⚡ Engineering War Stories from the Trenches

When Big Tech Breaks
& How They Fix It

The postmortems they published. The outages they survived. The fixes that saved millions of users. Read the real story — not the press release.

Case Studies

Companies

∞

Things Broke

100%

No Fiction

Netflix Chaos Engineering ★ 5.0

Netflix Unleashed a Monkey With a Weapon in Its Own Data Center — On Purpose

It was 2011 and Netflix had just migrated hundreds of microservices to AWS. Their architecture was distributed, horizontally scaled, and theoretically fault-tolerant. But theory and production are different things. The only way to know if a system could survive failures was to cause failures — constantly, deliberately, during business hours, and in production. So they built a monkey.

July 19 2011 blog published Business-hours instance killing 10 Simian Army members +3

Read full story →

Hotstar Live Streaming ★ 5.0

When MS Dhoni Got Out: How Hotstar Survived 25 Million Concurrent Users

July 9th, 2019. India vs New Zealand, Cricket World Cup semi-final. MS Dhoni walks to the crease and 1.1 million new viewers join Hotstar every single minute. Then he gets run out — and 24 million people hit the back button almost simultaneously.

25.3M peak concurrent 1.1M users/min growth 5.7 Tbps bandwidth +3

Read full story →

GitHub Databases

How GitHub Upgraded 1200 MySQL Hosts Without Dropping a Single Query

MySQL 5.7 was hitting end-of-life, and GitHub's production database fleet spanned 1,200 hosts, 300 terabytes of data, and 5.5 million queries every second. Getting from here to MySQL 8.0 without disrupting 100 million developers was going to take more than a weekend.

1,200+ MySQL hosts upgraded 300+ TB data migrated 5.5M queries/sec maintained +3

Read full story →

Slack Reliability

Slack Built a Big Red Button to Drain an Entire Data Center in Five Minutes

On June 30, 2021, a network link connecting one AWS availability zone failed — and Slack users felt it, despite Slack running in multiple availability zones. The postmortem question was brutal: why did a single AZ failure affect users at all? The answer drove 18 months of architecture work.

2021-06-30 AZ outage trigger 1.5 years migration time AZ drain in <5 minutes +3

Read full story →

Cloudflare Reliability

Cloudflare Fixed a React Security Vulnerability and Broke the Entire Network

In late 2025, Cloudflare was rolling out a fix for a React security vulnerability. To do so, they needed to disable an internal testing tool with a global killswitch. The killswitch, unexpectedly, triggered a bug that sent HTTP 500 errors across Cloudflare's entire global network. This was the third major configuration-related global outage in two years.

Dec 2025 global outage React CVE fix triggered outage Global killswitch bug +3

Read full story →

LinkedIn Messaging

LinkedIn Needed a Message Queue. They Built the One the Entire Internet Runs On.

In 2010, LinkedIn was drowning in data it couldn't move. Every ML model, every recommendation engine, every real-time feature was starving because there was no reliable way to get activity data from the website into the systems that needed it. Jay Kreps, Jun Rao, and Neha Narkhede spent a year building a fix. They named it after Franz Kafka. The rest of the internet adopted it.

1B events/day at launch (2011) 1T messages/day by 2015 7T messages/day by 2019 +3

Read full story →

Google Performance

Google Built a Free Design Tool That Generates Production Code From a Sentence — Then Added Multiplayer

At Google I/O 2025, Sundar Pichai demoed a tool that turned a plain English description into a complete mobile UI in under 30 seconds. Figma charges $15 per editor per month for collaborative design. Google Stitch does it free. A year later, Google added real-time multiplayer, a streaming design agent, and voice input. The design industry noticed.

Launched I/O May 20 2025 Galileo AI acquisition → Stitch rebrand Gemini 2.5 Pro multimodal core +3

Read full story →

Google Distributed Systems

Google's Gemini Omni Is the First AI That Creates From Anything — Here Is What That Actually Means

For three years, Google built Gemini to be 'natively multimodal.' At I/O 2026, they finally demonstrated what that phrase means in practice. Gemini Omni takes a photo, an audio clip, a video, and a text description — all at once — and produces a new video that reflects all of them simultaneously. This is not four models chained together. It is one.

Announced I/O May 19 2026 Any-to-any: text+image+audio+video → video Flash release: 10s clips, Gemini app + YouTube Shorts +3

Read full story →

GitHub Distributed Systems

GitHub Built the Internet's Code Platform — Then AI Agents Broke It

Between May 2025 and April 2026, GitHub experienced 257 incidents — 48 of them major outages. That's roughly one significant disruption every single week. The culprit wasn't a security breach, a botched deployment, or a rogue engineer. It was the thing GitHub had spent years celebrating: AI. Specifically, agentic AI workflows that turned one human developer's footprint into hundreds of commits, thousands of CI minutes, and a dozen simultaneous PR operations — all at once, across millions of accounts. GitHub had been built for humans. Agents are not human.

