores cluster state, and drives…
Controlling terminalA controlling terminal is the terminal associated with a session that delivers keyboard signals and identifie…
Conventional changelogA conventional changelog is a release notes document generated automatically from structured commit messages…
Copy-on-write forkA copy-on-write fork shares the parent memory pages with the child read-only and copies a page only when one…
Coverage gateA coverage gate is a CI rule that fails a build when test coverage falls below a set threshold, enforcing a m…
Covering indexA covering index contains every column a query needs, so the engine can answer it from the index alone withou…
Cron scheduleA cron schedule uses a five-field time expression to trigger jobs at recurring times, such as nightly builds…
CSI secret driverA CSI secret driver mounts secrets from an external store directly into a pod as files via the container stor…
Custom executorA custom executor is a runner mode that delegates job environment setup and teardown to user-provided scripts…
Custom resource definitionA custom resource definition extends the Kubernetes API with a new object type, letting operators manage appl…
DaemonSet controllerA DaemonSet controller ensures a copy of a pod runs on every eligible node in a cluster, commonly used for lo…
DAGA DAG is a directed acyclic graph of jobs where edges express dependencies and no cycles exist, defining a va…
Dark launchA dark launch ships a feature to production turned off or hidden, so it can be tested in the real environment…
DAST scanA DAST scan tests a running application from the outside by sending crafted requests, finding vulnerabilities…
Backfill (data)A data backfill populates historical or missing records after the fact, filling gaps so a new table, column,…
Data fetching waterfallA data fetching waterfall is a chain of requests that run one after another because each waits on the previou…
Data mapperA data mapper is a layer that moves data between objects and a database while keeping the two independent, so…
Data mutationA data mutation is an operation that creates, updates, or deletes server state, unlike a read, and usually re…
Data plane componentA data plane component is the part of a system that carries and processes actual workload traffic, following…
Deadlock (database)A database deadlock occurs when two transactions each hold a lock the other needs, so neither can proceed unt…
Database indexA database index is an auxiliary data structure that lets the engine find rows matching a query quickly, avoi…
Dead letter exchangeA dead letter exchange receives messages that a queue cannot deliver or process, routing them aside for inspe…
Dead man switchA dead man switch alert is one that fires when an always-on signal goes missing, verifying that the monitorin…
Declarative pipelineA declarative pipeline describes the desired stages and outcomes of CI/CD, letting the system figure out how…
Dependency graphA dependency graph maps how components or packages depend on one another, used to order builds, detect cycles…
Dependency proxyA dependency proxy is a caching layer that sits in front of an upstream registry, storing pulled images or pa…
Dependency review gateA dependency review gate is a CI check that inspects added or changed dependencies in a pull request and bloc…
Deployment annotationA deployment annotation is a marker placed on monitoring charts at the moment of a release, making it easy to…
Deployment approval chainA deployment approval chain is the ordered set of sign-offs a release must collect before it ships, routing i…
Deployment environmentA deployment environment is a named target like staging or production that a pipeline deploys to, with its ow…
Deployment freezeA deployment freeze is a defined period when production releases are paused, used around high-risk windows li…
Deployment gateA deployment gate is a check, manual or automated, that must pass before a release is allowed to proceed to t…
Deployment tierA deployment tier is a label classifying an environment by its role, such as development, staging, or product…
Deployment windowA deployment window is an allowed time period for releasing changes, chosen to minimize user impact and ensur…
DeschedulerA descheduler periodically evicts pods that are now sub-optimally placed so the scheduler can reposition them…
Destination ruleA destination rule configures how traffic is handled after routing to a service, defining subsets, load-balan…
Deterministic buildA deterministic build produces the same output from the same inputs every time, with no run-to-run variation…
Deterministic timestampA deterministic timestamp is a fixed, source-derived time used in a build instead of the wall clock, so outpu…
Dirty readA dirty read happens when a transaction reads data another transaction has changed but not yet committed, ris…
Distributed buildA distributed build splits compilation and test work across many machines in parallel, cutting wall-clock bui…
Distributed lockA distributed lock coordinates exclusive access to a shared resource across multiple processes or machines so…
Distributed transactionA distributed transaction spans multiple databases or services and must either commit everywhere or roll back…
Distroless imageA distroless image contains only your application and its runtime dependencies, with no shell, package manage…
DNS policyA DNS policy controls how a pod resolves names, choosing whether it uses cluster DNS, the node resolver, or a…
Docker actionA Docker action is a CI action packaged as a container image, so its tools and dependencies are bundled and r…
Docker machine executorA Docker machine executor is a legacy autoscaling runner mode that spins up cloud VMs on demand, each running…
Domain eventA domain event is a record that something meaningful happened in the business domain, named in past tense and…
Downstream pipelineA downstream pipeline is a pipeline triggered by another pipeline, running after and in response to its upstr…
Dynamic child pipelineA dynamic child pipeline is a child pipeline whose configuration is generated at runtime by an earlier job, l…
Dynamic import boundaryA dynamic import boundary is the point where a module is loaded lazily with an import call, marking where a b…
Dynamic importA dynamic import loads a JavaScript module on demand at runtime, returning a promise, which enables code spli…
Dynamic linkerA dynamic linker loads the shared libraries a program depends on at startup and binds its references to the f…
Faker libraryA faker library generates realistic-looking fake values such as names, emails, and addresses, used to populat…
Fan-in barrierA fan-in barrier is a synchronization point where a job waits for all of its parallel upstream jobs to finish…
Feature branchA feature branch is a short-lived branch where a single feature or fix is developed in isolation before mergi…
Feature flag (GitLab)A feature flag lets teams turn functionality on or off at runtime without deploying, decoupling code release…
Feature toggleA feature toggle is a runtime switch that turns a feature on or off without deploying, decoupling code releas…
Federated identity configA federated identity config lets a cloud trust tokens issued by an external provider, so a pipeline can authe…
File descriptor tableA file descriptor table is the per-process list that maps small integer descriptors to the open files, socket…
File variableA file variable is a CI variable whose value the runner writes to a temporary file, exposing the file's path…
FinalizerA finalizer is a Kubernetes marker that blocks deletion of a resource until a controller completes cleanup wo…
Flaky test detectorA flaky test detector identifies tests that pass and fail nondeterministically by analyzing run history, so u…
Flaky testA flaky test passes and fails intermittently on the same code, usually due to timing, ordering, or environmen…
Foreign keyA foreign key is a column whose values must match a key in another table, linking rows across tables and enfo…
Forward declarationA forward declaration tells the compiler a name exists and its type before its full definition, letting code…
Freeze windowA freeze window is a period during which non-essential deployments are paused, often around peak business eve…
Full table scanA full table scan reads every row in a table to satisfy a query, which is slow on large tables and usually si…
FunctorA functor is a type that can be mapped over, applying a function to the values it contains while preserving i…
Gated deploymentA gated deployment requires a release to pass explicit checks or approvals before it can proceed, stopping th…
Gateway resourceA gateway resource defines how external traffic enters a mesh or cluster, configuring the ports, protocols, a…
GeneratorA generator is a function that can pause and resume, producing a sequence of values one at a time on demand r…
RebaseA git rebase replays your commits on top of another branch, producing a linear history instead of a merge com…
Package registry (GitLab)A package registry is a built-in store where a project publishes and consumes packages in standard formats, i…
Go/no-go decisionA go/no-go decision is the final ruling on whether a release proceeds, made by weighing gate results and risk…
Golden datasetA golden dataset is a curated, version-controlled set of reference inputs and expected outputs used to valida…
Golden fileA golden file is a stored reference output that a test compares against, flagging any difference as a failure…
Graceful shutdown windowA graceful shutdown window is the time a process is given after a polite stop signal to finish work and clean…
Grok patternA grok pattern is a named, reusable regular-expression template used to match and extract fields from semi-st…
Group runnerA group runner is a self-managed runner shared across all projects in a group or organization, rather than de…
Group variableA group variable is a CI variable defined at the group level so every project in that group inherits it, cent…
Hard linkA hard link is an additional directory entry pointing to the same inode as a file, so multiple names refer to…
Header guardA header guard is a preprocessor pattern that ensures a header file is included only once per translation uni…
Headless browserA headless browser is a real browser running without a visible UI, used in CI to automate page rendering and…
Headless serviceA headless service has no cluster IP and instead returns the addresses of its individual pods, so clients can…
Health check grace periodA health check grace period is a window after a new instance starts during which failed health checks are ign…
Heartbeat monitorA heartbeat monitor expects a periodic check-in signal and raises an alert when that signal stops arriving, c…
HeartbeatA heartbeat is a periodic signal a component sends to show it is alive, letting peers detect failure when the…
Helm releaseA Helm release is a named, versioned installation of a Helm chart into a Kubernetes cluster, tracked so it ca…
Helm values overrideA Helm values override is configuration supplied at install time that replaces a chart default, customizing a…
Hermetic buildA hermetic build depends only on explicitly declared, pinned inputs and is isolated from the host, so it prod…
Hermetic toolchainA hermetic toolchain is a build toolchain pinned and packaged as an explicit input, so builds do not depend o…
Higher-order functionA higher-order function takes other functions as arguments or returns a function as its result, treating beha…
Horizontal pod autoscalerA horizontal pod autoscaler is a Kubernetes controller that adds or removes pod replicas for a workload based…
Hot storage tierA hot storage tier holds frequently accessed data with low retrieval latency at a higher per-gigabyte storage…
HotfixA hotfix is an urgent, narrowly scoped patch applied directly to a released version to fix a critical product…
Husky hookA Husky hook is a Git hook managed by the Husky tool, letting a project run checks like linting or tests auto…
Hydration mismatchA hydration mismatch happens when the markup a client renders during hydration differs from the server HTML,…
JavaScript actionA JavaScript action is a CI action that runs as a Node program directly on the runner, starting fast and work…
Job matrixA job matrix expands a single job definition into many parallel jobs across combinations of variables like OS…
Job summaryA job summary is custom Markdown a CI job writes to surface results, tables, or links directly on the run pag…
Job timeoutA job timeout is the maximum time a CI job may run before the system cancels it, preventing a stuck or runawa…
