JovieInc/Jovie GitHub Actions scorecardPublic GitHub Actions data, last 30 days. Updated 7/11/2026, 5:16:14 AM.
Data sourced from public GitHub. GitSpider is not affiliated with or endorsed by this repository's owners. Request removal.
Biggest wins first, each with the exact config fix.
Security ScanningAdd a `concurrency:` block keyed on branch to cancel superseded runs when devs push twice quickly.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: trueMerge Queue Auto-EnrollConcurrency group has no `cancel-in-progress: true`, so superseded runs queue instead of cancelling. Add it to supersede stale runs.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: trueCITests run under an auto-retry wrapper — each retry re-bills the same minutes and masks the flaky tests it papers over. Track, fix or quarantine the flakes, then drop the wrapper.
Dependabot Auto-MergeAdd a `concurrency:` block keyed on branch to cancel superseded runs when devs push twice quickly.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: trueDependabot Auto-MergeNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15CodeQL Security AnalysismacOS bills ~10× and Windows ~2× a Linux minute. The cost estimate above assumes Linux, so your real spend is higher. Move any job that doesn't need them to `ubuntu-latest`.
jobs:
build:
runs-on: ubuntu-latest # ~10x cheaper than macos-latestCodeQL Security AnalysisThe schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latestClaude CodeNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Claude Codecheckout fetches the entire git history every run (`fetch-depth: 0`) and nothing in the workflow appears to read it. Remove the line — the default shallow clone is much faster on big repos. Keep it if a step genuinely needs history.
- uses: actions/checkout@v4
# fetch-depth: 0 removed — default shallow clone is enough hereSecurity ScanningNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Security ScanningThe schedule fires at minute :00 — GitHub's peak window, where scheduled runs get delayed or skipped. Shift to any other minute for the same cadence with less contention.
on:
schedule:
- cron: '53 6 * * *' # was '0 6 * * *' — any non-:00 minute avoids the herdSecurity Scanningcheckout fetches the entire git history every run (`fetch-depth: 0`) and nothing in the workflow appears to read it. Remove the line — the default shallow clone is much faster on big repos. Keep it if a step genuinely needs history.
- uses: actions/checkout@v4
# fetch-depth: 0 removed — default shallow clone is enough hereScope Judgecheckout fetches the entire git history every run (`fetch-depth: 0`) and nothing in the workflow appears to read it. Remove the line — the default shallow clone is much faster on big repos. Keep it if a step genuinely needs history.
- uses: actions/checkout@v4
# fetch-depth: 0 removed — default shallow clone is enough hereAuto-PR on Agent Push`upload-artifact` has no `retention-days`, so artifacts keep up to 90 days (storage cost). Set e.g. `retention-days: 7`.
- uses: actions/upload-artifact@v4
with:
name: build
path: dist/
retention-days: 7Fork PR GateRuns on every push/PR with no `paths:` filter, so docs-only changes still trigger full CI. Add a `paths:` filter if that's common.
on:
pull_request:
paths:
- 'src/**'
- 'package.json'Agent PR Verify Readycheckout fetches the entire git history every run (`fetch-depth: 0`) and nothing in the workflow appears to read it. Remove the line — the default shallow clone is much faster on big repos. Keep it if a step genuinely needs history.
- uses: actions/checkout@v4
# fetch-depth: 0 removed — default shallow clone is enough hereCI Branching GuardSet `cache: 'pnpm'` on your `actions/setup-node` step, or add an `actions/cache@v4` step keyed on your lockfile.
- uses: actions/setup-node@v4
with:
node-version: 20
cache: 'pnpm'Slop GateNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Brand ScrubNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Merge Queue Auto-EnrollNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Merge Queue Auto-EnrollRuns on every push/PR with no `paths:` filter, so docs-only changes still trigger full CI. Add a `paths:` filter if that's common.
on:
pull_request:
paths:
- 'src/**'
- 'package.json'Claude Review (gbrain-aware)checkout fetches the entire git history every run (`fetch-depth: 0`) and nothing in the workflow appears to read it. Remove the line — the default shallow clone is much faster on big repos. Keep it if a step genuinely needs history.
- uses: actions/checkout@v4
# fetch-depth: 0 removed — default shallow clone is enough hereAuto-Ready Agent DraftsNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15PR Conflict HandlerNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Auto-Resolve Conflictscheckout fetches the entire git history every run (`fetch-depth: 0`) and nothing in the workflow appears to read it. Remove the line — the default shallow clone is much faster on big repos. Keep it if a step genuinely needs history.
- uses: actions/checkout@v4
# fetch-depth: 0 removed — default shallow clone is enough here# No concurrency control — applies to: Security Scanning, Dependabot Auto-Merge
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# Concurrency without cancel-in-progress — applies to: Merge Queue Auto-Enroll
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# No job timeout — applies to: Dependabot Auto-Merge, Claude Code, Security Scanning, Slop Gate, Brand Scrub, Merge Queue Auto-Enroll, Auto-Ready Agent Drafts, PR Conflict Handler
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15
# Premium runners (macOS / Windows) — applies to: CodeQL Security Analysis
jobs:
build:
runs-on: ubuntu-latest # ~10x cheaper than macos-latest
# Scheduled workflow runs in forks — applies to: CodeQL Security Analysis
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latest
# Full-history clone (fetch-depth: 0) — applies to: Claude Code, Security Scanning, Scope Judge, Agent PR Verify Ready, Claude Review (gbrain-aware), Auto-Resolve Conflicts
- uses: actions/checkout@v4
# fetch-depth: 0 removed — default shallow clone is enough here
# Scheduled at the top of the hour — applies to: Security Scanning
on:
schedule:
- cron: '53 6 * * *' # was '0 6 * * *' — any non-:00 minute avoids the herd
# Artifacts at default retention — applies to: Auto-PR on Agent Push
- uses: actions/upload-artifact@v4
with:
name: build
path: dist/
retention-days: 7
# No path filters on triggers — applies to: Fork PR Gate, Merge Queue Auto-Enroll
on:
pull_request:
paths:
- 'src/**'
- 'package.json'
# Missing dependency cache (pnpm) — applies to: CI Branching Guard
- uses: actions/setup-node@v4
with:
node-version: 20
cache: 'pnpm'Each snippet is representative — merge into the named workflow files rather than pasting wholesale.
This scorecard is a one-time snapshot. Install the free GitHub App to track this repo continuously: new regressions caught as they land, trends over time, on your public and private repos. Team adds the offending commit on the PR + Slack alerts.
Install & monitor this repo →Not ready to install? Get this report by email. No spam, unsubscribe anytime.