257 incidents — May 2025 to April 2026 48 major outages, 112+ hours total downtime 57 GitHub Actions outages in 12 months +5

Read full story →

OpenAI Reliability

OpenAI Deployed a Tool to Monitor Kubernetes — and It Took Down All of Kubernetes

On December 11, 2024, OpenAI deployed a new telemetry service designed to improve Kubernetes observability. Within 29 minutes, it had crashed the Kubernetes control plane across every cluster. ChatGPT, the API, and Sora were all unavailable for over four hours. The engineers trying to fix it couldn't run kubectl. The control plane that manages clusters was down — and it was the only way back in.

3:16 PM → 7:38 PM PST (4h 22min) ALL OpenAI services affected Kubernetes control plane down in most large clusters +3

Read full story →

AWS Distributed Systems

A Race Condition in DynamoDB's DNS Took Down Snapchat, Fortnite, Ring, and Half the Internet for 15 Hours

It was 11:48 PM PDT on October 19, 2025. Two automation processes inside AWS's DynamoDB DNS management system were doing the same job simultaneously — one fast, one painfully slow. The slow one was just finishing up when the fast one, having already completed, triggered a cleanup job that deleted the slow one's work. In that moment, every DNS record for DynamoDB in the world's busiest cloud region vanished. Snapchat went dark for 375 million daily users. Fortnite lobbies dissolved mid-match. Ring cameras stopped recording. The UK's HMRC tax authority went offline. For 15 hours, the internet's largest database service had no address.

October 19–20, 2025 — 15-hour outage in US-EAST-1 Root cause: race condition between two DNS Enactor processes DynamoDB offline for ~3 hours; EC2 cascade lasted 12+ more hours +5

Read full story →

Google Distributed Systems

Google's Own Cleanup Job Crashed Cloud Services Across 4 Continents — and Then Made Recovery Worse

On May 29, 2025, a Google engineer deployed new quota-checking code to Service Control — the system that authorizes every single API request across Google Cloud. The code had a bug: it couldn't handle a null value. But the bug was invisible during deployment because it could only be triggered by a specific type of policy data that hadn't appeared yet. Two weeks later, on June 12, an automated system pushed a routine policy update containing blank fields. The policy data replicated globally within seconds. Every Service Control binary in every region hit the null pointer, crashed, and refused to restart without eating itself. Spotify went down. Discord went down. Snapchat went down. Google's own status page went down. And when engineers deployed the fix, the restart surge overwhelmed the infrastructure — making the recovery worse than the crash.

June 12, 2025 — 7+ hour outage across North America, Europe, Far East, Africa Root cause: null pointer exception in Service Control binary from May 29 code change No feature flag protection and no error handling on the new code path +5

Read full story →

Discord Databases

How Discord Migrated Trillions of Messages and Fired Their Garbage Collector

It is 2022 and Discord's on-call engineers are babysitting a 177-node database cluster, manually rebooting nodes after Java GC pauses spiral out of control. The system holding every message ever sent is becoming the thing everyone fears touching most.

177 → 72 nodes p99 latency 15ms (was 40–125ms) 9-day migration (was 3-month est.) +3

Read full story →

Discord Reliability

Discord Killed the MacBook Dev Environment and Never Looked Back

Discord's engineering team had tripled in size and was drowning in a swamp of 'works on my machine' bugs — some engineers running macOS, some Ubuntu, all of them slowly. The solution was radical: no one gets a local dev environment anymore.

3x engineering org growth Mac→V1→V2 (two migrations) Began 2020, V2 done 2023 +3

Read full story →

Netflix Distributed Systems

Netflix Hit the AWS Instance Ceiling and Built a Workflow Engine That Scales Forever

Netflix's Meson orchestrator was handling hundreds of thousands of daily data and ML jobs — and running out of machine. Vertically scaling on AWS had a hard ceiling, and the workflows were doubling in size every year. The only way out was a complete architectural rethink.

2M+ jobs/day at peak Hundreds of thousands of workflows Meson → Maestro 2020 +3

Read full story →

Slack Reliability

Slack's Worst Day: When a Better Cache Manager Made Everything Worse

On February 22, 2022, Slack went down for many users — including the engineer designated as Incident Commander, who was authoring the postmortem from a position of personal experience. The culprit was a new component that worked exactly as designed.

Feb 22 2022 outage Consul rollout to 75% of fleet Cache hit rate collapsed +3

Read full story →

Stripe Databases

How Stripe Moves Petabytes Between Database Shards Without Stopping the Money

Stripe processed over $1 trillion in payment volume in 2023 while maintaining 99.999% uptime — five nines, fewer than 6 minutes of downtime all year. The infrastructure secret is a database platform called DocDB and a migration engine that moves petabytes of financial data between shards without any application knowing it happened.

$1T+ payment volume 2023 99.999% uptime achieved 5M database queries/sec +3

Read full story →

Slack Distributed Systems

Slack Rewrote Its Core Architecture for Enterprise — Because the Old One Was a Lie

Slack was built for teams in single workspaces. Enterprise customers were using it across dozens of workspaces simultaneously — and the architecture had never been designed for that. Every major enterprise feature was a workaround on top of a foundation that assumed one workspace per person. Slack spent two years rebuilding the foundation.

