TL;DR — On 2026/6/22, GitHub suspended my account without warning for the second time. But this time was nothing like 4/29: the website update function never went down, the newsletter service I had been preparing launched successfully, and the deployment pipeline was not disrupted at all. paulkuo.tw kept running as though nothing had happened. The difference was a decoupled architecture I had spent two weeks rebuilding after the first incident. This was that resilient system’s real-world examination. It passed — but it also exposed a new blind spot.

▶ Listen to Summary
AI-synthesized voice, cloned from the author's own voice

On the afternoon of June 22nd, I was wrapping up the newsletter subscription feature for paulkuo.tw. The backend had already been deployed, end-to-end tests had all passed, and I had an AI sync progress to the project dashboard. That was when a warning appeared in the conversation window — that line of red text, familiar enough to be jarring, surfaced again:

Your account was suspended

GitHub had cut me off again.

Two months earlier, that same line had made it impossible for me to develop or publish normally for two full weeks. That day was 4/29, and I wrote a complete engineering post-mortem under Startup & the Super-Individual: my GitHub account had been suspended without warning, without a clear reason, and without prior notice. In that moment, everything — writing, version control, CI, deployment — nearly went down at once. I spent two weeks rebuilding a five-layer resilient architecture to restore normal operations.

This time the suspension was equally unannounced, but the outcome was different. My website update function did not go down. The newsletter launched successfully. The deployment pipeline was not blocked. paulkuo.tw kept running as though nothing had happened.

GitHub was no gentler this time. Same cold indifference, same sudden cutoff, same 403, same absence of prior notice. What was different was the system I had designed in between. When the first incident happened, that architecture did not yet exist. When the second incident happened, it successfully absorbed the impact of the GitHub suspension.

What Did the Second GitHub Suspension Actually Break — and What Did It Leave Intact?

After the suspension, I went through the system layer by layer to see what had been affected. What got blocked was primarily the “record and sync” category. The core processes responsible for “running and publishing” kept going.

After the 6/22 GitHub suspension, actual status of each layer of paulkuo.tw: red paths were disrupted by the account suspension; green paths bypassed GitHub and continued operating normally

In practice, three things were blocked: git push to the primary GitHub repository failed, project dashboard sync on GitHub was interrupted, and every operation that depended on GitHub identity — both command-line tools and API calls — returned 403 across the board.

But what continued to run was both more numerous and more consequential. Code was still being pushed to Codeberg and GitLab, two independent git hosts, completely unaffected. Work history commits were supposed to reach all three remotes; GitHub was blocked, but Codeberg and GitLab received them normally. The deployment pipeline ran via wrangler, pushing directly to Cloudflare using Cloudflare’s own token — no relationship to the GitHub account whatsoever. The website, newsletter, and APIs all ran normally on Cloudflare. The Notion mirror of the project dashboard was also fine, because it reads from files in the code repository, not from the GitHub API.

In the current architecture, functions bound to GitHub identity were naturally blocked; everything that does not pass through GitHub survived. That is what I spent two weeks rebuilding after 4/29.

Why Was Deployment Completely Unaffected This Time?

The lesson from 4/29 was this: many people think they are only keeping their code on GitHub, but in practice they have handed over their deployment lifeline as well.

My old deployment chain looked like this: push to GitHub, GitHub Actions gets triggered, Cloudflare Pages auto-deploys. Convenient, standard, seemingly clean. The problem was that GitHub Actions was the mandatory passage in that chain. The moment an account is suspended, the chain breaks in the middle. The code was on my own machine — but “publishing” was no longer under my control.

The first time I was suspended, I had the content, I had the files, I had the website — and I could not get any of it out. So when I rebuilt, I separated the deployment chain. The current flow: build locally, push directly to Cloudflare Pages via wrangler, using Cloudflare’s own API token. Not a single link in that chain requires GitHub to be alive.

As a result, even with the GitHub account suspended on 6/22, the newsletter’s backend and frontend were still deployed, validated, and launched on schedule. I actually went back to check the website’s status only after the account had been suspended: the subscription page was normal, the form was functional, and the mailing flow completed end to end. At that moment I had a clear sense of what decoupling actually means. Whether GitHub is online or not no longer determines whether my website can publish.

📊 Two Suspensions Compared

  • 4/29, First Suspension: Entire lifeline severed. Two weeks to rebuild; resumed publishing only then.
  • 6/22, Second Suspension: Zero website downtime. New feature launched on schedule that same day.
  • Between the two events: The five-layer decoupled architecture served as insurance when the second suspension hit.