Offset (Kafka)A Kafka offset is the sequential position of a message within a partition, used by consumers to track which r…
Kill switchA kill switch is a feature toggle whose purpose is to instantly disable a risky feature or integration in pro…
Kubeconfig contextA kubeconfig context is a named bundle of cluster, user credentials, and namespace that determines which Kube…
Kubernetes executorA Kubernetes executor runs each CI job as a pod in a cluster, using Kubernetes to schedule, isolate, and clea…
Kustomize overlayA Kustomize overlay is a set of patches layered onto a shared base of Kubernetes manifests to produce an envi…
Latency budget gateA latency budget gate fails a release when response times exceed an allowed budget, ensuring a new version do…
Latency budgetA latency budget is the maximum allowed time for an operation, divided among its stages so each component kno…
Launch templateA launch template is a versioned specification of how to start an instance, capturing the image, instance typ…
Leader election protocolA leader election protocol lets a group of replicas agree on a single active leader so that only one instance…
LeaseA lease is a time-bounded grant of a resource or role to one holder, which expires automatically unless renew…
License allowlistA license allowlist is a curated set of approved software licenses, letting a pipeline reject any dependency…
Lifetime (references)A lifetime is the span during which a reference is valid, used by the compiler to guarantee a reference never…
Lighthouse budgetA Lighthouse budget sets thresholds for performance metrics and resource sizes that a page must meet, failing…
Limit rangeA limit range sets default, minimum, and maximum resource values for pods and containers in a namespace, cons…
Linux capabilityA Linux capability is a fine-grained privilege carved out of the all-powerful root account, letting a process…
Linux namespaceA Linux namespace gives a group of processes their own isolated view of a system resource, such as process ID…
Liveness probeA liveness probe checks whether a running container is still healthy, restarting it automatically when the pr…
Load balancer IPA load balancer IP is the external address provisioned for a LoadBalancer service, the public entry point tha…
Load testA load test measures how a system behaves under expected and peak traffic, checking throughput, latency, and…
Loading skeletonA loading skeleton is a placeholder UI that mimics the shape of content while it loads, giving a sense of str…
Locked dependency treeA locked dependency tree is the full set of resolved dependency versions and hashes captured in a lockfile, s…
LockfileA lockfile records the exact resolved versions and hashes of every dependency, so installs are deterministic…
Log parserA log parser extracts structured fields from raw log lines, turning unstructured text into queryable key-valu…
Log shipperA log shipper is an agent that collects log lines from files or streams on a host and forwards them to a cent…
Machine userA machine user is a dedicated account created for automation rather than a person, so pipelines and bots act…
Managed runnerA managed runner is CI compute operated by a third party that handles provisioning, scaling, isolation, and m…
Mandatory file lockA mandatory file lock is enforced by the kernel, blocking conflicting reads or writes even from programs that…
Manual gateA manual gate is a deployment checkpoint that pauses the pipeline until a human explicitly approves it to con…
Masked variableA masked variable is a value the CI runner redacts from log output, replacing it with asterisks so secrets do…
Memory poolA memory pool preallocates a block of memory and hands out fixed-size chunks from it, making allocation and r…
Merge queueA merge queue serializes pull-request merges, testing each against the latest main, so the branch stays green…
Merge trainA merge train queues merge requests and tests each one against the combined result of those ahead of it, so t…
ExemplarAn exemplar is a sample trace ID attached to a metric data point, letting you jump from an aggregate metric s…
Module registryA module registry is a versioned catalog of reusable infrastructure-as-code modules that teams can publish, d…
MonadA monad is a type that wraps values and provides a way to chain operations that each return a wrapped value,…
Monorepo affected graphA monorepo affected graph is the set of projects impacted by a change, computed from the dependency graph so…
MonorepoA monorepo stores many projects or services in a single shared version-control repository rather than splitti…
Multi-project pipelineA multi-project pipeline is a setup where a pipeline in one project triggers and links to a pipeline in anoth…
Multi-stage buildA multi-stage build uses several stages in one Dockerfile to compile in a heavy stage but ship only the slim…
Multi-window alertA multi-window alert combines a fast short window and a slower long window so it fires quickly on severe issu…
Mutable tagA mutable tag is a container or artifact tag that can be reassigned to new content over time, such as latest,…
Mutating webhookA mutating webhook is a Kubernetes admission callback that can modify an incoming resource, such as injecting…
Mutation score thresholdA mutation score threshold is a minimum mutation testing score a build must meet, measuring not just coverage…
Named pipeA named pipe is a special file on disk that lets two unrelated processes communicate by one writing bytes int…
Natural keyA natural key is a primary key drawn from meaningful business data that is already unique, such as an email a…
Negative cacheA negative cache stores the fact that a lookup failed or a value is absent, so repeated misses can be answere…
Network policy ruleA network policy rule defines which pods may send or receive traffic in Kubernetes, enforcing segmentation at…
Nice valueA nice value is a priority hint that biases how much CPU time the scheduler gives a process; a higher nicenes…
Notification channelA notification channel is a configured delivery destination for alerts, such as email, chat, SMS, or a pager…
MirrorA mirror is a complete local copy of an upstream package registry or repository, kept in sync so builds can f…
Pact brokerA pact broker is a service that stores and shares contract test artifacts between consumers and providers, tr…
Page faultA page fault occurs when a program accesses a virtual page not currently in physical memory, prompting the ke…
Paging policyA paging policy sets the rules for when an alert actually pages a human versus being logged quietly, protecti…
Parent-child pipelineA parent-child pipeline is a structure where a parent pipeline triggers child pipelines within the same proje…
Partition keyA partition key is the value used to decide which partition a message or record goes to, controlling distribu…
Perceptual hashA perceptual hash is a fingerprint of an image that stays similar when the image is slightly altered, letting…
Performance budgetA performance budget is a set of limits on metrics like load time and asset size that a project commits to st…
Performance scoreA performance score is a composite number, often zero to one hundred, that a tool computes by weighting sever…
Persistent volume claimA persistent volume claim is a Kubernetes request for storage of a given size and access mode that binds a po…
Phantom readA phantom read happens when a transaction re-runs a range query and finds new rows that another committed tra…
Pinned digestA pinned digest references a dependency or image by its exact content hash instead of a tag, guaranteeing you…
Pipeline secret scopeA pipeline secret scope defines which jobs, stages, or environments may read a given secret, narrowing exposu…
Pipeline trigger tokenA pipeline trigger token is a secret credential that lets an external system start a pipeline through the CI…
Pixel diffA pixel diff counts or visualizes the individual pixels that differ between two images, often with a toleranc…
Pod disruption budgetA pod disruption budget limits how many pods of a workload can be voluntarily taken down at once, protecting…
Pod security standardA pod security standard is a predefined set of security restrictions, privileged, baseline, or restricted, th…
Poison messageA poison message is one a consumer repeatedly fails to process, causing it to be redelivered over and over an…
Policy as code gateA policy as code gate evaluates infrastructure plans or deployments against machine-readable rules and blocks…
Policy enforcement pointA policy enforcement point is the place in a pipeline where a policy decision is actually applied, allowing o…
PolyrepoA polyrepo splits a codebase across many separate repositories, typically one per service or library, each wi…
Post stepA post step is cleanup logic an action registers to run automatically at the end of a job, after the main ste…
Pre stepA pre step is setup logic an action registers to run before the job's main steps begin, used to prepare the e…
Pre-release versionA pre-release version is a semver identifier marking an unstable release, such as an alpha or beta, that ordi…
Prefetch hintA prefetch hint tells the browser to fetch a likely-needed resource at low priority during idle time, so it i…
Preload hintA preload hint tells the browser to fetch a resource the current page needs at high priority early, so a crit…
Prepared statementA prepared statement is a precompiled SQL template with placeholders for values, letting the database reuse t…
Preprocessor directiveA preprocessor directive is an instruction handled before compilation that includes files, defines macros, or…
Preview environmentA preview environment is an ephemeral deployment of a pull request, giving reviewers a live URL to test the c…
Problem matcherA problem matcher is a regex configuration that scans build log output and turns matching lines into structur…
Process groupA process group is a set of related processes that can be signaled together, used by shells to manage all the…
Product typeA product type groups several values together at once, like a struct or tuple, so a value carries all of its…
Progressive rollout percentageA progressive rollout percentage is the share of traffic or users sent to a new version at each stage, increa…
Progressive rolloutA progressive rollout releases a change to an increasing share of traffic or users in stages, monitoring heal…
Property-based testA property-based test checks that a property holds across many automatically generated inputs, rather than as…
Protected variableA protected variable is a CI variable exposed only to pipelines running on protected branches or tags, keepin…
Provenance attestation stepA provenance attestation step is a pipeline stage that records how an artifact was built and from what inputs…
Proxy cacheA proxy cache sits between your builds and an upstream registry, caching fetched dependencies locally so repe…
Pseudo terminalA pseudo terminal is a software pair that emulates a hardware terminal, letting programs that expect a termin…
Pull-through cacheA pull-through cache is a registry that fetches an image from upstream on the first request, stores it, and s…
PushgatewayA pushgateway is an intermediary that accepts pushed metrics from short-lived jobs and holds them so a pull-b…
QoS classA QoS class categorizes a pod as guaranteed, burstable, or best-effort based on its resource requests and lim…
Quarantine listA quarantine list is the set of known-flaky tests moved out of the blocking suite so they no longer fail buil…
Query handlerA query handler is the component that answers a read request by fetching and shaping data, without changing a…
Query planA query plan is the step-by-step strategy a database chooses to execute a SQL statement, including which inde…
Quorum readA quorum read queries enough replicas that their responses overlap with the replicas a write touched, ensurin…
Rate limit filterA rate limit filter is a proxy component that counts requests and rejects those exceeding a configured rate,…
Rate limitA rate limit caps how many requests a client may make in a time window, protecting a service from overload an…
Rate limiter strategyA rate limiter strategy is the algorithm that caps how many operations a client may perform in a window, such…
Rate limiting headerA rate limiting header is an HTTP response header that tells a client its remaining request quota and when th…
Read modelA read model is a data representation optimized for queries and display, often denormalized and kept separate…
Readiness probeA readiness probe checks whether a container is ready to accept traffic, removing it from the load balancer u…
Reconciliation loopA reconciliation loop is the continuous control process that observes actual state, compares it to desired st…