2 years development time Workspace-centric → org-wide Thousands of APIs refactored +3

Read full story →

Slack Reliability

Slack Cut Deploy-Related Customer Impact by 90% in Eighteen Months

73% of Slack's customer-facing incidents were being triggered by Slack itself — by its own code deploys. The team stopped treating each outage as a one-off and started treating deploy safety as a program, with metrics, milestones, and automated rollbacks. Eighteen months later, customer impact hours were down 90%.

73% incidents from own deploys 90% reduction in impact hours Manual → automatic rollbacks +3

Read full story →

Atlassian Reliability

How a Two-Line Script Silently Deleted 883 Customer Cloud Sites

At 07:38 UTC on April 5th, 2022, a maintenance script begins its run — methodical, peer-reviewed, totally routine. Twenty-three minutes later, 883 Atlassian Cloud sites have been permanently deleted, and the company's own incident management tool, Opsgenie, is one of the casualties.

883 sites deleted 14 days max outage 775 customers affected +3

Read full story →

Netflix Live Streaming

65 Million Streams: How Netflix Rebuilt Its Guts for Live

November 15, 2024: 65 million people log on to watch Mike Tyson fight Jake Paul, the largest live sports stream in history. Behind the scenes, Netflix engineers are white-knuckling a system they built from scratch — one where a single bad video segment, a CDN request storm, or a missed 2-second write deadline means millions of viewers see a black screen.

65M concurrent streams 113ms → 25ms p50 latency 200Gbps+ read throughput +3

Read full story →

Stripe Performance

Stripe Converted 3.7 Million Lines of JavaScript in One Pull Request on a Sunday

On Sunday, March 6, 2022, Stripe merged a single pull request that converted their entire largest JavaScript codebase from Flow to TypeScript. 3.7 million lines of code. Hundreds of engineers arrived Monday morning to start writing TypeScript. The migration had been invisible until it wasn't.

3.7M lines converted in 1 PR Single Sunday deploy Largest JS codebase at Stripe +3

Read full story →

GitHub Reliability

The Test That Broke GitHub: A Failover Drill Goes Live

June 29, 2023, 17:39 UTC: GitHub engineers initiate a planned live failover test of their brand-new second Internet edge facility — six months of infrastructure work designed to eliminate a single point of failure. Within seconds, instead of validating their redundancy, they've created an outage that takes GitHub offline for millions of developers across North America and South America.

32-minute outage 2-min detect-to-revert US East + South America +3

Read full story →

Shopify Databases

Shopify Sharded a Rails Database With Vitess and the App Never Knew It Happened

The Shop app was growing exponentially. Its single MySQL database was approaching vertical scaling limits. Shopify needed horizontal sharding — but they had a Rails monolith that expected a single database, and a system that couldn't have downtime during a commerce platform used by millions daily.

KateSQL → Vitess migration user_id as sharding key VTGate transparent to app +3

Read full story →

Shopify Databases

Shopify's Engineers Hunted Deadlocks at 19 Million Queries per Second

During Black Friday and Cyber Monday 2023, Shopify's MySQL fleet was handling 19 million queries per second. At that scale, even rare deadlock patterns become common enough to cause real incidents. The engineering team published a detailed playbook for diagnosing and eliminating MySQL deadlocks in high-concurrency production environments.

19M MySQL QPS at BFCM peak 58M requests/min app servers 99.999%+ uptime maintained +3

Read full story →

Cloudflare Reliability

Cloudflare's Datacenter Partner Failed and the Control Plane Went Dark for 40 Hours

On November 2, 2023, Cloudflare's primary datacenter partner experienced a power failure. The control plane — the system that lets customers configure DNS, firewall rules, and every Cloudflare service — went dark. It stayed dark, in various forms, for nearly 40 hours. The postmortem introduced a concept Cloudflare hadn't had before: Code Orange.

Nov 2–4 2023 outage ~40 hours control plane down Flexential datacenter failure +3

Read full story →

Cloudflare Reliability

A Database Permission Change in ClickHouse Took Down 28% of Cloudflare's HTTP Traffic

On November 2, 2023 — the same day as the control plane datacenter failure — Cloudflare also experienced a separate six-hour global outage. The cause: a database permission change in ClickHouse generated a corrupt configuration file that was silently propagated to every server in Cloudflare's Bot Management system, crashing it globally.

Nov 2 2023 outage 28% HTTP traffic impacted 6 hours total duration +3

Read full story →

Netflix Performance

Netflix Made Their Workflow Orchestrator 100x Faster by Rewriting the Engine Nobody Thought Was Slow

Maestro had been running Netflix's data and ML workflows successfully for two and a half years. Then Live, Ads, and Games drove sub-hourly scheduling requirements that revealed the orchestrator's overhead — not in crashes or alerts, but in slow step launches that nobody had measured. The fix was a complete engine rewrite that delivered 100x throughput improvement.

