ah-ha-admin/ah-ha GitHub Actions scorecard

Public GitHub Actions data, last 30 days. Updated .

Data sourced from public GitHub. GitSpider is not affiliated with or endorsed by this repository's owners. Request removal.

892 min/mo
recoverable (~7% of CI time) · across 96 patterns · ≈$5/mo
Estimated from wall-clock time · public repos pay $0, $ = private-repo equivalent
See all 96 fixes, each with the exact YAML ↓
73.8%
failure rate, 30d
6h 20m
avg time to recover from a failure
70 workflows · 500 runs (16.7/day) · 13,090 CI-min (wall-clock) · ≈$79 at private-repo rates (30d)

Where the minutes go (30d)

CRDA Scan~4,320 min · 14 runs
StackHawk~2,880 min · 10 runs
build~2,880 min · 9 runs
or track on every push →

Waste detected

Biggest wins first, each with the exact config fix.

Docker build without layer cache · build

~864 min/mo · ≈$5/mo

The Docker build has no layer cache, so every run re-executes every layer from scratch. Add `cache-from: type=gha` / `cache-to: type=gha,mode=max` to the build step.

- uses: docker/build-push-action@v6
  with:
    cache-from: type=gha
    cache-to: type=gha,mode=max

Full guide: how to fix this →

Workflow failing almost every run · Docker

~7 min/mo

Fails or times out on nearly all recent runs, burning minutes to produce only red, and an always-red workflow usually gets ignored. Fix it, or disable the trigger until it's ready.

Full guide: how to fix this →

Workflow failing almost every run · CxFlow

~5 min/mo

Fails or times out on nearly all recent runs, burning minutes to produce only red, and an always-red workflow usually gets ignored. Fix it, or disable the trigger until it's ready.

Full guide: how to fix this →

Workflow failing almost every run · ESLint

~4 min/mo

Fails or times out on nearly all recent runs, burning minutes to produce only red, and an always-red workflow usually gets ignored. Fix it, or disable the trigger until it's ready.

Full guide: how to fix this →

Workflow failing almost every run · Anchore Grype vulnerability scan

~3 min/mo

Fails or times out on nearly all recent runs, burning minutes to produce only red, and an always-red workflow usually gets ignored. Fix it, or disable the trigger until it's ready.

Full guide: how to fix this →

Workflow failing almost every run · Sysdig - Build, scan, push and upload sarif report

~3 min/mo

Fails or times out on nearly all recent runs, burning minutes to produce only red, and an always-red workflow usually gets ignored. Fix it, or disable the trigger until it's ready.

Full guide: how to fix this →

Docker build without layer cache · Anchore Grype vulnerability scan

~1 min/mo

The Docker build has no layer cache, so every run re-executes every layer from scratch. Add `cache-from: type=gha` / `cache-to: type=gha,mode=max` to the build step.

- uses: docker/build-push-action@v6
  with:
    cache-from: type=gha
    cache-to: type=gha,mode=max

Full guide: how to fix this →

Workflow failing almost every run · Cloudrail

~1 min/mo

Fails or times out on nearly all recent runs, burning minutes to produce only red, and an always-red workflow usually gets ignored. Fix it, or disable the trigger until it's ready.

Full guide: how to fix this →

No concurrency control · Docker

~1 min/mo

Add a `concurrency:` block keyed on branch to cancel superseded runs when devs push twice quickly.

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

Full guide: how to fix this →

Missing dependency cache · ESLint

~1 min/mo

Set `cache: 'npm'` on your `actions/setup-node` step, or add an `actions/cache@v4` step keyed on your lockfile.

- uses: actions/setup-node@v4
  with:
    node-version: 20
    cache: 'npm'

Full guide: how to fix this →

Docker build without layer cache · Sysdig - Build, scan, push and upload sarif report

~1 min/mo

The Docker build has no layer cache, so every run re-executes every layer from scratch. Add `cache-from: type=gha` / `cache-to: type=gha,mode=max` to the build step.

- uses: docker/build-push-action@v6
  with:
    cache-from: type=gha
    cache-to: type=gha,mode=max

Full guide: how to fix this →

Missing dependency cache · NodeJS with Webpack

~1 min/mo

Set `cache: 'npm'` on your `actions/setup-node` step, or add an `actions/cache@v4` step keyed on your lockfile.

