DFE-Digital/single-unique-identifier GitHub Actions scorecardPublic GitHub Actions data, last 30 days. Updated .
Data sourced from public GitHub. GitSpider is not affiliated with or endorsed by this repository's owners. Request removal.
Biggest wins first, each with the exact config fix.
TruffleHog Secret ScanAdd a `concurrency:` block keyed on branch to cancel superseded runs when devs push twice quickly.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: trueTrivy IaC ScanAdd a `concurrency:` block keyed on branch to cancel superseded runs when devs push twice quickly.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: trueTrivy Repository ScanAdd a `concurrency:` block keyed on branch to cancel superseded runs when devs push twice quickly.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: trueTruffleHog Deep Secret ScanAdd a `concurrency:` block keyed on branch to cancel superseded runs when devs push twice quickly.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: trueTrivy Repository ScanNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Trivy Repository ScanThe schedule fires at minute :00 — GitHub's peak window, where scheduled runs get delayed or skipped. Shift to any other minute for the same cadence with less contention.
on:
schedule:
- cron: '27 0 * * *' # was '0 0 * * *' — any non-:00 minute avoids the herdTrivy Repository ScanThe schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latestTruffleHog Secret ScanNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15TruffleHog Secret ScanRuns on every push/PR with no `paths:` filter, so docs-only changes still trigger full CI. Add a `paths:` filter if that's common.
on:
pull_request:
paths:
- 'src/**'
- 'package.json'TruffleHog Secret Scancheckout fetches the entire git history every run (`fetch-depth: 0`) and nothing in the workflow appears to read it. Remove the line — the default shallow clone is much faster on big repos. Keep it if a step genuinely needs history.
- uses: actions/checkout@v4
# fetch-depth: 0 removed — default shallow clone is enough hereTrivy IaC ScanNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Trivy IaC ScanRuns on every push/PR with no `paths:` filter, so docs-only changes still trigger full CI. Add a `paths:` filter if that's common.
on:
pull_request:
paths:
- 'src/**'
- 'package.json'TruffleHog Deep Secret ScanNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15TruffleHog Deep Secret ScanThe schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latestTruffleHog Deep Secret Scancheckout fetches the entire git history every run (`fetch-depth: 0`) and nothing in the workflow appears to read it. Remove the line — the default shallow clone is much faster on big repos. Keep it if a step genuinely needs history.
- uses: actions/checkout@v4
# fetch-depth: 0 removed — default shallow clone is enough hereTerraform UI HarnessNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Build, Test, Deploy: "UI Test Harness" SolutionNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Build, Test, Deploy: "Auth Emulator" SolutionNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15# No concurrency control — applies to: TruffleHog Secret Scan, Trivy IaC Scan, Trivy Repository Scan, TruffleHog Deep Secret Scan
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# No job timeout — applies to: Trivy Repository Scan, TruffleHog Secret Scan, Trivy IaC Scan, TruffleHog Deep Secret Scan, Terraform UI Harness, Build, Test, Deploy: "UI Test Harness" Solution, Build, Test, Deploy: "Auth Emulator" Solution
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15
# Scheduled at the top of the hour — applies to: Trivy Repository Scan
on:
schedule:
- cron: '27 0 * * *' # was '0 0 * * *' — any non-:00 minute avoids the herd
# Scheduled workflow runs in forks — applies to: Trivy Repository Scan, TruffleHog Deep Secret Scan
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latest
# No path filters on triggers — applies to: TruffleHog Secret Scan, Trivy IaC Scan
on:
pull_request:
paths:
- 'src/**'
- 'package.json'
# Full-history clone (fetch-depth: 0) — applies to: TruffleHog Secret Scan, TruffleHog Deep Secret Scan
- uses: actions/checkout@v4
# fetch-depth: 0 removed — default shallow clone is enough hereEach snippet is representative — merge into the named workflow files rather than pasting wholesale.
This scorecard is a one-time snapshot. Install the free GitHub App to track this repo continuously: new regressions caught as they land, trends over time, on your public and private repos. Team adds the offending commit on the PR + Slack alerts.
Install & monitor this repo →Not ready to install? Get this report by email. No spam, unsubscribe anytime.