But This Incident Also Exposed a Blind Spot I Had Not Covered

If the story ended here, it would simply be a case study in “I built a useful system.” But what a real incident illuminates is never only what you got right — it also surfaces the things you never thought of, and sometimes never even saw.

What this incident dug up was a link I had believed was covered by redundancy — and was not.

When I needed to sync progress out, I had two AI assistants working with different methods of connecting to GitHub. I had been treating them as two independent paths: if this one fails, there is still that one. When the GitHub account was suspended, both went down simultaneously. The reason, when stated plainly, is simple: the two AI sessions used different methods, but both ultimately needed to present “my GitHub account” as the credential to open the door. What GitHub suspended was the account identity itself — and naturally every tool using that account failed along with it.

A more concrete analogy: your kitchen has one tap, your bathroom has another. One day the kitchen tap runs dry, and you think, no problem, I will just use the bathroom — only to find the bathroom tap is also dry. Because behind the wall, both taps connect to the same main pipe, the same main valve. You never see the plumbing inside the wall, so you have always assumed they were two independent water sources. My two backup paths were those two taps.

This is called a same-source single point of failure — a form of false redundancy. It is more dangerous than having no backup at all, because it gives you a false sense of security. When you have no backup, you at least know you are exposed. False redundancy makes you believe you are wearing armor — until the moment you are hit, and you discover it was cardboard.

This incident made me see a larger problem: the more complex a system becomes, the deeper that “main pipe” is buried, and the harder it is to see. What we see are two taps, two tools, two options that appear independent — while somewhere out of sight they all connect to the same point. Not being able to see it does not mean it is not there. The dependencies you cannot see are often the most dangerous, precisely because you do not even know they will fail along with everything else.

The more problems a system must solve, the more complex it becomes. Every new service connected, every new tool added, puts a few more lines in the dependency graph behind it — and that graph is already too large for anyone to see in its entirety. This is what Normal Accident Theory, which I wrote about in the previous post, addresses: in a system that is sufficiently complex and tightly coupled, accidents will eventually happen. The only question is when. No one can see all the interconnections in advance, because the interconnections themselves keep growing as the system evolves.

And the risk of complexity tends to originate in the invisible coupling between nodes. A backup path you believe to be independent may share the same failure source as the primary path. The risk is not hidden inside the tools — it is hidden in the relationships between them.

Complexity itself is a concealed risk.

It also brings to mind a detail from the Three Mile Island accident: operators stared at an indicator light reading “command sent” and assumed the valve had closed — when in fact the valve was stuck open. The light was showing “I sent the instruction.” The valve’s actual state was a separate matter entirely. False redundancy is the same kind of illusion: it lets you see two paths, while those two paths share the same root that will break together.

Resilience Is Never Finished — It Is Validated by Reality, One Collision at a Time

The 4/29 incident taught me how to build a resilient architecture. The 6/22 incident taught me something different: drawing the architecture diagram is not enough, and completing the deployment is not the same as being done. It must be tested against reality before you know what is genuinely working and what only feels like it should be working.

This is the question I want to keep verifying under the Startup & the Super-Individual theme. Chaos engineering exercises matter, but an exercise is still a stress test you arrange yourself — however realistic, there is always a residual sense of knowing what comes next. A real incident is different. The 6/22 suspension had no advance notice, was not in my exercise playbook, and was not a test I had set up. It simply happened, and I had to respond immediately with the system I had at hand.

This time I came through: website, deployment, and newsletter all survived. But it also helped me identify a risk. I had believed two AI sessions constituted two independent backup paths. They shared a single identity source — which exposed an oversight in how I had assessed the architecture. The tools themselves were not the issue.

A resilient architecture, then, must be examined by the real world before its actual value is known. More importantly, each examination is an opportunity to update the blind-spot inventory. After the first incident, my list read: five-layer decoupling. After the second incident, I added a new line: multi-path redundancy requires not only counting the number of paths, but verifying that the failure sources are truly independent. A third incident, a fourth, will surely come — each one letting the system accumulate and evolve.

In the previous article I wrote: you should not entrust your lifeline to a single company and then claim to be free.

Two months later, my reflection is this: building a system is not the same as being free. What genuinely holds you up is the ability — when the system is tested by reality — to see the problem clearly, to change the structure, and to take back control.

Whether a third GitHub suspension is coming, I do not know. But this time I do know: when it comes, my system will be better equipped to absorb the blow.

As Alan Watts once said: “The only way to make sense out of change is to plunge into it, move with it, and join the dance.”

That red line may appear one more time. But the next time it does, my website will probably keep running — as though nothing has happened at all.