- uses: actions/setup-node@v4
  with:
    node-version: 20
    cache: 'npm'

Full guide: how to fix this →

Also found: 84 more config fixes with negligible recoverable minutes — timeouts, retention, path filters

No job timeout · .github/workflows/action.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · Anchore Grype vulnerability scan

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Scheduled workflow runs in forks · Anchore Grype vulnerability scan

~0 min/mo

The schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.

jobs:
  nightly:
    if: github.repository == 'owner/repo'
    runs-on: ubuntu-latest

Full guide: how to fix this →

No job timeout · .github/workflows/android.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · .github/workflows/apisec-scan.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Missing dependency cache · .github/workflows/autofix-ci.yml

~0 min/mo

`actions/setup-go@v4+` caches modules and build output by default, so upgrading to v4 or newer is the fix.

# actions/setup-go@v4+ caches modules and build output by default;
# upgrading to v4 or newer is the fix.
- uses: actions/setup-go@v5
  with:
    go-version: '1.22'

Full guide: how to fix this →

No job timeout · .github/workflows/autofix-ci.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

System packages reinstalled every run · .github/workflows/autofix-ci.yml

~0 min/mo

System packages install from the network on every run with no cache. Cache them (cache-apt-pkgs-action) or check whether the runner image already has the tool.

- uses: awalsh128/cache-apt-pkgs-action@latest
  with:
    packages: <your packages>
    version: 1.0

Full guide: how to fix this →

No job timeout · .github/workflows/azure-pipelines.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · C/C++ CI

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · CxFlow

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · Cloudrail

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Scheduled workflow runs in forks · Cloudrail

~0 min/mo

The schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.

jobs:
  nightly:
    if: github.repository == 'owner/repo'
    runs-on: ubuntu-latest

Full guide: how to fix this →

No job timeout · .github/workflows/cmake.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · Codacy Security Scan

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Scheduled workflow runs in forks · Codacy Security Scan

~0 min/mo

The schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.

jobs:
  nightly:
    if: github.repository == 'owner/repo'
    runs-on: ubuntu-latest

Full guide: how to fix this →

No job timeout · .github/workflows/codeql.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · CRDA Scan

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · Dart

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · Datree Workflow

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · .github/workflows/dependency-review.yaml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · Docker Image CI

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Docker build without layer cache · Docker Image CI

~0 min/mo

The Docker build has no layer cache, so every run re-executes every layer from scratch. Add `cache-from: type=gha` / `cache-to: type=gha,mode=max` to the build step.

- uses: docker/build-push-action@v6
  with:
    cache-from: type=gha
    cache-to: type=gha,mode=max

Full guide: how to fix this →

No job timeout · Docker

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No path filters on triggers · Docker

~0 min/mo

Runs on every push/PR with no `paths:` filter, so docs-only changes still trigger full CI. Add a `paths:` filter if that's common.

on:
  pull_request:
    paths:
      - 'src/**'
      - 'package.json'

Full guide: how to fix this →

No job timeout · .NET

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · ESLint

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Scheduled workflow runs in forks · ESLint

~0 min/mo

The schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.

jobs:
  nightly:
    if: github.repository == 'owner/repo'
    runs-on: ubuntu-latest

Full guide: how to fix this →

No job timeout · .github/workflows/ethicalcheck.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · Ruby Gem

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · Go

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Missing dependency cache · .github/workflows/gradle.yml

~0 min/mo

Set `cache: 'gradle'` on your `actions/setup-java` step, or add an `actions/cache@v4` step keyed on your build file.

- uses: actions/setup-java@v4
  with:
    distribution: 'temurin'
    java-version: '21'
    cache: 'gradle'

Full guide: how to fix this →

No job timeout · .github/workflows/gradle.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · .github/workflows/jekyll-gh-pages.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

cancel-in-progress on a deploy workflow · .github/workflows/jekyll-gh-pages.yml

~0 min/mo

This looks like a deploy/release workflow with `cancel-in-progress: true`, which cancels queued runs too — a queued deploy is silently dropped when a newer run arrives. Use a group-only `concurrency:` block on deploys.

concurrency:
  group: ${{ github.workflow }}
  # queued deploys run in order; none are dropped

Full guide: how to fix this →

No job timeout · Makefile CI

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · MobSF

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Scheduled workflow runs in forks · MobSF

~0 min/mo

The schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.