Recording ruleA recording rule precomputes a metrics query on a schedule and stores the result as a new series, so dashboar…
Redacted variableA redacted variable is a pipeline value marked sensitive so the CI system hides it in logs and UI, treating i…
Register machineA register machine is an execution model whose instructions read and write a set of named registers instead o…
Registry mirrorA registry mirror is a local copy of an upstream container registry that serves image pulls faster and reduce…
Regression testA regression test verifies that previously working functionality still works after a change, catching newly i…
Release candidateA release candidate is a pre-release build believed ready to ship, published for final testing before becomin…
Release markerA release marker is a recorded event noting that a particular version shipped at a particular time, serving a…
Relocation tableA relocation table lists the places in an object file whose addresses must be patched once the final load add…
Remote build executorA remote build executor is a worker that runs build actions on a separate machine, letting a build tool offlo…
Remote cache backendA remote cache backend is shared storage where build and test caches live so many machines and CI runs can re…
Remote cacheA remote cache stores build outputs in a shared, networked location so they can be reused across machines, CI…
Remote state backendA remote state backend stores infrastructure-as-code state in a shared, durable location so teams and CI runn…
Render-blocking resourceA render-blocking resource is an asset, typically synchronous CSS or script, the browser must process before…
ReplicaSetA ReplicaSet is a Kubernetes controller that maintains a specified number of identical pod replicas, recreati…
Repository secretA repository secret is a credential stored on a single repository and available to its workflows, keeping a p…
Reproducible buildA reproducible build produces bit-for-bit identical output every time from the same source, letting anyone in…
Reproducible toolchainA reproducible toolchain is a pinned, deterministic set of compilers and tools that produces byte-identical o…
Required reviewerA required reviewer is a person or team whose approval is mandatory before a pull request or deployment can p…
Reserved instance commitmentA reserved instance commitment trades a one or three year usage promise for a discounted hourly rate on cloud…
Resource attributeA resource attribute describes the entity producing telemetry, such as service name, version, or host, and is…
Resource group (GitLab)A resource group is a CI mechanism that forces jobs sharing a named group to run one at a time, serializing a…
Resource hintA resource hint is a browser directive such as preconnect, dns-prefetch, preload, or prefetch that helps the…
Resource quotaA resource quota caps the total compute, memory, and object counts a namespace may consume, preventing one te…
Retention policyA retention policy defines how long telemetry data is kept before deletion, balancing the value of historical…
Retry budget policyA retry budget policy caps the fraction of traffic that may be retries, preventing retry storms from overwhel…
Retry policy (mesh)A mesh retry policy automatically re-sends a failed request to a backend up to a set number of times under de…
Reusable workflowA reusable workflow is a complete workflow that other workflows can call with inputs, letting teams share CI…
Revalidation tagA revalidation tag is a label on cached data so that, after a mutation, an app can invalidate exactly the ent…
Review appA review app is a temporary, isolated deployment of a branch or merge request, spun up by CI so reviewers can…
Rollback budget policyA rollback budget policy defines the time and conditions under which a deployment must be reverted, ensuring…
Rollback budgetA rollback budget is the acceptable rate or count of rollbacks over a period, used as a signal of release qua…
RollforwardA rollforward fixes a broken release by deploying a new corrected version forward, rather than reverting to t…
Rollout health gateA rollout health gate pauses or halts a progressive deployment when live health signals breach thresholds, st…
Route handlerA route handler is server-side code mapped to a URL path that processes a request and returns a response, use…
Runbook stepA runbook step is a single, explicit instruction within a runbook that guides a responder through one action…
Runner concurrency limitA runner concurrency limit is the maximum number of jobs a runner or fleet may execute at once, capping paral…
Runner groupA runner group is a named collection of CI runners with shared access policies, used to control which reposit…
Runner labelA runner label is a tag attached to a CI runner that a job uses to target the right machine, such as its OS,…
Runner labels expressionA runner labels expression is the set of labels a job requests so the CI scheduler routes it to a runner that…
Runtime chunkA runtime chunk is a small bundle holding the loader and module bookkeeping a bundler injects, kept separate…
Saturation metricA saturation metric measures how full a system's most constrained resource is, warning when it nears the limi…
Savings planA savings plan is a cloud cost commitment to a fixed hourly spend over a term in exchange for discounted rate…
Schema registry checkA schema registry check validates a proposed data or message schema against a central registry in CI, rejecti…
Scoped deploy keyA scoped deploy key is a credential granting access to a single repository, often read-only, so a pipeline ge…
Scoped variableA scoped variable is a CI variable whose visibility is limited to a particular environment or condition, so i…
Scrape intervalA scrape interval is how often a metrics system pulls fresh values from a target, setting the time resolution…
Sealed secretA sealed secret is an encrypted secret safe to store in Git, which only an in-cluster controller can decrypt…
Seccomp filterA seccomp filter restricts which system calls a process may make, shrinking the kernel surface a sandboxed or…
Secret rotation policyA secret rotation policy defines how often credentials are replaced and how the change propagates, limiting h…
Security baselineA security baseline is the agreed minimum set of controls a build or environment must meet, used as the refer…
Self-hosted runnerA self-hosted runner is a CI worker you provision and operate yourself, rather than using the CI provider's h…
Semantic diffA semantic diff compares two versions by their meaning rather than raw text, treating reformatting or reorder…
Server actionA server action is a server-side function a client can invoke directly to mutate data, letting forms run back…
Server componentA server component renders only on the server, sending its result to the client without shipping its own Java…
Service account keyA service account key is a long-lived credential tied to a non-human service identity, used by automation to…
Service account tokenA service account token is a credential that lets a workload authenticate to the Kubernetes API as a non-huma…
Service graphA service graph is a map of services as nodes and their request dependencies as edges, derived from traces to…
SLIA service level indicator (SLI) is the actual measured value of a reliability metric, like the percentage of…
SLOA service level objective (SLO) is a target value for a reliability metric, such as 99.9% availability, that…
Service locatorA service locator is a registry that code asks for its dependencies at runtime, returning the implementation…
Service meshA service mesh is an infrastructure layer that manages service-to-service traffic, adding routing, security,…
Service worker cacheA service worker cache is a programmable store that a service worker uses to intercept requests and serve res…
Session leaderA session leader is the process that creates a session, grouping process groups together and typically owning…
Setup actionA setup action installs and configures a specific language or tool version on a runner, putting it on the pat…
Sharding keyA sharding key is the field used to decide which shard a record belongs to, determining how data and load are…
Shared objectA shared object is a library file loaded into memory at runtime and shared by multiple programs, rather than…
Shared workerA shared worker is a background thread that multiple browser tabs or windows from the same origin can connect…
Shell executorA shell executor runs CI job commands directly on the host machine's shell, with no container isolation, reus…
Short-lived tokenA short-lived token is an access token with a brief expiry, often minutes, that limits how long a stolen cred…
SidecarA sidecar is a helper container that runs alongside a main application container, adding capabilities like pr…
Signal handlerA signal handler is a function a program registers to run when it receives a particular signal, letting it re…
SLSA levelA SLSA level is a graded rung of the Supply-chain Levels for Software Artifacts framework, describing how str…
Smoke test gateA smoke test gate runs a small set of critical checks right after deployment and blocks promotion if any fail…
Smoke testA smoke test is a quick, shallow check that core functionality works at all, run early to catch obviously bro…
Snapshot diffA snapshot diff is the comparison between a freshly captured snapshot and a stored one, highlighting what cha…
Snapshot testA snapshot test records a serialized output on first run and fails later runs when the output changes, catchi…
Soak testA soak test runs a system under a sustained, realistic load for a long period to reveal problems that only em…
Socket read timeoutA socket read timeout is the maximum time a program waits for data on a socket before giving up, preventing a…
Supply chain attackA supply chain attack compromises software by tampering with a dependency, build system, or distribution chan…
Span attributeA span attribute is a key-value pair attached to one span in a trace, recording details about that operation…
Spot instance interruptionA spot instance interruption is the cloud provider reclaiming a discounted spot instance on short notice, req…
Spot instanceA spot instance is spare cloud capacity sold at a deep discount that the provider can reclaim with little not…
Squash mergeA squash merge combines all commits of a pull request into a single commit on the target branch, keeping main…
Squashed imageA squashed image is a container image whose build layers have been collapsed into one, hiding intermediate co…
Stack frameA stack frame is the block of stack memory for one function call, holding its arguments, local variables, and…
Stack machineA stack machine is a virtual machine whose instructions operate on an operand stack, pushing and popping valu…
StatefulSet replicaA StatefulSet replica is a pod managed with a stable ordinal identity and persistent storage, used for statef…
Static libraryA static library is an archive of object files whose needed code is copied directly into an executable at lin…
Statistical significance gateA statistical significance gate flags a canary difference as real only when it is unlikely to be random noise…
Status checkA status check is a pass/fail signal a pipeline reports back to a commit or pull request, often required befo…
Step outputA step output is a named value one workflow step exports so later steps or jobs can read it, passing data thr…
Step timeoutA step timeout is the maximum time an individual step may run before CI cancels just that step, isolating a h…
Subject claimA subject claim is the field in an identity token that names who or what the token represents, used by access…
Sum typeA sum type holds a value that is exactly one of several named alternatives, each potentially carrying differe…
Surrogate keyA surrogate key is an artificial identifier, such as an auto-incrementing number or UUID, used as a primary k…
Suspense boundaryA suspense boundary wraps part of a UI so that while its data or code is loading, a fallback is shown, lettin…
Symbolic link targetA symbolic link target is the path a symlink stores and points to; the link is a small file holding that path…
Symlink swap deployA symlink swap deploy releases a new version by repointing a current symlink to a fully prepared release dire…
Synthetic check gateA synthetic check gate runs scripted, simulated user transactions against a live deployment to verify behavio…
Synthetic transactionA synthetic transaction is a scripted, automated user journey run on a schedule against a service to verify t…
