Eli Lilly built simpler, more secure, and more performant developer environments and cloud pipelines using GitHub services like GitHub Actions and GitHub Codespaces. By turning on Codespaces enterprise-wide, the company reaped the security benefits of isolated computing environments. It improved developer experience, slashed cloud costs, and accelerated developer onboarding time from two weeks to 15 minutes. Eli Lilly also replaced an old and inefficient deployment pipeline with a faster, more secure option using Actions and OpenID Connect (OIDC), reducing deployment times from 15 minutes to three minutes.
Chris Johnson, Technical Lead at Eli Lilly, explains how you can apply the same strategies in your own organization to improve security, increase efficiency, and optimize developer happiness.
In this video, you will learn:
How to both simplify and accelerate your existing processes with GitHub Actions and Codespaces.
Why using isolated computing instances in Codespaces improves security.
How you can accelerate your onboarding times.
Video Transcript
Chris Johnson: Hi, my name is Chris Johnson. I'm a tech lead at Eli Lilly and Company. And one of the things that I'm very passionate about is creating new solutions to help simplify processes, and that's why I'm really excited to share with you the benefits that Lilly has seen in adopting GitHub services. It really has simplified our existing processes and made everything easier to manage. It was also surprisingly easy for us to get started and roll out these services for our users, and I'm wanting to show you how it can help reduce your enterprise headaches as well.
[00:00:37] Now, some background on Eli Lilly and Company. Lilly was founded over 146 years ago in Indianapolis, and it's still headquartered there today. We have more than 36,000 employees worldwide and have research and manufacturing sites in more than seven countries with our products marketed in over 120 countries in the world. If you'd like to learn more, go to Lilly.com. I wanted to highlight this first, because GitHub's security model and repository hierarchy structure has allowed Lilly to easily enable new services that GitHub has launched. The reason being is that most of the new services inherit this base security model, which allows for user ownership and a greater level of autonomy. As we evaluate new GitHub services that launch, it's been far easier for Lilly to adopt them when they inherit this base security structure.
[00:01:26] Now for Codespaces, it just launched over a year ago, and we enabled it across our entire enterprise as soon as it launched. Delivering a solution that offered isolated ephemeral cloud computing has been a major challenge for Lilly in the last few years, to stand up securely across our whole enterprise. Because of Codespace's security model, the isolated ephemeral compute inside GitHub's Cloud was a major win with our information security team. This provided a remote development environment external to Lilly, where packages and libraries could be installed, which weren't being installed locally on Lilly-connected devices. Access to Codespaces was also managed through a mix of organizational controls and the inherited security model for the repositories. It offered a simple self-service solution to a problem that Lilly has struggled with since we were moving to the cloud. And the value we saw with Codespaces came immediately. And from our research IT organization, they went from two weeks of onboarding a new developer to a project, down to just 15 minutes.
[00:02:25] Our research organization had stood up their own cloud compute offerings before, but when Codespaces was available, they immediately switched over and they saw better development experience, reduced cloud costs, and no more worrying about the cloud infrastructure maintenance or those headaches with that. We also found value for Codespaces in the area that we didn't think of initially, which was working with our external contractors. Previously, we would've had to onboard them to Lilly, set up and manage a special compute environment, which was also costly and required a lot of maintenance. This was not a great developer experience for our contractors working with Lilly. But, thanks to Codespaces, we've been able to retire those existing development environments and have them use and deliver their work directly through Codespaces.
[00:03:11] Now Dependabot and GitHub advanced security have been absolutely critical in our mission to protect Lilly with these services being enabled for our entire organization. It gave us insights into vulnerabilities for our internal projects since enabling these features organization-wide. We've worked very closely with GitHub as our partner in how to troubleshoot and remediate some of these vulnerabilities at scale. We partnered with GitHub through their fast track program and it's given us a great deal of insight and suggested patterns as well that we've implemented to get a better handle on managing our 17,000 repositories. Security is always an ongoing journey, and having GitHub as a partner has really helped in reducing our threat landscape.
[00:03:55] Now, as a software engineer, we show value by delivering solutions to our customers. Lilly's gone through a few iterations of internal cloud pipeline to help standardize and accelerate our users to deliver their solutions faster to their customers. When working in a central IT services for a large organization such as Lilly, we've taken on the mindset of the customer of my customer, and we work to make sure that our customers look good and deliver value to their customers so that we all succeed together.
[00:04:26] Our partnership with GitHub has made it so easy on us to deliver value to our internal customers, and this is seen especially in GitHub Actions. When we look at our first cloud pipeline, we are running this through an on-premise Jenkins server that was pushing changes into multiple cloud accounts. The process was taking around 10 to 15 minutes for the jobs to start up and then another 10 minutes, depending on the size of it, to actually deploy to a specific cloud account for that project. Overall, this process was very managed, opinionated, and required a large amount of support to maintain and troubleshoot issues. There was also security concerns as well with this architecture. And with those issues, we promptly shut down our cloud pipeline in favor of cloud pipeline version two.
[00:05:11] Our cloud pipeline V2 was a more cloud native approach to setting up pipelines that would connect back into GitHub. It was more self-service, less opinionated than the first. We also provided ourselves a lot of starter templates for our users to help streamline some of their cloud security practices. We saw a lot better performance around deployments, which were now only taking around 10 to 15 minutes on average.
[00:05:37] There was still less for us to maintain, but it still required the main pipeline to be maintained and updated for major versions, and a lot of consulting on how to actually use it. Now, Lilly has a lot of different hosting options as different parts of our business have different requirements and different vendors that we work with. So when we were looking forward from our pipeline V2, we realized it's very opinionated and it only works with one of our cloud providers. If we tried to scale and support other offerings, we would need to replicate that functionality in each cloud, which goes against these principles of staying dry or don't repeat yourself. When you find yourself repeating a solution, it's better to take a step back and refactor it. So that's exactly what we did.
[00:06:21] We took a step back and we looked to see what GitHub was offering for deployment to the cloud. Of course, it was Actions, but what was new in the Actions for this past year was GitHub Actions, OIDC provider. This solution was a major win for us, and with the collaboration of our cloud and our information security teams, we were able to roll this pattern out to all of our cloud accounts. This allowed for our developers to fully take advantage of the self-service model and deploy any way they want and to whichever cloud they want to, so long as it's all running through GitHub Actions. Our goal was to be less opinionated and reduce our amount of support needed for our cloud pipelines.
[00:07:05] With GitHub Actions, that's been extremely easy, and our developers are much happier using Actions. From our early performance results on projects that have migrated from our V2 pipeline to our new V3 Actions pipeline are pretty impressive. They've gotten down to an average of just three minutes per deployment compared to the 10 minutes that they were seeing on our average project size. And even our larger projects that were taking 20 minutes to deploy are also taking just three minutes to deploy, so our customers are delivering value faster.
[00:07:37] Working with GitHub and adopting the solutions that they have rolled out has given us a better development experience, faster deployments, a more secure environment, and significant cloud compute savings as well. As a larger organization, the ability to simplify and enable our developers is usually a challenge. However, where we've partnered with GitHub, they've made it extremely easy for us to deliver to our customers. Next year, we're going to be running a proof of concept for GitHub Copilot, and we're excited for Universe and to see what is coming up next for us to adopt. Where Lilly has partnered with GitHub, with Codespaces, Actions, and all their other services, we're very excited for the future. And thank you all for joining this session today.