100x throughput improvement 2.5 years before overhead visible Sub-hourly scheduling trigger +3

Read full story →

Netflix Performance

Netflix's Containers Were Fighting Their Own CPUs — and Losing

Netflix ran millions of containers per day on modern multi-core CPUs. The containers performed well on benchmarks. In production, under certain workloads, they were mysteriously slower than expected — slower than the hardware should have allowed. The culprit was CPU topology: the operating system was scheduling container workloads in ways that violated modern CPU cache architecture. They called the investigation 'Mount Mayhem.'

Mount Mayhem investigation Modern multi-core CPU topology NUMA and cache locality +3

Read full story →

Netflix Reliability

Netflix Streamed Live Sports for Millions — and the Hard Part Wasn't the Video

When Netflix began streaming live events — boxing, NFL games, comedy specials — the engineering challenge wasn't encoding or delivery. It was building the human infrastructure: the operations team, the escalation paths, the real-time decision systems, and the runbooks that let engineers respond to live event failures in seconds, not minutes.

Live events at Netflix scale Sub-second escalation paths NFL Christmas Day 2023 +3

Read full story →

Figma Databases

Figma's Database Grew 100x in Four Years — Here's How a Small Team Kept It From Toppling

In 2020, Figma ran on a single Postgres instance on AWS's largest available machine. Four years later, that database had grown nearly 100x. Some tables had swelled to several terabytes and billions of rows. The Postgres vacuum process — the background job that keeps Postgres alive — was causing reliability incidents. They had months of runway left before hitting the IOPS ceiling. A small databases team had nine months to fix it.

100x DB growth since 2020 Single instance → horizontal shards 9-month migration +3

Read full story →

Datadog Reliability

Datadog Went Dark for 24 Hours and Came Back With a Different Philosophy

On March 8, 2023, Datadog — the platform engineers use to know when their own infrastructure is broken — broke. For more than 24 hours, across five regions on three cloud providers, metrics stopped arriving, logs disappeared, and dashboards showed nothing. The people whose job was to fix it couldn't see what was happening. It cost $5 million. It changed how Datadog thinks about building software.

24h+ global outage $5M revenue loss 50–60% Kubernetes nodes lost +3

Read full story →

OpenAI Databases

OpenAI Runs ChatGPT for 800 Million Users on One PostgreSQL Instance — and It Works

ChatGPT has 800 million users. It handles millions of database queries per second. And it runs on a single primary PostgreSQL instance on Azure — one writer, backed by about fifty read replicas. No sharding. No distributed SQL. Just Postgres, pushed further than almost anyone thought possible through obsessive optimization and ruthless operational discipline.

800M users, 1 primary PG instance ~50 read replicas globally Millions of QPS, p99 <20ms +3

Read full story →

Uber Security

Uber Had 150,000 Secrets Scattered Across 25 Vaults — So They Built One Platform to Rule Them

150,000 secrets. 25 separate vaults. Hundreds of teams managing their own credentials in their own ways, some in plain text in version control. At Uber's scale — 5,000 microservices, 5,000 databases, 500,000 analytical jobs per day — secrets sprawl is not a compliance problem. It is an incident waiting to happen. A team of ten engineers decided to fix it.

150,000 secrets managed 25 vaults → 6 managed vaults 5,000 microservices secured +3

Read full story →

Shopify Reliability

The 80% Problem: Why Getting an LLM System to 'Works in Demo' Is 20% of the Work

Every team building with LLMs discovers the same brutal truth: 80% quality arrives in a few weeks. The final 15% — the gap between 'impressive demo' and 'product I'd trust with my customers' — takes the rest of the time. Shopify's Flow agent and Sidekick teams lived this curve and came back with a systematic playbook. It is mostly about measurement.

LLM judge: 0.02 → 0.61 Kappa 300-example hand-crafted benchmark Production mirroring closes gap in 2 weeks +3

Read full story →

IBM Distributed Systems

Quantum Computing Just Beat the Best Classical Computer — Here Is the Engineering That Made It Happen

On May 6, 2026, Q-CTRL ran a materials science simulation on an IBM quantum computer in 2 minutes. The best classical supercomputer needed over 100 hours to reach the same accuracy — and then gave up. The day before, IBM's quantum computers simulated a 12,635-atom protein with Cleveland Clinic and RIKEN, 40 times larger than anything attempted six months prior. After 30 years of promises, quantum advantage arrived. Here is what actually changed.

3,000× speedup over best classical (May 6 2026) 12,635-atom protein simulated (May 5 2026) 120 qubits, 10,000+ two-qubit gates +3

Read full story →

Spotify Reliability

Spotify Changed a Filter Order in Their Proxy — Then Every Server in the World Crashed at Once

On April 16, 2025, Spotify's engineering team made a change they deemed low risk: reordering the custom filters inside their Envoy Proxy perimeter. They applied it to all regions simultaneously. Within two minutes, every Envoy instance worldwide had crashed. And then the restart loop began — a loop Kubernetes itself was powering, killing each new server as fast as it came back up. 675 million users couldn't load the app. Asia Pacific stayed up, and the reason why told the engineers exactly what was broken.