System loggerA system logger is the service that collects log messages from the kernel and programs and routes them to fil…
Systemd unitA systemd unit is a configuration file describing a resource systemd manages, such as a service, socket, moun…
Tail callA tail call is a function call that is the last action in a function, allowing the current stack frame to be…
Target groupA target group is a named set of backend endpoints that a load balancer routes traffic to and runs health che…
Target tripleA target triple is a string like x86_64-unknown-linux-gnu that identifies the architecture, vendor, OS, and A…
Task definition revisionA task definition revision is an immutable, numbered version of a container task spec, so each deploy creates…
Test doubleA test double is a stand-in for a real dependency in a test, such as a mock, stub, fake, or spy, used to isol…
Test factoryA test factory is a helper that builds valid test objects on demand with sensible defaults, letting tests ove…
Test impact graphA test impact graph maps which tests depend on which source files, so a change can run only the affected test…
Test retry budgetA test retry budget caps how many automatic retries a CI run may use to mask flaky failures, preventing retri…
ThunkA thunk is a deferred computation wrapped as a value, evaluated only when forced, often used to implement laz…
Tilde rangeA tilde range allows patch-level updates within a fixed minor version, accepting bug fixes while holding the…
Time series databaseA time series database is a store optimized for timestamped data points, using time-based partitioning and co…
Timeout policyA timeout policy sets the maximum time a proxy will wait for a backend response before giving up and returnin…
Token exchange flowA token exchange flow is trading one trusted token for another, letting a pipeline swap its identity token fo…
TokenizerA tokenizer is the part of a compiler or interpreter that splits raw source text into a stream of tokens such…
Tool cacheA tool cache is a directory of preinstalled language and tool versions on a runner that setup actions can use…
ToolchainA toolchain is the coordinated set of tools used to build software, such as the compiler, linker, and build s…
Tracing JITA tracing JIT records the actual sequence of operations executed on a hot path and compiles that linear trace…
Isolation levelAn isolation level sets how much one transaction can see of others in progress, trading consistency guarantee…
Transitive dependencyA transitive dependency is one you do not require directly but pull in indirectly because a dependency of you…
Transitive pinA transitive pin fixes the version of an indirect dependency, one pulled in by another package rather than de…
Translation unitA translation unit is the complete source seen by the compiler after preprocessing one source file, the unit…
Trust relationshipA trust relationship is the policy defining which external identities a role or resource will accept, control…
Ulimit hard limitA ulimit hard limit is the absolute ceiling for a resource that bounds the soft limit; only a privileged proc…
Ulimit soft limitA ulimit soft limit is the currently enforced ceiling on a process resource, such as open files, that a proce…
Umask valueA umask value is a per-process mask that clears permission bits from newly created files and directories, set…
Unit of workA unit of work tracks changes to objects during a business operation and commits them together as a single co…
Unix domain socketA Unix domain socket is an endpoint for fast communication between processes on the same machine, addressed b…
Validating webhookA validating webhook is a Kubernetes admission callback that accepts or rejects a resource without modifying…
Vault agent injectorA vault agent injector adds a sidecar to a pod that authenticates to Vault and writes fetched secrets into a…
Vendor chunkA vendor chunk is a separate bundle file that holds third-party library code, kept apart from application cod…
Version bump strategyA version bump strategy is the rule a project follows to decide whether a release increments the major, minor…
Version manifestA version manifest is a file recording the exact versions of components in a release, giving one authoritativ…
Version rangeA version range is a constraint that allows a set of acceptable dependency versions rather than a single exac…
Vertical pod autoscalerA vertical pod autoscaler is a Kubernetes component that recommends or sets CPU and memory requests for pods…
Virtual memory pageA virtual memory page is a fixed-size block of a process address space that the system maps to physical memor…
Virtual serviceA virtual service defines routing rules in a mesh, matching requests by attributes like path or header and di…
Visibility timeoutA visibility timeout is the period after a message is received during which it is hidden from other consumers…
Visual baselineA visual baseline is the stored reference screenshot that visual regression tests compare new renders against…
Visual diffA visual diff compares a rendered screenshot against a baseline image and flags pixel-level changes, catching…
Vulnerability allowlistA vulnerability allowlist records specific known findings that were reviewed and accepted, so a scanner can i…
Warm cacheA warm cache is already populated with frequently needed data, so most requests hit it and are served quickly…
Warm pool (cloud)A cloud warm pool is a set of pre-initialized instances kept stopped or paused so a scaling group can bring t…
Warm poolA warm pool is a set of pre-booted, idle machines kept ready so CI jobs can start immediately instead of wait…
Watchdog timerA watchdog timer counts down and triggers a recovery action, like a restart, unless a healthy process periodi…
Weak referenceA weak reference points to an object without keeping it alive, so the object can still be collected and the r…
Web workerA web worker runs JavaScript on a background thread separate from the main UI thread, communicating via messa…
Webhook receiverA webhook receiver is an HTTP endpoint that accepts alert or event payloads pushed by another system, letting…
WebhookA webhook is an HTTP callback that a system sends to a URL you specify when an event occurs, enabling event-d…
Wildcard certificateA wildcard certificate secures all direct subdomains of a domain with one certificate, such as covering any h…
Workflow commandA workflow command is a specially formatted log line a step prints to instruct the runner to set output, mask…
Workflow runA workflow run is a single execution of a CI workflow triggered by an event, containing all the jobs and step…
Workload identity poolA workload identity pool lets external workloads authenticate to a cloud using their own identity tokens, map…
Write modelA write model is the domain representation focused on enforcing business rules and consistency when state cha…
Write-back cacheA write-back cache acknowledges a write immediately and persists it to the backing store later, trading durab…
Zero-downtime deployA zero-downtime deploy releases a new version without any interruption to users, by overlapping old and new i…
Zero-downtime schema changeA zero-downtime schema change alters a live database without interrupting service, using non-blocking operati…
Accessibility testingAccessibility testing in CI runs automated checks against a web page to catch accessibility violations, like…
Action metadataAction metadata is the manifest file that declares an action's name, inputs, outputs, and how it runs, tellin…
DeduplicationAlert deduplication collapses repeated notifications for the same underlying issue into a single alert, so re…
Alert routingAlert routing maps each alert to the right destination based on its labels, deciding which team, channel, or…
AlertmanagerAlertmanager is a component that receives fired alerts and handles grouping, deduplication, silencing, and ro…
allow_failureallow_failure is a pipeline setting that lets a job fail without failing the overall pipeline, useful for non…
Accessibility auditAn accessibility audit checks a UI against standards like WCAG, flagging issues such as missing labels, low c…
ACME challengeAn ACME challenge is the proof step where a certificate authority verifies you control a domain before issuin…
Action cacheAn action cache stores files keyed by a string so later workflow runs can restore dependencies or build outpu…
Action input defaultAn action input default is the value an action uses for a declared input when the caller does not provide one…
Action outputAn action output is a named value an action exposes after it runs, which later steps can reference to pass da…
Admission control policyAn admission control policy validates or mutates resources as they are submitted to the cluster, enforcing ru…
Admission controllerAn admission controller intercepts requests to a cluster and validates or mutates them against policy before…
Admission webhookAn admission webhook is an HTTP callback the Kubernetes API server invokes to validate or mutate a resource b…
Advisory file lockAn advisory file lock coordinates access only among programs that choose to check for it; the kernel does not…
Aggregate rootAn aggregate root is the single entity through which all access to a cluster of related domain objects flows,…
SilenceA silence temporarily mutes alerts matching a set of labels for a fixed window, used during planned maintenan…
Alerting ruleAn alerting rule is a condition over metrics that, when it stays true for a set duration, fires an alert that…
ADT (algebraic data type)An algebraic data type composes types as combinations of fields and alternatives, modeling data as products a…
Anonymous pipeAn anonymous pipe is an unnamed in-memory channel that connects the output of one process to the input of ano…
ANSI escape codeAn ANSI escape code is a special character sequence in a text stream that a terminal interprets to set colors…
Anti-corruption layerAn anti-corruption layer translates between your domain model and an external or legacy system so foreign con…
Apdex scoreAn Apdex score condenses response-time data into a single number from 0 to 1 by classifying requests as satis…
Apdex thresholdAn Apdex threshold is the target response time that classifies a request as satisfying; it anchors the Apdex…
Approval workflowAn approval workflow requires a designated person to manually authorize a deployment or action before the pip…
Arena allocatorAn arena allocator carves allocations from one big region and frees them all at once when the arena is reset,…
Artifact promotion pipelineAn artifact promotion pipeline moves one immutable build through stages from test to production, promoting th…
Artifact repositoryAn artifact repository is a managed store for build outputs and dependencies, such as packages, libraries, an…
Artifact signing keyAn artifact signing key is the private key a pipeline uses to sign build outputs, so consumers can verify the…
Assume role chainAn assume role chain is a sequence where one role assumes another, then another, letting a pipeline hop acros…
Atomic deployAn atomic deploy switches traffic to a fully prepared new release in a single instant, so users never see a h…
AttestationAn attestation is a signed, machine-readable statement about a software artifact, such as how it was built, w…
Audience restrictionAn audience restriction checks that a token was issued for the intended recipient, so a token minted for one…
Authorization policyAn authorization policy defines which callers may access which services or paths in a mesh, allowing or denyi…
Auto scaling groupAn auto scaling group is a managed set of identical instances that automatically grows or shrinks to match de…
Automated rollback policyAn automated rollback policy defines the metrics and thresholds that automatically revert a deployment to the…
Automated rollback triggerAn automated rollback trigger is a rule that reverts a deployment automatically when monitored signals cross…
Autoscaling executorAn autoscaling executor is a runner configuration that provisions fresh compute on demand for each job and te…
Autoscaling policyAn autoscaling policy defines the rules and thresholds that decide when capacity is added or removed, includi…
Edge functionAn edge function is small code that runs on a CDN edge close to the user, customizing requests and responses…
Egress gatewayAn egress gateway is a dedicated exit point through which outbound traffic from a cluster or mesh is funneled…
Endpoint sliceAn endpoint slice is a chunked list of the network endpoints backing a service, scaling endpoint tracking bet…
Environment blockAn environment block is the set of name-value variables a process carries and passes to the children it launc…
