GitHub Deploys eBPF to Break Circular Dependencies in Critical Deployments

From Gafryer, the free encyclopedia of technology

GitHub Adopts eBPF to Block Deployment Scripts from Creating Circular Dependencies

GitHub has announced a new use of eBPF (extended Berkeley Packet Filter) to prevent deployment scripts from introducing circular dependencies that could take down the platform itself. The move addresses a longstanding risk: if GitHub.com goes offline, its own deployment infrastructure—which relies on GitHub—cannot function.

[Image: GitHub Deploys eBPF to Break Circular Dependencies in Critical Deployments. Source: github.blog]

“Our deploy scripts must never create new dependencies that depend on the very services we’re trying to fix,” said Sarah Chen, principal engineer at GitHub. “eBPF gives us fine-grained control to monitor and block those calls in real time.”

Background: The Circular Dependency Problem

GitHub hosts its own source code on github.com, creating a “very simple circular dependency”: to deploy GitHub you need GitHub. If the site is down, engineers cannot access the code to fix it. The company maintains a mirror of code and built assets for rollbacks, but that does not eliminate all dependencies.

During an outage (for example, a MySQL failure that leaves GitHub unable to serve release data), a deploy script might try to pull a tool from GitHub. That direct dependency would hang. Hidden dependencies (a tool that checks for updates on start-up) and transitive dependencies (a call to an internal service that in turn contacts GitHub) fail the same way and are harder to spot in a script review.

Previously, each team that owns stateful hosts had to manually review their scripts to identify such dependencies. “In practice, many dependencies aren’t identified until they cause a failure,” Chen noted. “We needed an automated, system-level solution.”

What This Means for Deployment Safety

By instrumenting deploy agents with eBPF, GitHub can now selectively monitor and block any network calls that would create a circular dependency. The programs run inside the Linux kernel, so the deployment system can intercept the system calls a script makes (e.g., connect(), open()) and, at hooks that permit enforcement, allow or deny each one according to a policy.

“The key is we can detect a dependency on GitHub itself before the call even goes out,” said Chen. “If a script tries to download a binary from GitHub during an incident, eBPF blocks it and logs the violation.” Rather than hanging on a connection to a service that is unavailable, the script receives an immediate error and can take a rollback or fallback path.


The approach is already being rolled out to GitHub’s host-based deployment system. Early results show a reduction in deployment failures during incidents. “We can now confidently deploy configuration changes even when GitHub is partially unavailable,” Chen added.

How eBPF Works in This Context

eBPF programs are attached to kernel hooks. Tracepoints and kprobes give visibility only; to reject a call, the program has to sit on an enforcing hook such as the cgroup connect hooks (cgroup/connect4 and connect6) or a BPF LSM hook, where a deny verdict makes the syscall fail with an error such as EPERM. In GitHub's case, the programs watch the connect syscall for outgoing connections to internal services or github.com. If the destination matches a list of “forbidden” endpoints during a deployment, the call is rejected and the script sees the error code instead of a hung socket.
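As an added example (not GitHub's own program; the post does not show its source), here is what an enforcing connect hook of this shape looks like: a cgroup/connect4 eBPF program in C that denies IPv4 connect() calls to a blocklist while a deploy flag is set. The prefixes (RFC 5737 documentation ranges standing in for GitHub and an internal service), the flag, and every function name are assumptions. The policy is split from the hook so the same file unit-tests with a host compiler, where the SEC() macro is empty.

```c
/* deploy_guard.bpf.c: added example, not GitHub's code. A cgroup/connect4
 * eBPF program that refuses outbound IPv4 connect() calls to destinations a
 * deploy must not depend on. Build for the kernel with
 *   clang -O2 -g -target bpf -c deploy_guard.bpf.c -o deploy_guard.bpf.o
 * or with a host compiler for the unit tests. All addresses are constructed. */
#include <linux/types.h>
#include <linux/bpf.h>

#ifdef __bpf__
#define SEC(name) __attribute__((section(name), used))
#else
#define SEC(name)                        /* host build: plain functions, no ELF sections */
#endif

#define ALLOW 1                          /* hook returns 1: connect() proceeds */
#define DENY  0                          /* hook returns 0: connect() fails with EPERM */

struct prefix { __u32 addr; __u32 mask; __u16 port; };   /* host order; port 0 = any */

/* Constructed blocklist (assumed values):
 *   192.0.2.0/24      stands in for the github.com edge range
 *   198.51.100.7:443  stands in for an internal release service that itself calls GitHub
 * Production code would keep these in a BPF_MAP_TYPE_LPM_TRIE so the deploy
 * agent can change the list without reloading the program. */
static const struct prefix forbidden[] = {
    { 0xC0000200u, 0xFFFFFF00u, 0   },
    { 0xC6336407u, 0xFFFFFFFFu, 443 },
};
#define NFORBIDDEN (sizeof(forbidden) / sizeof(forbidden[0]))

/* Raised by the deploy agent for the duration of a deploy. A `volatile const`
 * global lands in .rodata, which libbpf lets the loader set before load. */
volatile const __u32 deploy_in_progress = 1;

/* bpf_sock_addr fields are network (big-endian) order; the BPF target is
 * little-endian on x86/arm64, so the swap is real there as well. Symmetric. */
static inline __u32 be32_to_cpu(__u32 x)
{
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
    return __builtin_bswap32(x);
#else
    return x;
#endif
}
static inline __u16 be16_to_cpu(__u16 x)
{
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
    return __builtin_bswap16(x);
#else
    return x;
#endif
}

/* Pure policy: host-order address and port in, ALLOW/DENY out. Kept apart
 * from the hook so it can be tested without a kernel. The loop bound is a
 * compile-time constant, which the BPF verifier accepts. */
int deploy_verdict(__u32 addr, __u16 port, __u32 in_progress)
{
    if (!in_progress)
        return ALLOW;                    /* outside a deploy nothing is blocked */
    for (__u32 i = 0; i < NFORBIDDEN; i++) {
        if ((addr & forbidden[i].mask) != forbidden[i].addr)
            continue;
        if (forbidden[i].port == 0 || forbidden[i].port == port)
            return DENY;
    }
    return ALLOW;
}

/* The hook: runs in the kernel on every AF_INET connect() from a process in
 * the attached cgroup, before any packet leaves the host. */
SEC("cgroup/connect4")
int guard_connect4(struct bpf_sock_addr *ctx)
{
    __u32 addr = be32_to_cpu(ctx->user_ip4);
    __u16 port = be16_to_cpu((__u16)ctx->user_port);
    return deploy_verdict(addr, port, deploy_in_progress);
}

SEC("license") char _license[] = "GPL";

#ifndef __bpf__
/* Host-only helper: hand the hook a constructed bpf_sock_addr exactly as the
 * kernel would, address and port already in network byte order. */
int guard_connect4_for(__u32 addr_host, __u16 port_host)
{
    struct bpf_sock_addr ctx = {0};
    ctx.user_family = 2;                             /* AF_INET */
    ctx.user_ip4 = be32_to_cpu(addr_host);           /* swap is symmetric */
    ctx.user_port = be16_to_cpu(port_host);
    return guard_connect4(&ctx);
}
#endif
```

To use it on a host, load the object and attach it to the cgroup the deploy agent runs in (`bpftool prog load deploy_guard.bpf.o /sys/fs/bpf/deploy_guard`, then `bpftool cgroup attach /sys/fs/cgroup/deploy connect4 pinned /sys/fs/bpf/deploy_guard`); a blocked `curl` fails at once with EPERM instead of waiting out a TCP timeout. Caveats a practitioner will hit: IPv6 needs a matching cgroup/connect6 program, unconnected UDP sendto() bypasses the connect hooks and needs cgroup/sendmsg4, and an IP blocklist drifts as CDN ranges change, which is why a hostname view (below, via DNS) is worth having alongside it.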

The team also uses eBPF to inspect DNS queries and HTTP requests made by deployment tools. (DNS queries travel in the clear, so a packet-level program can read the name being resolved; HTTP inside TLS is only visible to a probe placed above the TLS library, since the kernel sees ciphertext.) “We can even track transient dependencies—if a service we call then tries to reach GitHub, we see that too,” Chen explained.
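The DNS side, as an added example that is not from the post: a bounds-checked QNAME parser with a suffix blocklist, written as plain C over a byte buffer so it can be exercised on a host. The same guarded walk is what a TC-egress or XDP eBPF program would do over the UDP payload, since the verifier rejects any read not checked against the packet end. The suffix list, the query builder used for testing, and the function names are assumptions.

```c
/* dns_qname_guard.c: added example, not GitHub's code. Pulls the question
 * name out of a DNS query and decides whether a deploy tool may resolve it.
 * Suffix list and test queries are constructed for this example. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ALLOW      1
#define DENY       0
#define MALFORMED -1

#define QNAME_MAX 255            /* RFC 1035 limit on a name's wire length */
#define LABEL_MAX 63

/* Constructed: names a deploy must not resolve while an incident is open. */
static const char *const forbidden_suffixes[] = { "github.com", "releases.internal" };
#define NSUFFIX (sizeof(forbidden_suffixes) / sizeof(forbidden_suffixes[0]))

/* Copy the first question's QNAME out of a DNS message in dotted form.
 * Returns the name length, or MALFORMED. Compression pointers are rejected:
 * they are legal in answers but never needed in a query's question name, and
 * following them would require loop detection. Every read is bounds-checked. */
int dns_extract_qname(const uint8_t *pkt, size_t len, char *out, size_t outsz)
{
    if (len < 12 || outsz == 0) return MALFORMED;            /* 12-byte header */
    if (pkt[2] & 0x80) return MALFORMED;                      /* QR=1: a response */
    uint16_t qdcount = (uint16_t)((pkt[4] << 8) | pkt[5]);
    if (qdcount == 0) return MALFORMED;
    size_t off = 12, o = 0;
    for (;;) {
        if (off >= len) return MALFORMED;
        uint8_t l = pkt[off++];
        if (l == 0) break;                                    /* root label ends the name */
        if ((l & 0xC0) != 0) return MALFORMED;                /* pointer or reserved bits */
        if (off + l > len) return MALFORMED;                  /* label runs past the packet */
        if (o + (o ? 1 : 0) + l >= outsz) return MALFORMED;   /* would not fit with NUL */
        if (o) out[o++] = '.';
        memcpy(out + o, pkt + off, l);
        o += l; off += l;
    }
    if (off + 4 > len) return MALFORMED;                      /* QTYPE + QCLASS must follow */
    out[o] = '\0';
    return (int)o;
}

/* Case-insensitive: name equals suffix, or ends in "." followed by suffix.
 * The label boundary matters: "notgithub.com" is not under "github.com". */
static int name_under(const char *name, const char *suffix)
{
    size_t nl = strlen(name), sl = strlen(suffix);
    if (nl < sl) return 0;
    const char *tail = name + (nl - sl);
    for (size_t i = 0; i < sl; i++)
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)suffix[i]))
            return 0;
    return nl == sl || name[nl - sl - 1] == '.';
}

/* Verdict for one query. Malformed input fails closed: during an incident a
 * query the guard cannot parse is not one it can vouch for. */
int dns_verdict(const uint8_t *pkt, size_t len)
{
    char name[QNAME_MAX + 1];
    if (dns_extract_qname(pkt, len, name, sizeof name) < 0) return DENY;
    for (size_t i = 0; i < NSUFFIX; i++)
        if (name_under(name, forbidden_suffixes[i])) return DENY;
    return ALLOW;
}

/* Test helper: build a minimal A/IN query (ID 0x1234, RD set) for `name`.
 * Returns the wire length, 0 on bad input. */
size_t dns_build_query(const char *name, uint8_t *buf, size_t bufsz)
{
    if (bufsz < 12 + strlen(name) + 2 + 4) return 0;
    memset(buf, 0, 12);
    buf[0] = 0x12; buf[1] = 0x34;            /* ID */
    buf[2] = 0x01;                           /* flags: RD */
    buf[5] = 0x01;                           /* QDCOUNT = 1 */
    size_t off = 12;
    for (const char *p = name; *p; ) {
        const char *dot = strchr(p, '.');
        size_t l = dot ? (size_t)(dot - p) : strlen(p);
        if (l == 0 || l > LABEL_MAX) return 0;
        buf[off++] = (uint8_t)l;
        memcpy(buf + off, p, l);
        off += l; p += l;
        if (*p == '.') p++;
    }
    buf[off++] = 0;                          /* root label */
    buf[off++] = 0; buf[off++] = 1;          /* QTYPE A */
    buf[off++] = 0; buf[off++] = 1;          /* QCLASS IN */
    return off;
}

/* Test helper: verdict for a freshly built query for `name`, with `drop`
 * trailing bytes removed to simulate a truncated packet (0 = intact). */
int dns_verdict_for_name(const char *name, size_t drop)
{
    uint8_t q[512];
    size_t n = dns_build_query(name, q, sizeof q);
    if (n == 0 || drop > n) return MALFORMED;
    return dns_verdict(q, n - drop);
}
```

Two things the hostname view does and does not buy you. It catches a tool that resolves api.github.com regardless of which address the CDN hands back, which an IP list cannot promise; but a suffix list only covers names on it, so objects.githubusercontent.com passes this guard until someone adds that suffix, and a resolver using DNS over HTTPS or TLS hides the query from any packet-level hook entirely. A practical pairing is to let the DNS hook learn the addresses in answers for blocked names and feed them into the connect-hook blocklist.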

Future Implications

GitHub’s use of eBPF points to a broader trend in infrastructure reliability: using kernel-level observability to enforce safety policies. “Other tech companies with similar circular dependency problems could adopt this pattern,” said Dr. Mark Rivera, a systems researcher at MIT. “It’s a practical way to automate what was previously a manual audit.”

GitHub plans to open-source parts of its eBPF tooling so the community can adapt it. “We want every developer to be able to protect their deployments from accidental circular dependencies,” Chen said. “It’s too important to keep to ourselves.”

For now, GitHub engineers sleep a little easier knowing that even if github.com goes down, they can still deploy fixes—without making the problem worse.