12:18–15:45 UTC (3h 27min) 675M MAU affected 48,000+ Downdetector peak reports +3

Read full story →

Airbnb Databases

Airbnb's Fraud Detection Runs on a Graph of 7 Billion Nodes — Here's Why They Rebuilt It From Scratch

Airbnb's identity graph connects 7 billion nodes and 11 billion edges — every user, every device, every listing, every relationship that might reveal a fraudster trying to create a duplicate account or collude on a fake transaction. The third-party vendor powering it required periodic manual reboots to stay stable. Queries that needed 8 hops of graph traversal were hitting 5-second P99 latencies. In 2024, a small team rebuilt the entire thing internally. The results were not incremental.

7B nodes, 11B edges 5M new edges/day P99 read: 5.0s → 2.5s (-49%) +3

Read full story →

GitHub · Distributed Systems

GitHub Built the Internet's Code Platform — Then AI Agents Broke It

The Story

We started executing our plan to increase GitHub's capacity by 10X in October 2025, with a goal of substantially improving reliability and failover. By February 2026, it was clear that we needed to design for a future that requires 30X today's scale. The main driver is a rapid change in how software is being built. Since the second half of December 2025, agentic development workflows have accelerated sharply.

— Vlad Fedorov, CTO of GitHub — GitHub Engineering Blog, April 28, 2026

For most of its existence, GitHub has been one of the most reliable platforms on the internet. Developers took it for granted the way they take electricity for granted — always on, always there, a utility so dependable it disappeared into the background. That changed in 2025. Not because GitHub's engineers got worse. Not because the codebase got sloppier. But because something fundamental changed about who — or more precisely, what — was using GitHub. AI coding agents arrived at scale, and they didn't behave anything like the human developers the platform was built for.

The numbers tell the story with uncomfortable clarity. In 2024, GitHub logged 119 service incidents, including 26 major ones — frustrating, but manageable, with an average resolution time of roughly 106 minutes. Then, between May 2025 and April 2026, incident monitoring service IncidentHub tracked 257 separate incidents, of which 48 were classified as major outages. February 2026 alone produced 37 incidents — the worst month on record. GitHub Actions, the platform's CI/CD automation backbone, suffered 57 outages in the same 12-month stretch. On May 15, 2026, a single Actions degradation caused 42% of all Actions runs to fail at peak impact. Developers worldwide woke up to red CI pipelines and spent hours debugging their own code — before eventually realizing it wasn't their code at all.

THE CORE PROBLEM: AGENTS DON'T BEHAVE LIKE HUMANS

A human developer on a free GitHub account might generate a few commits and a handful of CI runs in a working day. An AI agent on the same account can generate hundreds of commits, dozens of PRs, and thousands of Actions minutes in a single afternoon. GitHub's 2025 Octoverse report celebrated nearly 1 billion commits. By early 2026, GitHub COO Kyle Daigle shared a more alarming figure: the platform was handling 275 million commits every single week — on pace for 14 billion in 2026 if growth held linear. That's a 14x annual increase. It wasn't 14x more developers. It was agents treating GitHub's API like a utility and consuming at machine speed.

Problem

GitHub Was Built for Human-Paced Development

GitHub's architecture was designed for a world where developers work at human speed: open a PR, push commits over hours or days, wait for CI to run, merge when green. The platform's capacity planning, its database schemas, its job queues, its rate limits — all calibrated for a workflow where one human generates a bounded amount of activity per session. That assumption held for 17 years.

Cause

AI Agents Changed the Economics of Every GitHub Operation

GitHub CTO Vlad Fedorov identified the mechanism: a single pull request can simultaneously touch Git storage, mergeability checks, branch protection, GitHub Actions, search, notifications, permissions, webhooks, APIs, background jobs, caches, and databases. A human merging one PR triggers this chain once. An AI agent framework running hundreds of concurrent sessions triggers it thousands of times simultaneously. AI-agent PRs alone jumped from 4 million in September 2025 to 17 million in March 2026 — a 325% increase in six months. Actions usage went from 500 million minutes per week in 2023 to 2.1 billion minutes in a single week in early 2026.

Solution

10x Plan Became 30x Plan — And They Were Still Behind

GitHub began a 10x capacity scaling initiative in October 2025. By February 2026, that plan was already obsolete — the real demand required 30x. Simultaneously, GitHub was running a migration to Azure, with 12.5% of all traffic on Azure Central US and a target of 50% by July 2026. Running a platform migration alongside an AI-driven traffic explosion is the engineering equivalent of rebuilding an airplane's engines at 35,000 feet.

Result

Cascading Failures and High-Profile Departures

The pressure produced not just performance degradation but engineering failures. On April 23, 2026, an incomplete feature flag silently reverted commits across 658 repositories and 2,092 pull requests — the UI showed green checkmarks while code was being rewritten underneath. On April 27, a botnet attack overwhelmed the Elasticsearch backend and took GitHub Search offline for hours. On April 28, Mitchell Hashimoto — GitHub user #1299, co-founder of HashiCorp, joined February 2008 — announced that Ghostty was leaving GitHub. The Zig programming language project also migrated away.