Environment scopeAn environment scope binds a CI setting or variable to a specific environment, so it applies only to jobs dep…
Environment-scoped secretAn environment-scoped secret is a credential bound to one deployment environment, so a job can read it only w…
Ephemeral build credentialAn ephemeral build credential is a temporary secret issued only for a single build, expiring shortly after so…
Ephemeral environmentAn ephemeral environment is a short-lived, on-demand deployment spun up for a branch or pull request and torn…
Ephemeral previewAn ephemeral preview is a temporary, isolated deployment spun up per pull request so reviewers can exercise t…
Ephemeral runnerAn ephemeral runner is a CI worker that runs exactly one job on a fresh machine, then is destroyed, giving ev…
Error boundaryAn error boundary is a component that catches rendering errors in the subtree below it and shows a fallback U…
Error budgetAn error budget is the amount of unreliability a service is allowed within its SLO, used to balance shipping…
Error rate threshold gateAn error rate threshold gate blocks or rolls back a release when the share of failed requests rises above a s…
Error retry boundaryAn error retry boundary catches a failed UI region and offers a retry action, letting the user re-run the ope…
Escalation policyAn escalation policy defines who is paged for an alert and the order in which responsibility moves to backups…
Eviction thresholdAn eviction threshold is the resource level, such as remaining memory or disk, at which a node starts reclaim…
Exit status codeAn exit status code is the small integer a process returns when it finishes, where zero conventionally means…
Expand-contract migrationAn expand-contract migration changes a schema in backward-compatible steps, first adding new structures, then…
Exponential moving averageAn exponential moving average is a running average that weights recent values more than older ones, smoothing…
External secretAn external secret is a resource that syncs a value from an outside secret store into a cluster secret, keepi…
HTTP long pollAn HTTP long poll is a single held-open HTTP request that the server answers only when data arrives or a time…
IaC workspaceAn infrastructure-as-code workspace is a named, isolated instance of state that lets the same configuration m…
Idempotency tokenAn idempotency token is a unique key a client attaches to a request so a server can detect and ignore duplica…
Idempotent applyAn idempotent apply produces the same final state no matter how many times it runs, making no changes when re…
Identity provider configAn identity provider config registers a trusted token issuer with a system, telling it which issuer URL and s…
Image digestAn image digest is a cryptographic hash that uniquely and immutably identifies the exact contents of a contai…
Image layerAn image layer is one filesystem diff in a container image; layers stack to form the final filesystem and are…
Image manifest listAn image manifest list is a multi-architecture index that points at per-platform image manifests so one tag s…
Image pull secretAn image pull secret holds registry credentials a node uses to authenticate and download container images fro…
Immutable tagAn immutable tag is a container or artifact tag that can never be reassigned after it is first pushed, guaran…
Import mapAn import map is a browser feature that maps module specifiers to URLs, letting bare import names resolve wit…
in-toto attestationAn in-toto attestation is a standardized signed statement format that binds a subject artifact to a predicate…
Incremental buildAn incremental build recompiles only the parts of a project affected by a change, reusing prior outputs for e…
Ingress classAn ingress class names which ingress controller should handle a given ingress resource, letting multiple cont…
Inhibition ruleAn inhibition rule suppresses lower-priority alerts while a related higher-priority alert is firing, cutting…
Init containerAn init container runs to completion before the main application container starts, handling setup like migrat…
Init systemAn init system is the first process the kernel starts; it boots and supervises other services and adopts orph…
InodeAn inode is the on-disk record that stores a file metadata and the location of its data blocks, while the fil…
Inotify watchAn inotify watch is a Linux registration that notifies a program when a specific file or directory changes, p…
Instance refreshAn instance refresh is a controlled, rolling replacement of the instances in a scaling group so they pick up…
Instance variableAn instance variable is a CI variable defined at the whole platform instance level, available to every projec…
Instrumentation libraryAn instrumentation library is code that generates telemetry for a specific framework or client, emitting span…
Interruptible jobAn interruptible job is one the CI system may cancel automatically when a newer pipeline supersedes it, freei…
Iterator protocolAn iterator protocol is the standard interface a type implements to be traversed element by element, typicall…
N+1 queryAn N+1 query is a performance problem where fetching a list runs one query, then one extra query per row to l…
Object file (compiled)An object file holds machine code and data for one compiled translation unit, with unresolved references the…
OCI artifactAn OCI artifact is any content stored in an OCI registry using the image manifest format, letting registries…
ExporterAn exporter is the pipeline stage that sends processed telemetry out of a collector to a destination backend,…
ProcessorA processor is a pipeline stage that transforms telemetry inside a collector, doing work like batching, filte…
ReceiverA receiver is the pipeline stage that accepts incoming telemetry into a collector, supporting protocols by wh…
Organization secretAn organization secret is a credential defined once at the org level and shared across many repositories, avo…
Origin serverAn origin server is the authoritative source of content that a CDN pulls from and caches, handling requests t…
Orphan processAn orphan process is one whose parent has exited; it keeps running and is adopted by the init system, which b…
Overlay filesystemAn overlay filesystem stacks a writable layer on top of read-only layers, presenting a merged view while keep…
SBOMA software bill of materials (SBOM) is a complete inventory of the components and dependencies that make up a…
SBOM attachmentAn SBOM attachment is a software bill of materials bound to a release artifact, listing its components so con…
SLI measurementAn SLI measurement is the actual observed value of a service-level indicator, such as the measured success ra…
SLO targetAn SLO target is the specific reliability goal a service commits to, such as a percentage of successful reque…
SSH executorAn SSH executor runs CI job commands on a remote machine by connecting over SSH, using that host's environmen…
Uptime SLAAn uptime SLA is a contractual commitment to a minimum availability percentage over a period, often with cred…
Anti-affinityAnti-affinity tells the scheduler to keep matching pods apart, for example spreading replicas onto different…
Anti-entropyAnti-entropy is a background process that periodically compares replicas and repairs differences, ensuring di…
Artifact retentionArtifact retention is the policy controlling how long CI build outputs, logs, and test results are stored bef…
At-least-once deliveryAt-least-once delivery guarantees a message is delivered at least one time, accepting possible duplicates in…
At-most-once deliveryAt-most-once delivery sends each message zero or one time, avoiding duplicates but accepting that a message m…
Attestation verificationAttestation verification is the step where a consumer checks a signed attestation against policy before trust…
Audit log retentionAudit log retention is the policy defining how long records of who did what in a system are kept, so evidence…
Auto-instrumentationAuto-instrumentation adds telemetry to an application automatically at startup or load time, capturing traces…
Automated canary judgmentAutomated canary judgment is software that decides whether a canary release is healthy by comparing its metri…
axe-coreaxe-core is an open-source accessibility testing engine that scans rendered HTML for WCAG violations and is e…
Backpressure controlBackpressure control is a mechanism that signals a fast producer to slow down when a downstream consumer cann…
BaggageBaggage is key-value context that travels with a request alongside trace identifiers, letting downstream serv…
Bake timeBake time is a deliberate waiting period after a deploy, during which a release is monitored before traffic i…
Bisecting a failureBisecting a failure is a binary search over commits to find the exact change that introduced a regression by…
Black-box monitoringBlack-box monitoring tests a system from the outside as a user would, checking observable behavior like respo…
Blast radiusBlast radius is the scope of damage a single failure, change, or compromise can cause across systems, users,…
Blocking IOBlocking IO pauses the calling thread until an input or output operation finishes, so the thread cannot do ot…
Bounded quantificationBounded quantification constrains a generic type parameter to be a subtype of some bound, so code can rely on…
BoxingBoxing wraps a value type in a heap-allocated object so it can be used where a reference or common interface…
Branch protectionBranch protection enforces rules on important branches, like required reviews and status checks, before chang…
Break-glass accessBreak-glass access is an emergency path to elevated privileges for urgent incidents, deliberately high-fricti…
Breaking change detectionBreaking change detection is automated analysis that compares a change against a prior version to flag modifi…
Brotli compressionBrotli is a compression algorithm widely used for HTTP responses that typically achieves smaller text payload…
Browser performance testingBrowser performance testing measures front-end performance metrics for a page in CI, so a change's impact on…
Buffered outputBuffered output collects written data in memory and flushes it in larger chunks, improving efficiency but del…
Build avoidanceBuild avoidance is the practice of skipping work whose inputs are unchanged, reusing cached outputs instead o…
Build matrix explosionBuild matrix explosion is the rapid growth in job count when a CI matrix multiplies across many variables, pr…
Build metadata (semver)Build metadata is the semver suffix after a plus sign that annotates a version with build info but is ignored…
Build promotionBuild promotion is moving one already-built artifact through environments unchanged, so the exact binary test…
Build provenanceBuild provenance is signed metadata describing how an artifact was built, including its source, inputs, and b…
Build reproducibilityBuild reproducibility is the property that building the same source in the same environment yields a bit-for-…
Build shardingBuild sharding splits a build or test suite into independent slices that run on separate machines in parallel…
Bulkhead isolationBulkhead isolation partitions resources so a failure or overload in one part of a system cannot exhaust share…
Burn rateBurn rate is how fast an error budget is being consumed relative to its allowance, used to decide how urgentl…
BytecodeBytecode is a compact, platform-independent instruction set produced by a compiler and executed by a virtual…
Cache evictionCache eviction is the removal of entries from a cache to make room or enforce limits, using policies like lea…
Cache hit ratioCache hit ratio is the fraction of cache lookups served from the cache rather than recomputed or refetched, a…
Cache invalidationCache invalidation is the act of removing or marking cached entries as stale when the underlying data changes…
Cache scopeCache scope defines the boundary within which a cache entry is shared and reusable, such as per branch, per r…
Cache stampede protectionCache stampede protection prevents many clients from all recomputing the same missing entry at once when a ho…
Cache warmingCache warming pre-populates a cache before it is needed so the first real requests hit a ready cache instead…
Cache warmingCache warming is the deliberate preloading of a cache with likely-needed data before traffic arrives, so earl…
Canary analysisCanary analysis compares a new release serving a small slice of traffic against the stable version to decide…
Canary bake timeCanary bake time is how long a canary release runs under real traffic before being judged, ensuring enough da…
