Orca Security × Mergify

Discover how Orca Security uses Mergify to secure their main branch and increase developer velocity while improving engineers' lives.

Summary

Challenges

  • Increase developer velocity.
  • Secure the code.
  • Improve traceability.

Solution

  • Merge Queue.
  • Batches.
  • Priority Management.

Results

  • "Merge infinitely more pull requests": up to 50 a day.
  • Ease developers' lives and reduce frustration for the team.
  • No more broken code, let alone code left broken for days.

Who's Orca Security?

For companies that run all their deployments in the cloud, Orca Security provides a single SaaS-based cloud security platform covering workload and data protection as well as cloud security posture management, vulnerability management, and compliance management. Orca Security is agentless and frictionless, avoiding interference with production components.
The company employs more than 400 people, half of whom are developers, primarily based in Tel Aviv, Israel. Orca Security also has offices in Belarus and Ukraine.

Orca Security Before Using Mergify

A few years ago, Orca Security moved its mono-repo to GitHub. The move was motivated by the services GitHub offers and, more particularly, its CI tooling. The promise was simple: you develop, you create a pull request, you run the CI tests, you approve the pull request, and then it is merged.

But once the pull request was merged, they still had to run a quality gate on the new content merged into the main branch. Sometimes that gate failed.

While the workflow scaled well enough for a team of 20 people, it became hard to maintain when the team reached 50 and then 100 people. Working on a mono-repo means every developer pushes changes to the same, single repository, and they were aware that the chances of breaking it were incredibly high.

The result was broken code caused by conflicts with the main branch, merging outdated pull requests, and dependencies between pull requests not being respected.

Once the main branch was broken, they had to find which pull request broke it and who owned that pull request. This made root-cause tracking difficult and wasted a great deal of time, since it happened several times a day.

This workflow started to annoy the team.

On good days, we can merge up to 50 PRs a day. And by a day, I mean working hours. Infinitely more than before, because without Mergify we had incredibly high chances of breaking the code with 50 PRs.

John Basila - Senior Software Engineer

How did they face the problem?

To avoid this, Orca Security tried to add more quality gates on the developers' side. That crippled them, and their developer velocity crashed.

Fond of building systems, John started to look at how other companies, such as Facebook or Google, managed their mono-repos. He found that at the time Facebook merged pull requests first and then ran the quality gates. If those gates failed, they hunted down the single pull request that caused the problem, reverted that code, and notified its author. Not a satisfying approach.

Deepening his research, John discovered an open-source project called Bors. The promise was exciting. They tried to use it, but ran into many issues, from missing features such as handling squashed pull requests to the struggle of integrating Bors with GitHub. They wanted more. At the end of the day, they ended up with closed pull requests rather than merged ones.

Moreover, as an open-source project, Bors does not come with a managed service. To use Bors efficiently, they would have had to create and staff a dedicated team, which is neither their expertise nor their job. This was not a cost-efficient option for Orca Security, since it would have required two full-time engineers to maintain the system.

Orca Security wanted to rely on a managed service backed by an expert team. That is how they discovered Mergify. A developer from Orca was in charge of evaluating alternatives and building a proof of concept.

After building one with Mergify, it became clear that Mergify had the best set of features and worked without friction.

The change in developers' lives is amazing. When the code was broken, maybe half of the company was hunting the problem and looking for a solution. Now Mergify automatically finds the faulty PR and sends it back to the owner.
Now the developers just code, create a PR, slap the “Merge” label and then focus on another task. They will be notified if the PR is merged or disembarked.

John Basila - Senior Software Engineer

Orca Security's workflow with Mergify

Orca Security has two workflows that sanitize code before it enters the main branch, and both run through Mergify.

Their process is relatively lean: you create a branch, then a pull request, you get it approved, and once satisfied with your pull request, you add a merge label to it. At this point, Mergify takes control of the pull request. Mergify's bot adds the pull request to the merge queue and tests it against the main branch. The pull request is merged if it passes all the tests and checks.

Orca Security could nearly do this with Jenkins alone, but only one pull request at a time. Since their CI run took more than an hour, that was unappealing: in the best case, they could merge 24 pull requests per day.

Thanks to Mergify, its merge queue, and its batch feature, Orca Security can now test and merge up to 16 pull requests in one hour, in a single batch.

Without Mergify, once the main branch was broken it could take a few days to fix it. And a few hours to break it again. With Mergify, all the problematic PRs are just automatically removed from the queue and will not break the code anymore. The sanitization is done before entering the main branch.

John Basila - Senior Software Engineer

Increase developer velocity, secure the code, and simplify developers' lives with Mergify.

Orca Security no longer cares if there are failures at DockerHub or GitHub and the queue starts to fill up. They know that when everything is fixed, Mergify will merge all the pull requests, and the queue will be empty within a few hours.

On good days, at the end of a sprint, for example, Orca Security can merge up to 50 pull requests per day, and only during working hours. According to John, it is "infinitely more than before" because, without Mergify, there was an incredibly high chance of breaking the code with 50 pull requests.

Another feature helps them a lot: the event log, a game changer for pull request traceability and for visibility into what is happening. For example, if the queue is stuck, they spot the problem using the event log and quickly understand what happened.

Orca Security also uses priority management. Most of the time everything flows smoothly, but sometimes a critical pull request needs to be handled and merged first. Orca Security can set its priority so that the queue focuses on this particular pull request ahead of the others.
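To make the queueing model described above concrete (label to queue, batched CI against main, faulty PRs bisected out and "disembarked", priority jumping the queue), here is an added toy simulation. It is not Mergify's code and makes no claim about Mergify's internal algorithm; `PR`, `run_ci`, `bisect_failures` and `process_queue` are names invented for this example, and the CI outcome is a constructed flag on each PR.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PR:
    number: int
    breaks_build: bool = False  # constructed: does this PR fail CI when tested against main?
    priority: int = 0           # higher values are dequeued first (like a priority label)

def run_ci(batch):
    """Simulated CI run on a batch merged together on top of main.
    The batch passes only if no PR in it breaks the build."""
    return not any(pr.breaks_build for pr in batch)

def bisect_failures(batch):
    """Return (failing PRs, CI runs used). A green batch costs one run; a red batch
    is halved recursively so each bad PR is isolated in about log2(n) extra runs."""
    if run_ci(batch):
        return [], 1
    if len(batch) == 1:
        return list(batch), 1
    mid = len(batch) // 2
    left, left_runs = bisect_failures(batch[:mid])
    right, right_runs = bisect_failures(batch[mid:])
    return left + right, 1 + left_runs + right_runs

def process_queue(prs, batch_size=16):
    """Drain the queue in batches; return (merged numbers, disembarked numbers, CI runs).
    Sorting is stable, so PRs keep FIFO order within the same priority."""
    queue = sorted(prs, key=lambda p: -p.priority)
    merged, disembarked, ci_runs = [], [], 0
    while queue:
        batch, queue = queue[:batch_size], queue[batch_size:]
        bad, runs = bisect_failures(batch)
        ci_runs += runs
        bad_numbers = {p.number for p in bad}
        disembarked += sorted(bad_numbers)           # sent back to their owners
        merged += [p.number for p in batch if p.number not in bad_numbers]
    return merged, disembarked, ci_runs

if __name__ == "__main__":
    sample = [PR(1), PR(2, breaks_build=True), PR(3), PR(4, priority=1)]
    print(process_queue(sample, batch_size=3))
```

With one bad PR in a batch the queue still merges the good ones after a handful of CI runs, whereas a batch of 16 clean PRs is merged with a single run, which is where the "16 pull requests in one hour" figure comes from.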