Peak monthly metrics by early 2026: 90 million merged PRs, 1.4 billion commits, 20 million new repositories. These are not the metrics of a platform being used by developers. These are the metrics of a platform being consumed by machines.

The Two April Incidents That Broke Developer Trust

Two incidents in late April 2026 crystallized the reliability crisis into something personal for every developer who experienced them. The first, on April 23, was a merge queue regression — a bug caused by an incomplete feature flag deployment — that silently reverted commits across 658 repositories and 2,092 pull requests. The terrifying part was not the scope. It was the silence. The UI continued to show green checkmarks and merge confirmations while the system was actively undoing work underneath. Developers had no idea their code had been reverted until they dug into the diff. A platform's most sacred contract with its users is that when it shows a green checkmark, the operation succeeded. GitHub broke that contract.

The second incident, on April 27, was a Search outage triggered by what GitHub described as a likely botnet overwhelming the Elasticsearch backend. Search went down for hours across the platform. Taken individually, either incident could be explained away. Together, in the same week, they were the signal that the accumulated reliability debt had become impossible to ignore.

The Silent Revert: Why the Merge Bug Was So Damaging

The April 23 merge queue bug was technically a data integrity issue — code that had been merged was reverted without notification. But its deeper damage was psychological. Developers depend on version control's fundamental promise: what you commit is preserved, what you merge is recorded. A bug that silently breaks this promise doesn't just cause data loss. It causes a loss of confidence in every operation the platform reports as successful. How many other green checkmarks weren't telling the whole story? This is the question that made Mitchell Hashimoto's departure feel less like frustration and more like a considered assessment of risk.

The Mitchell Hashimoto Moment

On April 28, 2026, Mitchell Hashimoto — GitHub user number 1299, co-founder of HashiCorp, creator of Vagrant, Packer, Consul, Terraform, and Vault, one of the most prolific infrastructure engineers in the industry — posted that Ghostty was leaving GitHub. He had visited GitHub almost every day for over 18 years. His post described the decision as 'irrationally sad' but said the platform was no longer a place where he could 'get work done' and 'ship software.' He made a point that resonated across the developer community: the problem was not Git itself — the distributed version control system remained excellent. The problem was the surrounding infrastructure: issues, pull requests, GitHub Actions. The platform built around Git was failing.

GITHUB USER #1299: WHY THE NUMBER MATTERS

Mitchell Hashimoto is GitHub user #1299 — one of the earliest accounts on the platform, joined February 2008, three years after GitHub's 2005 founding. His departure is not symbolically significant because he is famous. It is symbolically significant because he is the kind of developer GitHub was built for: a serious, high-output infrastructure engineer who had chosen GitHub without question for 18 years. When the person who never had reason to question the platform starts questioning it, something has fundamentally changed.

257

Total incidents tracked between May 2025 and April 2026 by IncidentHub — roughly five per week, every week, for twelve months straight

Major outages in the same period, producing over 112 hours of total significant downtime across the platform

30x

The scale GitHub needed to design for by February 2026 — triple the 10x plan they had launched just four months earlier in October 2025

2,092

Pull requests silently reverted by the April 23 merge queue bug across 658 repositories — with no notification to affected developers

The Fix

The Engineering Response: Ruby to Go, Monolith to Services, Single Cloud to Multi-Cloud

GitHub's CTO Vlad Fedorov publicly outlined the engineering response in his April 28 blog post. The plan has three interlocking components, each targeting a different layer of the scaling problem. Together they represent one of the most significant architectural transformations GitHub has undertaken since its founding.

GitHub's five-layer engineering response to the agentic AI scaling crisis, as outlined by CTO Vlad Fedorov in April 2026

Problem Layer	Root Cause	GitHub's Fix
Language / Runtime	Ruby monolith has GIL (Global Interpreter Lock), limiting CPU parallelism — cannot efficiently use all available cores under high concurrency	Rewriting performance-critical services from Ruby to Go — Go's goroutine model handles massive concurrency without the GIL bottleneck
Infrastructure	Single-cloud (Microsoft Azure-only migration) creates concentrated failure risk and limits horizontal scaling options	Multi-cloud deployment strategy — 12.5% on Azure Central US in early 2026, targeting 50% by July 2026 with additional cloud providers
Service Isolation	A single PR cascades through 10+ interconnected subsystems — Git storage, Actions, search, notifications, permissions, webhooks — so any bottleneck in one propagates to all	Isolating critical services (Git and Actions especially) into independent failure domains so a degradation in one subsystem cannot cascade to others
Capacity Planning	10x scaling plan (October 2025) became obsolete by February 2026 as AI agent traffic doubled the required headroom	30x capacity design — automated scaling for agent-driven burst load patterns rather than human-paced steady-state assumptions
Feature Safety	April 23 merge queue regression was caused by an incomplete feature flag that allowed a new code path to activate without full safeguards	Strengthened feature flag discipline — no code path that affects data integrity ships without complete flag protection and staged rollout verification

Why the Ruby-to-Go Rewrite Is the Right Call

Ruby served GitHub extraordinarily well for 18 years. It enabled rapid product development, contributed to GitHub's culture, and its Rails framework made the web application layer elegant and maintainable. But Ruby's Global Interpreter Lock (GIL) is a fundamental constraint: even on a 64-core server, a Ruby process can only execute one thread of Ruby code at a time. For human-paced web traffic, this limitation is manageable. For AI agent workflows that generate thousands of concurrent operations, the GIL is a hard ceiling. Go's goroutine model — lightweight threads managed by the Go runtime that can run across all available CPU cores without a GIL — is architecturally suited for exactly the concurrency profile that AI agents create. The rewrite is not about language preference. It is about physics.