Canary ingress routingCanary ingress routing sends a small, controlled share of inbound traffic to a new release at the ingress lay…
ccacheccache is a compiler cache for C and C++ that speeds rebuilds by reusing the output of earlier compilations o…
Certificate pinningCertificate pinning hard-codes which certificate or public key a client accepts for a host, blocking connecti…
Certificate renewalCertificate renewal is replacing a TLS certificate before it expires, ideally automatically, so services keep…
Cgroup resource controlCgroup resource control uses Linux control groups to limit and account for the CPU, memory, and IO that a gro…
Change failure rateChange failure rate is the share of deployments that cause a failure requiring remediation, one of the four D…
Chaos engineeringChaos engineering deliberately injects failures into a system to test its resilience and find weaknesses befo…
Debug logging (ACTIONS_STEP_DEBUG)CI debug logging is a verbose mode, toggled by a setting, that makes the runner and actions emit extra diagno…
Circuit breaking (mesh)Mesh circuit breaking caps concurrent connections and pending requests to a service so an overloaded backend…
Claim mappingClaim mapping is the rule set translating fields inside an identity token into attributes a system uses for a…
Clean architectureClean architecture organizes code into concentric layers where dependencies point inward, keeping business ru…
Closure conversionClosure conversion is a compiler transformation that turns nested functions capturing variables into plain fu…
Cluster federationCluster federation coordinates multiple clusters as one logical system, syncing resources and policy so workl…
Code coverageCode coverage measures the percentage of source code executed by a test suite, indicating which parts are exe…
commitlintcommitlint is a tool that checks commit messages against a configured convention, rejecting commits that do n…
CSE (common subexpression elimination)Common subexpression elimination removes redundant computations by reusing a previously computed result inste…
Conditional accessConditional access grants permissions only when defined conditions hold, such as a specific branch, environme…
Connection pool exhaustionConnection pool exhaustion happens when all reusable connections in a pool are in use, so new requests must w…
Consistent hashingConsistent hashing maps keys and nodes onto a ring so that adding or removing a node remaps only a small frac…
Container scanning (GitLab)Container scanning inspects a built container image for known vulnerabilities in its operating system package…
ContravarianceContravariance reverses subtyping direction, so a consumer of a supertype can stand in where a consumer of a…
cosign verifycosign verify is the Sigstore command that checks an artifact's signature and attestations against an expecte…
CovarianceCovariance preserves subtyping direction, so a generic over a subtype is a subtype of the same generic over a…
CQRSCQRS separates the model used to change data from the model used to read it, letting writes and reads be desi…
Cross-compilationCross-compilation builds executables for a different platform than the one doing the build, such as compiling…
Cumulative layout shiftCumulative layout shift measures how much visible content unexpectedly moves during load, scoring visual stab…
CurryingCurrying transforms a function of several arguments into a chain of functions each taking one argument and re…
Data transfer costData transfer cost is the cumulative charge for moving data between cloud zones, regions, and services, separ…
Dead code eliminationDead code elimination is a compiler or bundler optimization that removes code which can never affect the prog…
Dead letter routingDead letter routing moves messages that repeatedly fail processing to a separate queue so they can be inspect…
DefunctionalizationDefunctionalization replaces first-class functions with data tags dispatched by a single apply function, remo…
Dependency confusionDependency confusion is a supply-chain attack where a malicious public package with a private package's name…
Dependency inversionDependency inversion is the principle that high-level modules and low-level details should both depend on abs…
Dependency lockfile driftDependency lockfile drift is when the committed lockfile no longer matches the manifest or installed packages…
Dependency pinningDependency pinning fixes dependencies to exact versions (or hashes) instead of ranges, so builds are predicta…
Deploy token scopeDeploy token scope is the set of permissions and resources a deploy token may act on, defining exactly which…
Deployment frequencyDeployment frequency is how often an organization successfully releases to production, a core DORA measure of…
Deregistration delayDeregistration delay is the time a load balancer keeps serving in-flight requests while draining a target bei…
Desired stateDesired state is the declared target configuration of a system that automation continuously works to make the…
Layer cachingLayer caching reuses unchanged container image layers across builds, so only the layers affected by a change…
DownsamplingDownsampling reduces the resolution of older time series by aggregating many fine-grained points into fewer s…
Draft modeDraft mode is a per-session toggle that bypasses static caching so editors can preview unpublished content li…
Drift detectionDrift detection finds differences between the desired state declared in code and the actual live state of inf…
Drift remediationDrift remediation is the act of correcting differences between a system's actual state and its declared desir…
Dynamic linkingDynamic linking resolves a program's library dependencies at load time from shared libraries on the system, r…
Eager loadingEager loading fetches related data upfront in a single combined query, so associations are already available…
Edge renderingEdge rendering runs page rendering on servers in a global network near the user, cutting round-trip latency v…
Egress transfer costEgress transfer cost is the charge a cloud provider applies to data leaving its network, such as traffic to t…
Environment promotionEnvironment promotion advances a release from one environment to the next, such as staging to production, aft…
Error budget burnError budget burn is the rate at which failures consume the allowed unreliability under an SLO, showing how q…
Replay (events)Event replay reprocesses a stored stream of past events to rebuild state, populate a new read model, or recov…
Event sourcingEvent sourcing stores state as an append-only log of events rather than current values, rebuilding state by r…
Exactly-once deliveryExactly-once delivery is the guarantee that a message is processed one and only one time, with neither loss n…
Exhaustiveness checkingExhaustiveness checking is a compile-time analysis that verifies a pattern match handles every possible case,…
External traffic policyExternal traffic policy controls whether inbound external traffic to a service is routed to pods on any node…
Fan-out/fan-inFan-out splits work into many parallel jobs; fan-in gathers their results into a single downstream step, a co…
Feature branch testingFeature branch testing runs the full test suite against a branch before it merges, catching regressions in is…
First contentful paintFirst contentful paint measures the time from navigation until the browser renders the first content, such as…
Flaky quarantineFlaky quarantine isolates known-flaky tests so they no longer block the pipeline, while still running them an…
FulcioFulcio is Sigstore's certificate authority that issues short-lived signing certificates bound to an OIDC iden…
FuzzingFuzzing feeds a program large volumes of random or malformed input to uncover crashes, hangs, and security vu…
Generational garbage collectionGenerational garbage collection groups objects by age and collects short-lived young objects more often than…
Geo routingGeo routing sends each request to a backend chosen by the geographic location of the client, such as serving…
GitOpsGitOps uses a git repository as the single source of truth for infrastructure and deployments, with automatio…
Graceful shutdownGraceful shutdown lets a process finish in-flight work and release resources cleanly before exiting, instead…
Head-based samplingHead-based sampling decides whether to record a trace at its start, before the outcome is known, applying a f…
Hexagonal architectureHexagonal architecture isolates core application logic from external concerns through ports, with adapters co…
HTTP/2HTTP/2 is a major revision of the HTTP protocol that multiplexes many requests over one connection and compre…
HTTP/3HTTP/3 is the version of HTTP that runs over QUIC instead of TCP, avoiding head-of-line blocking and speeding…
Idempotency key handlingIdempotency key handling uses a client-supplied unique token to ensure a retried request is processed at most…
IdempotencyAn idempotent operation produces the same result whether it runs once or many times, making retries and re-ru…
Image promotionImage promotion moves the exact same tested container image through environments like staging to production,…
Incident severityIncident severity is a graded label classifying how serious an incident is, driving the urgency, escalation,…
Incremental linkingIncremental linking updates only the changed parts of an existing executable instead of relinking the whole b…
Infrastructure driftInfrastructure drift is divergence between the real state of cloud resources and the state declared in infras…
Init container orderingInit container ordering is the rule that init containers in a pod run one at a time in sequence, each finishi…
Instruction schedulingInstruction scheduling reorders machine instructions to keep the CPU pipeline busy and hide latencies, withou…
Inversion of controlInversion of control is a design style where a framework or container, rather than your own code, decides whe…
Island architectureIsland architecture renders a page as mostly static HTML with small interactive regions, or islands, that hyd…
ISR revalidationISR revalidation regenerates a static page in the background after a set interval, serving the cached version…
Job controlJob control is the shell feature that lets you start, suspend, resume, and move commands between the foregrou…
Just-in-time accessJust-in-time access grants a permission only at the moment it is needed and revokes it shortly after, so no s…
JIT (just-in-time compilation)Just-in-time compilation translates code to native machine instructions at runtime, often focusing effort on…
Keyless signingKeyless signing signs artifacts using short-lived certificates tied to a workload identity, so there are no l…
kube-proxy modekube-proxy mode is the mechanism kube-proxy uses to implement service routing on a node, such as iptables or…
Largest contentful paintLargest contentful paint measures when the largest visible element, such as a hero image or heading block, fi…
Latency-based routingLatency-based routing directs each client to the backend region that gives it the lowest measured network lat…
Lazy bindingLazy binding defers resolving the address of an external function until the first time it is actually called,…
Lazy evaluationLazy evaluation delays computing an expression until its value is actually needed, and may skip it entirely i…
Lazy loading (data)Lazy loading defers fetching related data until it is actually accessed, avoiding upfront queries for associa…
Lead time for changesLead time for changes is the time from a commit being made to that commit running in production, a core DORA…
License complianceLicense compliance scanning detects the open-source licenses of a project's dependencies and flags any that v…
Line bufferingLine buffering flushes output each time a newline is written, so complete lines appear promptly while still b…
Link-time optimizationLink-time optimization defers parts of compiler optimization until link time, letting the toolchain optimize…
lint-stagedlint-staged runs linters and formatters only on the files staged for commit, making pre-commit checks fast by…
Log groupingLog grouping collapses a block of build output into a named, expandable section in the CI log so long runs st…
Log rotationLog rotation periodically archives and replaces active log files so they do not grow without bound, keeping a…
Long pollingLong polling holds a client request open until the server has data or a timeout passes, reducing empty respon…
Loop unrollingLoop unrolling replicates a loop body multiple times per iteration to cut loop overhead and expose more instr…
Loop-invariant code motionLoop-invariant code motion hoists computations whose result does not change across iterations out of a loop s…
