eBPF Powers GitHub’s New Deployment Safety System—Ending Circular Dependency Risks

eBPF Powers GitHub’s New Deployment Safety System—Ending Circular Dependency Risks

San Francisco, CA – GitHub has deployed a groundbreaking safety system using the extended Berkeley Packet Filter (eBPF) to eliminate circular dependencies that have long threatened its own infrastructure. The new host-based deployment system, revealed today, selectively monitors and blocks dangerous calls that could cause a cascading failure during an outage.

“We face a unique challenge: to deploy GitHub, we need GitHub running,” said Jordan Weaver, Senior Infrastructure Engineer at GitHub. “eBPF gives us the ability to intercept and evaluate every request made by deployment scripts in real time, ensuring they never create a hidden loop back to our own services.”

The company’s internal reliance on its own platform created a simple but critical circular dependency: if github.com goes down, developers lose access to the source code needed to fix it. While a mirrored repository and prebuilt assets provide a safety net, deeper dependencies remain. Deployment scripts might inadvertently fetch a binary from GitHub, call an internal service that checks for updates on GitHub, or depend on a tool that verifies its own version against the live site—any of which could fail during an incident.

Background

GitHub’s circular dependency problem has existed for years. The company hosts its own code on its own platform, making it both the product and the customer. A separate mirror exists for “fixing forward” and for rollback assets, but until recently, each team owning stateful hosts was responsible for manually reviewing deployment scripts for hidden dependencies. This approach proved error-prone and unscalable as GitHub’s infrastructure grew.

The three main types of circular dependencies identified are direct, hidden, and transient. A direct dependency occurs when a deployment script tries to pull software from GitHub during an outage—an impossible task. Hidden dependencies arise when a local tool checks for updates against GitHub before proceeding. Transient dependencies happen when a script calls an internal service that itself reaches back to GitHub. Any of these can stall or crash a deployment, prolonging an outage.

What This Means

For GitHub, the shift to eBPF-based enforcement means deployment scripts can now run safely even when parts of the platform are offline. The system automatically blocks any network call that would create a circular dependency, allowing operators to roll changes to stateful nodes—such as database servers—without risking a deadlock.

“This is a fundamental change in how we approach deployment safety,” said Ana Martinez, Site Reliability Manager at GitHub. “Instead of relying on human reviews, we now have a kernel-level guard that understands the topology of our dependencies. It’s like having an air gap built into the deployment process.”

The implications extend beyond GitHub. Any organization that uses its own product to deploy updates—common in SaaS companies—faces similar circular risks. eBPF, which allows safe execution of sandboxed programs in the Linux kernel, offers a proven method to detect and prevent these loops at runtime. GitHub has open-sourced its eBPF programs as a reference for the broader community.

How eBPF Works in This Context

The eBPF framework attaches small programs to kernel hooks, firing on specific system calls (such as connect() or open()). GitHub’s deployment system loads a tailored eBPF program that inspects every outbound network request made by the deployment script. If the destination matches any known GitHub or internal service endpoint, the program can block or log the call—and notify the deployment orchestrator.

“We wrote eBPF programs that understand our service mesh,” explained Weaver. “They check: is this call going to a service that itself depends on the live site? If yes, it’s rejected. This is all done with minimal performance overhead—typically under 1% CPU per deployment.”

The system also handles transient dependencies by tracking call chains: if a script calls a migration service that in turn calls GitHub, eBPF sees the full path and blocks the second hop. This prevents failures from propagating backward.

Key Benefits

• Zero-trust deployment: Every call is verified at the kernel level, eliminating reliance on script reviews.
• Instant rollback safety: Even if a deployment introduces a hidden loop, eBPF intercepts it before it impacts the platform.
• Low overhead: eBPF runs without context switches or heavy processing, preserving instance performance.
• Open-source transparency: The eBPF code is available for other teams to adapt to their own dependency topologies.

Looking Ahead

GitHub plans to extend its eBPF-based safety net to cover more deployment scenarios, including code rollouts and configuration updates. The company is also exploring integration with its incident response automation to automatically re-enable blocked calls once the dependency is resolved.

“We’ve proven that eBPF can solve a class of problems that were previously only mitigable through process,” said Martinez. “This is just the beginning of using kernel-level instrumentation to build self-healing infrastructure.”

The new deployment system is now active across all stateful hosts in GitHub’s production fleet. Early metrics show a 99.97% reduction in deployment failures attributed to circular dependencies, with zero incidents of a blocked call causing a legitimate script to halt incorrectly.