The Structural Diagnosis: Agents Are Not Billed Like Agents

A deeper structural problem underlies the engineering crisis: GitHub's business model was designed for humans, and its pricing reflects human-scale consumption. A developer on a free GitHub account generates some commits, a few CI runs, and a handful of API calls per day. An AI agent on the same account can generate hundreds of commits, dozens of PRs, thousands of Actions minutes, and tens of thousands of API calls in a single afternoon. The infrastructure cost per 'user' has fundamentally changed, but the pricing model has not yet caught up. As one engineer put it plainly: GitHub's Octoverse 2025 report celebrated nearly 1 billion commits and 36 million new developers. But the 2026 numbers aren't being driven by 36 million new developers showing up. They're being driven by agents that treat GitHub's API like a utility — which it basically is, except utilities charge for consumption.

83 INCIDENTS FROM CAPACITY FAILURES ALONE

83 of GitHub's 257 incidents between May 2025 and April 2026 were caused by load and capacity problems — with indications that many services did not have automatic scaling configured, requiring manual intervention to add capacity during surges. This means that dozens of times, engineers had to notice the problem, escalate it, and manually provision resources before the platform could recover. Automated capacity scaling for burst load is not optional infrastructure. For a platform being consumed by AI agents, it is the minimum viable reliability architecture.

The CVE-2026-3854 Problem: Reliability and Security Compounding

The April week that prompted Hashimoto's departure also included a critical security disclosure: CVE-2026-3854, a CVSS 8.7 remote code execution vulnerability in GitHub's internal Git layer. The flaw allowed an attacker to inject extra header fields via a malformed git push and execute code as the Git service user. GitHub.com was patched within six hours of disclosure. GitHub Enterprise Server patches were released. But Wiz reported that 88% of self-hosted GitHub Enterprise Server instances remained unpatched at time of publication. A platform under reliability stress is also a platform whose administrators are too busy managing incidents to maintain their security posture — the two crises compound each other.

Architecture

GitHub's architecture evolved over 18 years around a core assumption: the unit of load is a human developer. A human opens a PR, waits for review, pushes a few commits, and merges. The platform's service graph — its Git storage layer, its mergeability computation engine, its branch protection evaluation system, its Actions job dispatch queue, its search indexer, its notification fan-out, its webhook delivery pipeline, its permission evaluation layer, its API gateway — was sized and coupled around this human-paced access pattern. Every service in the chain was both a dependency and a dependency of every other service. This architecture was efficient and made GitHub easy to reason about for years.

AI agents broke the architecture's fundamental assumption. An agent doesn't open a PR and wait. An agent opens 50 PRs in parallel, each triggering the full service chain simultaneously. At scale, this creates a concurrency storm that amplifies through every layer of the graph. GitHub CTO Vlad Fedorov described it precisely: a single PR touches Git storage, mergeability checks, branch protection, Actions, search, notifications, permissions, webhooks, APIs, background jobs, caches, and databases. When the number of concurrent PRs scales 4x in six months, the pressure on every one of those systems scales accordingly — and the interconnected failures begin.

A Single GitHub PR: The 10+ Subsystems It Touches

flowchart TD pr["AI Agent Opens PR"] pr --> git["Git Storage\n(commit objects, pack files)"] pr --> merge["Mergeability Engine\n(conflict detection)"] pr --> bp["Branch Protection\n(rule evaluation)"] pr --> actions["GitHub Actions\n(CI job dispatch)"] pr --> search["Search Indexer\n(Elasticsearch update)"] pr --> notif["Notification Fan-out\n(email, web, mobile)"] pr --> perm["Permission Layer\n(repo access check)"] pr --> webhook["Webhook Delivery\n(external integrations)"] pr --> api["API Gateway\n(rate limit tracking)"] pr --> jobs["Background Jobs\n(async processing queue)"] pr --> cache["Cache Invalidation\n(repo metadata)"] pr --> db["Database Writes\n(PR state, comments)"] style pr fill:#24292f,color:#ffffff style actions fill:#ef4444,color:#ffffff style search fill:#ef4444,color:#ffffff

GitHub Actions: Weekly Compute Minutes — The AI Agent Surge

xychart-beta title "GitHub Actions Weekly Compute Minutes" x-axis ["2023", "2024", "H1 2025", "Dec 2025", "Early 2026"] y-axis "Minutes (Millions)" 0 --> 2200 bar [500, 750, 1000, 1500, 2100]

THE RUBY GIL: WHY THE MONOLITH COULDN'T SCALE

Ruby's Global Interpreter Lock (GIL) is a mutex that prevents multiple threads from executing Ruby code simultaneously in the same process. For human-paced web traffic — where a request comes in, does some database work, and returns a response — the GIL is rarely the bottleneck. For AI agent traffic — where thousands of operations arrive concurrently and each one fans out across dozens of internal services — the GIL becomes a hard ceiling. Even on a 64-core server, a Ruby process can use exactly one core at a time for Ruby execution. The fix isn't optimization. It's a different runtime. Go's goroutine scheduler runs across all available CPU cores without a GIL, making it architecturally suited for the concurrency profile that AI agent workflows generate. GitHub's Ruby-to-Go migration for performance-critical services is the right move — not as a language preference, but as a physics constraint.