Mark and sweepMark and sweep is a garbage collection algorithm that marks all reachable objects, then sweeps away the unmar…
Masked log outputMasked log output is when a CI system replaces known secret values in build logs with placeholders, keeping c…
Mean time between failuresMean time between failures is the average operational time between consecutive failures of a system, a measur…
Mean time to acknowledgeMean time to acknowledge is the average time between an alert firing and a responder accepting it, measuring…
Mean time to detectMean time to detect is the average delay between when an incident begins and when monitoring or a human first…
MTTRMean time to recovery (MTTR) is the average time it takes to restore service after a failure, a key DORA reli…
MemoizationMemoization caches the result of a function for a given set of inputs so repeated calls with the same argumen…
Message acknowledgmentMessage acknowledgment is the signal a consumer sends to confirm it has processed a message, telling the brok…
Message orderingMessage ordering is the guarantee about the sequence in which a messaging system delivers messages, often pre…
Metric cardinalityMetric cardinality is the number of distinct time series a metric produces, driven by the unique combinations…
Module federationModule federation lets separately built and deployed JavaScript applications share code at runtime, loading e…
Monomorphization (generics)Monomorphization compiles generic code into a separate specialized copy for each concrete type it is used wit…
Multi-clusterMulti-cluster is an architecture that runs workloads across several separate clusters for scale, isolation, r…
Multi-window multi-burnMulti-window multi-burn alerting combines fast and slow burn-rate checks over different time windows to catch…
Mutation testingMutation testing measures test-suite quality by deliberately introducing bugs and checking whether the tests…
needs:artifactsneeds:artifacts is a pipeline setting that controls whether a dependent job downloads the artifacts produced…
Network segmentationNetwork segmentation divides a network into isolated zones with controlled traffic between them, limiting how…
Node affinityNode affinity is a Kubernetes scheduling rule that attracts or restricts pods to nodes matching specified lab…
Node pressureNode pressure is a condition signaling that a node is low on a resource such as memory, disk, or process IDs,…
Non-blocking IONon-blocking IO returns immediately when an operation cannot complete yet, letting a single thread interleave…
NotarizationNotarization is submitting signed software to a platform vendor for an automated security scan, after which i…
OIDC federationOIDC federation lets a CI job exchange a short-lived identity token for cloud credentials, removing the need…
On-demand revalidationOn-demand revalidation invalidates and rebuilds cached pages or data in response to an explicit event, like a…
Onion architectureOnion architecture layers an application around a central domain model, with each outer ring depending only o…
OPA GatekeeperOPA Gatekeeper is a Kubernetes admission controller that enforces Open Policy Agent rules, rejecting resource…
Operator reconciliationOperator reconciliation is the loop in which a Kubernetes operator compares the desired state of a custom res…
Optimistic lockingOptimistic locking detects conflicting updates at commit time by checking a version field, rather than holdin…
Optimistic UIOptimistic UI updates the interface at once as if an action succeeded, before the server confirms, then recon…
Outlier detectionOutlier detection automatically ejects a backend instance from the load-balancing pool when it returns too ma…
Ownership (memory)Ownership is a model where each resource has a single owning variable responsible for freeing it, making clea…
p95 latencyp95 latency is the value below which 95 percent of requests complete, a percentile metric that captures the s…
Partial applicationPartial application fixes some of a function arguments in advance to produce a new, more specialized function…
Partial hydrationPartial hydration attaches client behavior to only the interactive parts of a server-rendered page, leaving s…
Partition tolerancePartition tolerance is a distributed system's ability to keep operating when network failures split nodes int…
Pattern matchingPattern matching inspects a value against a set of shapes, selecting a branch and binding parts of the value…
Peephole optimizationPeephole optimization improves code by examining a small sliding window of instructions and replacing ineffic…
Peer authenticationPeer authentication configures whether workloads must use mutual TLS for inbound traffic, setting the identit…
Percentile latencyPercentile latency reports the response time below which a given share of requests fall, such as p50 or p99,…
Pessimistic lockingPessimistic locking takes a lock on data as soon as it is read, blocking other transactions from changing it…
Pipeline as codePipeline as code defines CI/CD pipelines in version-controlled files alongside the application, rather than i…
Pod affinityPod affinity and anti-affinity are Kubernetes rules that schedule pods near or away from other pods based on…
Pod priorityPod priority is a numeric value attached to a pod that tells the scheduler how important it is, influencing s…
Pod topology spreadPod topology spread constraints tell the scheduler to distribute matching pods evenly across domains like zon…
Port forwardingPort forwarding redirects network traffic arriving on one host and port to a different host or port, exposing…
PIC (position-independent code)Position-independent code runs correctly regardless of the address it is loaded at, by addressing data and ca…
Post-deploy verificationPost-deploy verification is the automated checks run right after a release to confirm the new version is heal…
Predictive test selectionPredictive test selection uses a model of past results to run only the tests most likely affected by a change…
PreemptionPreemption is when a scheduler evicts lower-priority pods to free resources so a pending higher-priority pod…
Privileged action approvalPrivileged action approval requires a second authorized person to sign off before a high-impact operation run…
PGO (profile-guided optimization)Profile-guided optimization feeds runtime profiling data back into the compiler so it can optimize based on h…
Progressive deliveryProgressive delivery rolls out a change gradually to expanding audiences with automated checks, so issues sur…
Pull mirroringPull mirroring keeps a repository in sync by periodically fetching changes from an upstream remote, making th…
Pull-based deploymentIn pull-based deployment, an agent inside the target environment fetches and applies the desired state, rathe…
Push mirroringPush mirroring automatically pushes changes from a source repository to an external remote, keeping a downstr…
Push-based deploymentIn push-based deployment, the CI/CD pipeline actively connects to the target environment and applies the new…
Queue depthQueue depth is the number of jobs waiting for an available runner, a key signal of whether CI capacity is kee…
RAII (resource acquisition is initialization)RAII ties a resource lifetime to an object lifetime, acquiring it on construction and releasing it automatica…
Read replica routingRead replica routing directs read queries to replica databases while writes go to the primary, scaling read t…
Real user monitoringReal user monitoring captures performance and errors from actual user sessions, showing how the service truly…
Reaping a child processReaping is when a parent calls a wait operation to read a finished child exit status, freeing the kernel slot…
Reference countingReference counting tracks how many references point to an object and frees it automatically when that count d…
Referential integrityReferential integrity is the guarantee that every foreign key value refers to an existing row, so relationshi…
Register allocationRegister allocation is the compiler step that decides which program values are kept in fast CPU registers and…
Registry garbage collectionRegistry garbage collection reclaims storage by deleting image blobs and manifests no longer referenced by an…
Release candidate promotionRelease candidate promotion is advancing a tested build through stages like staging to production, reusing th…
Release notes generationRelease notes generation automatically assembles a summary of what changed in a release from commit messages,…
release-pleaserelease-please automates releases by opening and maintaining a release pull request that accumulates version…
Remote writeRemote write is a mechanism where a metrics agent streams samples to a remote storage backend in near real ti…
Request memoizationRequest memoization deduplicates identical data fetches within one render pass, so several components asking…
Retry with backoffRetry with backoff re-attempts a failed operation after progressively longer waits, often with jitter, to han…
Runbook automationRunbook automation turns documented operational procedures into executable scripts or workflows so responses…
Runner autoscalingRunner autoscaling automatically adds or removes CI workers based on job demand, so capacity tracks the queue…
Saga orchestrationSaga orchestration coordinates a long-running, multi-service transaction as a sequence of local steps with co…
Scatter-gatherScatter-gather distributes a task across many workers in parallel (scatter) and then collects and merges thei…
sccachesccache is a compiler cache that stores compilation outputs, including in shared cloud storage, so repeated c…
Scope hoistingScope hoisting is a bundler optimization that concatenates modules into a single scope instead of wrapping ea…
Secret inheritanceSecret inheritance is how a called workflow receives secrets from its caller, controlling whether downstream…
Secret scanningSecret scanning automatically searches code, history, and CI logs for exposed credentials like API keys, toke…
Seed dataSeed data is a predefined set of records loaded into a database before tests or a new environment runs, givin…
Segregation of dutiesSegregation of duties splits a sensitive process across roles so no single person controls every step, reduci…
Self-service deploymentSelf-service deployment lets developers ship their own changes through guardrailed automation, without filing…
Semantic releaseSemantic release automates versioning and publishing by deriving the next version number and changelog from c…
Semantic versioningSemantic versioning encodes compatibility in a MAJOR.MINOR.PATCH version number so consumers know the impact…
Service mesh mTLSService mesh mTLS is automatic mutual TLS between workloads, where the mesh sidecars encrypt and authenticate…
Service mesh sidecar injectionService mesh sidecar injection automatically adds a proxy container to each pod so the mesh can manage traffi…
Service topologyService topology is routing that prefers backends close to the client, such as on the same node or zone, to c…
Shadow trafficShadow traffic mirrors real production requests to a new version in parallel, without using its responses, to…
Short pollingShort polling repeatedly sends quick requests at a fixed interval, returning immediately whether or not new d…
Sidecar proxy injectionSidecar proxy injection automatically adds a proxy container alongside each app container so a service mesh c…
SIGCHLDSIGCHLD is the signal the kernel sends a parent process when one of its child processes stops or terminates,…
Signal dispositionSignal disposition is how a process is set to respond to a given signal: run a handler, ignore it, or take th…
Signed provenanceSigned provenance is a cryptographically signed record of how an artifact was built, so consumers can verify…
SIGPIPESIGPIPE is the signal sent to a process that writes to a pipe or socket whose reading end has already been cl…
SigstoreSigstore is an open-source project for signing software artifacts using short-lived keys and identity, with a…
SLSA level 3SLSA level 3 is a supply-chain assurance tier requiring builds to run on a hardened platform that produces si…
SLSASLSA is a security framework that defines graduated levels of build-integrity assurance to harden software su…
Snapshot approvalSnapshot approval is reviewing and accepting a changed test snapshot, confirming the new output is intended b…
Source map uploadSource map upload is the CI step that sends build source maps to an error-tracking service so minified produc…
SOURCE_DATE_EPOCHSOURCE_DATE_EPOCH is a standard environment variable that tells build tools which fixed timestamp to embed, e…
Speed indexSpeed index measures how quickly the visible parts of a page paint during load, giving a score that rewards s…
Stale-while-revalidate cachingStale-while-revalidate caching serves a cached response at once even if expired, then refreshes the entry in…
Stale-while-revalidateStale-while-revalidate is a caching strategy that serves a cached response immediately while fetching a fresh…
State file lockingState file locking prevents two infrastructure-as-code runs from modifying the same state at once, avoiding c…
Static linkingStatic linking bundles a program's library dependencies directly into the executable at build time, producing…
SSA (static single assignment)Static single assignment is an intermediate form where each variable is assigned exactly once, simplifying ma…
Step debugStep debug logging is the per-step verbose mode that prints extra diagnostic detail about how an individual s…
Storage class bindingStorage class binding is how Kubernetes maps a persistent volume claim to a storage class that dynamically pr…
Streaming SSRStreaming server-side rendering sends HTML to the browser in chunks as it is produced, so users see early con…
Strength reductionStrength reduction replaces expensive operations with cheaper equivalent ones, such as turning a multiplicati…
Strong consistencyStrong consistency guarantees that every read returns the most recent committed write, so all clients see the…
Swap spaceSwap space is disk storage the kernel uses to hold memory pages evicted from physical RAM, letting a system r…
Symbol resolutionSymbol resolution is the linker step that matches each reference to a name, such as a function or variable, w…
Synthetic dataSynthetic data is artificially generated data that mimics the structure and statistical properties of real da…
Synthetic monitoringSynthetic monitoring runs scripted probes against a service on a schedule to detect outages and regressions b…
Tail call optimizationTail call optimization reuses the current stack frame for a call in tail position, so deeply recursive tail c…
Tail latencyTail latency is the response time of the slowest requests, the high end of the distribution, which often domi…
Tail-based samplingTail-based sampling decides whether to keep a trace after it completes, so slow or failed traces can be retai…
Task graph cachingTask graph caching stores the output of each task keyed by its inputs so a build tool can replay results for…
TCP keep-aliveTCP keep-alive periodically probes an idle connection to confirm the other side is still reachable, so dead c…
Template instantiationTemplate instantiation is the compiler generating concrete code from a generic template for each specific set…
Test data managementTest data management is the practice of provisioning, refreshing, masking, and tearing down the data that aut…
Test parallelismTest parallelism runs multiple tests at the same time, within a process or across machines, to reduce total t…
Test shardingTest sharding splits a test suite into independent subsets that run on separate machines in parallel, cutting…
Action runs.usingThe runs.using field in an action manifest declares the action's execution model, such as a JavaScript runtim…
Active recordThe active record pattern gives each object both its data and the methods to load, save, and delete itself, c…
Retry keywordThe retry keyword is a pipeline setting that tells CI to automatically rerun a failed job a set number of tim…
Circuit breaker patternThe circuit breaker pattern stops calls to a failing dependency after errors cross a threshold, giving it tim…
Critical pathThe critical path is the longest dependent chain of jobs through a pipeline, which sets the minimum possible…
Zombie vs orphanA zombie has finished but its exit status is uncollected, while an orphan is still running but has lost its p…
Ephemeral port rangeThe ephemeral port range is the band of port numbers the system temporarily assigns to the local side of outg…
Epoll interfaceEpoll is a Linux mechanism for efficiently watching many file descriptors at once and being told which are re…
Error rate signalThe error rate golden signal tracks the fraction of requests that fail, covering explicit errors and response…
etcd storeetcd is a distributed, strongly consistent key-value store that holds the authoritative cluster state for sys…
Eventual consistency modelThe eventual consistency model guarantees that replicas converge to the same value over time once writes stop…
Exec system callThe exec system call replaces the program running in the current process with a new one, keeping the same pro…
Fork system callThe fork system call creates a new process by duplicating the calling one, producing a child that is a near-i…
Four-eyes principleThe four-eyes principle requires at least two people to review or approve a sensitive action, so no single in…
GOT (global offset table)The global offset table is a per-module table of addresses that position-independent code reads to reach glob…
Hosted tool cacheThe hosted tool cache is the preinstalled set of tool versions baked into a hosted runner image, exposed thro…
Kernel ring bufferThe kernel ring buffer is an in-memory log of recent kernel messages, viewed with dmesg, that records events…
Latency signalThe latency golden signal measures how long requests take to serve, tracked separately for successful and fai…
Loopback interfaceThe loopback interface is a virtual network device a host uses to talk to itself, routing traffic to the loca…
MTU (maximum transmission unit)The maximum transmission unit is the largest packet size a network link will carry in one piece; larger paylo…
Node port rangeThe node port range is the band of high-numbered ports a cluster can allocate for NodePort services, exposing…
OOM killerThe OOM killer is the Linux mechanism that terminates a process to reclaim memory when the system runs critic…
Outbox patternThe outbox pattern writes events to a database table in the same transaction as the data change, then publish…
Plan and apply cycleThe plan and apply cycle is the infrastructure-as-code workflow of computing a proposed change set, reviewing…
Least privilegeLeast privilege means granting every user, job, or token only the minimum permissions needed to do its task a…
PLT (procedure linkage table)The procedure linkage table is a stub table that routes calls to external functions, enabling their addresses…
RED methodThe RED method monitors request-driven services using three metrics: rate, errors, and duration, giving a req…
Rekor transparency logRekor is Sigstore's append-only transparency log that records signing events so signatures can be publicly ve…
Repository patternThe repository pattern provides a collection-like interface for accessing domain objects, hiding the details…
Saga patternThe saga pattern manages a long-running business process across services as a sequence of local transactions,…
Saturation signalThe saturation golden signal measures how full a constrained resource is, such as CPU, memory, or a queue, in…
Select system callThe select system call lets a program wait until any of a set of file descriptors becomes ready for IO, or un…
Setgid bitThe setgid bit runs an executable with its group privileges, or on a directory makes new files inherit that d…
Setuid bitThe setuid bit makes an executable run with the privileges of its owner rather than the user launching it, of…
Sticky bitThe sticky bit on a directory restricts file deletion so users can remove only their own files, even in a dir…
Traffic signalThe traffic golden signal measures how much demand a service is handling, such as requests per second, giving…
USE methodThe USE method analyzes resources by utilization, saturation, and errors, a checklist for pinpointing perform…
Wait system callThe wait system call lets a parent process pause until a child terminates and then read the child exit status…
Three-address codeThree-address code is an intermediate representation where each instruction has at most three operands, typic…
Time to interactiveTime to interactive measures when a page has rendered and reliably responds to user input quickly, marking th…
ToilToil is manual, repetitive operational work that scales with service size and adds no lasting value, making i…
Total blocking timeTotal blocking time sums how long the main thread was blocked by long tasks between first paint and interacti…
Trace context propagationTrace context propagation passes trace and span identifiers across service boundaries, usually in request hea…
Traffic mirroringTraffic mirroring sends a copy of live requests to a second service for testing while the original still serv…
Traffic shiftingTraffic shifting gradually moves a portion of live requests from an old version to a new one, enabling canary…
Trait object dispatchTrait object dispatch calls a method through a runtime pointer to a table of implementations, choosing behavi…
TrampoliningTrampolining is a technique that runs recursive calls as a loop by returning the next step instead of calling…
Two-phase commitTwo-phase commit is a protocol that coordinates a transaction across multiple systems by first asking all to…
Type erasureType erasure discards specific type parameters at or after compilation, leaving generic code working through…
TyposquattingTyposquatting is publishing malicious packages under names that resemble popular ones, so a typo in a depende…
Ubiquitous languageUbiquitous language is a shared, precise vocabulary used by developers and domain experts alike, reflected di…
Value stream analyticsValue stream analytics measures how long work takes to move through each stage from idea to production, expos…
Variance (types)Variance describes how subtyping between type arguments carries over to subtyping between the generic types b…
VendoringVendoring commits a copy of third-party dependencies directly into your repository instead of fetching them a…
Web middlewareWeb middleware is code that runs before a request reaches a route handler, letting it rewrite, redirect, auth…
Weighted routingWeighted routing splits traffic across two or more targets in proportions you set, such as ninety percent to…
White-box monitoringWhite-box monitoring uses internal metrics, logs, and traces exposed by a system to observe its inner state,…
Workflow dispatchWorkflow dispatch is a manual trigger that lets a user start a CI workflow on demand, optionally passing inpu…
Working directory inheritanceWorking directory inheritance means a child process starts in the same current directory as its parent unless…
Workload identityWorkload identity gives a non-human workload, like a CI job or service, a verifiable identity used to obtain…
Work in ProgressWork in Progress: Work in progress (WIP) is the number of items being worked on at once; limiting WIP reduces…
Work StealingWork Stealing: Work stealing is a scheduling technique where idle workers take pending tasks from busy worker…
Worker NodeWorker Node: A worker node is a machine (VM or physical) in a Kubernetes cluster that runs application pods.…
Workflow PermissionsWorkflow Permissions: Workflow permissions set the access scopes granted to `GITHUB_TOKEN` via the `permissio…
Workload IdentityWorkload Identity: Workload identity lets a running workload authenticate to a cloud API using its own verifi…
Workload IdentityWorkload Identity: Workload identity lets a running workload (a pod, a CI job) authenticate to cloud services…
Workload IdentityWorkload Identity: Workload identity is a mechanism that gives a workload (such as a CI job or Kubernetes pod…
Workspace (Terraform)Workspace (Terraform): A Terraform workspace is a named, isolated instance of state within a single backend,…
Write-Ahead LogWrite-Ahead Log: A write-ahead log (WAL) records changes to durable storage before applying them to the datab…
Write-Ahead Log (WAL)Write-Ahead Log (WAL): A write-ahead log records every change before it is applied to the data files, so a cr…
Zero-DayZero-Day: A zero-day is a vulnerability that is exploited or disclosed before the vendor has released a fix,…
Zero-Downtime MigrationZero-Downtime Migration: A zero-downtime migration changes the schema without taking the application offline,…
Zombie ProcessZombie Process: A zombie process is one that has exited but whose entry remains in the process table because…
Explore other topics
GitHub ActionsWorkflow, runner, and YAML errors - diagnosed and fixed.
Node.js & npmnpm, yarn, and pnpm failures in CI - solved.
DockerBuild, run, compose, and registry errors - explained.
Pythonpip, poetry, venv, and pytest failures - fixed.
Java & JVMMaven, Gradle, and JVM failures in CI - resolved.
GoGo build, module, and test failures - diagnosed.