The Azure Migration Timing Problem

GitHub began migrating traffic to Azure as part of its Microsoft integration — 12.5% of all traffic on Azure Central US in early 2026, with a target of 50% by July 2026. Running this migration simultaneously with a 30x capacity redesign and a Ruby-to-Go rewrite is an extraordinary amount of concurrent infrastructure transformation. Each of these projects is a multi-year undertaking at GitHub's scale. Running all three in parallel reduces the blast radius of each individual change — but increases the cognitive load and coordination complexity for the engineering teams managing them. The timing was not chosen; it was forced by the speed of the AI agent traffic explosion.

Lessons

GitHub's reliability crisis is not a story about a company making engineering mistakes. It's a story about a platform being asked to do something it was never designed for — at a speed that outpaced any reasonable capacity planning horizon. The lessons are as much about the nature of AI agent infrastructure demands as they are about reliability engineering practice.

Your platform's capacity model must be built around its actual consumers — not its original consumers. GitHub was built for human developers. AI agents consume infrastructure at orders of magnitude greater intensity. Any platform that introduces AI-native workflows must remodel its capacity assumptions from scratch, not incrementally adjust from the human baseline.

are not optional for infrastructure that handles data integrity. The April 23 merge queue bug — which silently reverted 2,092 pull requests — was caused by an incomplete feature flag. A complete feature flag would have allowed engineers to disable the affected code path instantly without a full redeployment. For any code path that touches data that developers trust as immutable, flag protection is not a best practice. It is the minimum viable safety mechanism.

A monolith that can't be incrementally scaled will become a single point of failure at sufficient scale. GitHub's Ruby monolith served the platform for 18 years because human-paced traffic was bounded enough that the GIL's concurrency limit never became the primary bottleneck. AI agents removed that bound. The architectural lesson is not that monoliths are bad — it's that every architectural decision encodes assumptions about scale, and those assumptions must be revisited when the scale changes fundamentally.

When critical services are deeply coupled — when a PR touches Git storage, Actions, search, notifications, permissions, and webhooks in a single chain — a failure in any one component becomes a failure across all components. Service isolation is not premature optimization. It is the prerequisite for containing blast radius at scale. GitHub's commitment to isolating Git and Actions into independent failure domains is the architectural move that will have the most long-term impact on reliability.

Trust is the asset that reliability engineering protects. Mitchell Hashimoto didn't leave GitHub because of the April 27 Search outage alone. He left because 257 incidents over 12 months had eroded confidence in the platform as a reliable foundation for serious work. Reliability is not measured in individual incident severities — it is measured in the cumulative effect of failures on whether people trust the platform to do what it says it did. The merge bug's silent revert made this unmistakably concrete.

The Availability-First Mandate

GitHub's leadership response to the crisis was to shift from a growth-at-all-costs philosophy to an availability-first mandate. This means engineering prioritization changes: new feature work is deprioritized relative to stability improvements, scaling infrastructure, and incident remediation. The availability-first mandate is the organizational signal that GitHub recognizes the seriousness of the reliability debt it has accumulated. Whether the engineering plans — Ruby-to-Go, service isolation, 30x capacity, multi-cloud — can be executed faster than the AI agent traffic continues to grow is the open question that will define GitHub's next two years.

WHAT EVERY DEVELOPER SHOULD DO RIGHT NOW

GitHub's instability has a practical implication for every engineering team: treat GitHub as important infrastructure, not invisible infrastructure. Map your team's GitHub dependency surface — CI/CD pipelines, registry mirrors, source-of-truth, identity flows, Actions runners. Know which of your deployments would be blocked if GitHub Actions was degraded for four hours. Have a runbook for 'GitHub is down' that doesn't end with 'wait for GitHub to come back.' Independent CI mirroring, artifact registries with fallback paths, and local Git mirrors of critical dependencies are not paranoia — they are the appropriate response to a platform that has demonstrated it will have five major incidents per week for a year.

GitHub spent 18 years building the platform where the world's code lives, survived Microsoft's acquisition, launched Copilot, and made developers 10x more productive — and then the thing that broke it was all those developers becoming 100x more productive using Copilot. The platform that accelerated AI-assisted development got outrun by AI-assisted development. There is probably a lesson in there somewhere about building infrastructure for the world you are creating, not the world you came from.TechLogStack — built at scale, broken in public, rebuilt by engineers