jobs:
  nightly:
    if: github.repository == 'owner/repo'
    runs-on: ubuntu-latest

Full guide: how to fix this →

No job timeout · MSBuild

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Premium runners (macOS / Windows) · MSBuild

~0 min/mo

macOS bills ~10× and Windows ~2× a Linux minute. The cost estimate above assumes Linux, so your real spend is higher. Move any job that doesn't need them to `ubuntu-latest`.

jobs:
  build:
    runs-on: ubuntu-latest  # ~10x cheaper than macos-latest

Full guide: how to fix this →

No job timeout · Microsoft C++ Code Analysis

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Artifacts at default retention · Microsoft C++ Code Analysis

~0 min/mo

`upload-artifact` has no `retention-days`, so artifacts keep up to 90 days (storage cost). Set e.g. `retention-days: 7`.

- uses: actions/upload-artifact@v4
  with:
    name: build
    path: dist/
    retention-days: 7

Full guide: how to fix this →

Premium runners (macOS / Windows) · Microsoft C++ Code Analysis

~0 min/mo

macOS bills ~10× and Windows ~2× a Linux minute. The cost estimate above assumes Linux, so your real spend is higher. Move any job that doesn't need them to `ubuntu-latest`.

jobs:
  build:
    runs-on: ubuntu-latest  # ~10x cheaper than macos-latest

Full guide: how to fix this →

Scheduled workflow runs in forks · Microsoft C++ Code Analysis

~0 min/mo

The schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.

jobs:
  nightly:
    if: github.repository == 'owner/repo'
    runs-on: ubuntu-latest

Full guide: how to fix this →

No job timeout · njsscan sarif

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Scheduled workflow runs in forks · njsscan sarif

~0 min/mo

The schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.

jobs:
  nightly:
    if: github.repository == 'owner/repo'
    runs-on: ubuntu-latest

Full guide: how to fix this →

No job timeout · .github/workflows/nowsecure-mobile-sbom.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Scheduled workflow runs in forks · .github/workflows/nowsecure-mobile-sbom.yml

~0 min/mo

The schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.

jobs:
  nightly:
    if: github.repository == 'owner/repo'
    runs-on: ubuntu-latest

Full guide: how to fix this →

No job timeout · .github/workflows/nowsecure.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · .github/workflows/ops.static-analysis.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · .github/workflows/ossar.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Premium runners (macOS / Windows) · .github/workflows/ossar.yml

~0 min/mo

macOS bills ~10× and Windows ~2× a Linux minute. The cost estimate above assumes Linux, so your real spend is higher. Move any job that doesn't need them to `ubuntu-latest`.

jobs:
  build:
    runs-on: ubuntu-latest  # ~10x cheaper than macos-latest

Full guide: how to fix this →

No job timeout · PSScriptAnalyzer

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Scheduled workflow runs in forks · PSScriptAnalyzer

~0 min/mo

The schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.

jobs:
  nightly:
    if: github.repository == 'owner/repo'
    runs-on: ubuntu-latest

Full guide: how to fix this →

Missing dependency cache · .github/workflows/publish.yaml

~0 min/mo

Set `cache: 'npm'` on your `actions/setup-node` step, or add an `actions/cache@v4` step keyed on your lockfile.

- uses: actions/setup-node@v4
  with:
    node-version: 20
    cache: 'npm'

Full guide: how to fix this →

No job timeout · .github/workflows/publish.yaml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · .github/workflows/pylint.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · .github/workflows/pysa.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Missing dependency cache · .github/workflows/python-app.yml

~0 min/mo

Set `cache: 'pip'` on your `actions/setup-python` step, or add an `actions/cache@v4` step keyed on your requirements/lock file.

- uses: actions/setup-python@v5
  with:
    python-version: '3.12'
    cache: 'pip'

Full guide: how to fix this →

No job timeout · .github/workflows/python-app.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · .github/workflows/python-package-conda.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · .github/workflows/python-publish.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · R

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Premium runners (macOS / Windows) · R

~0 min/mo

macOS bills ~10× and Windows ~2× a Linux minute. The cost estimate above assumes Linux, so your real spend is higher. Move any job that doesn't need them to `ubuntu-latest`.

jobs:
  build:
    runs-on: ubuntu-latest  # ~10x cheaper than macos-latest

Full guide: how to fix this →

No job timeout · .github/workflows/rubocop.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · Ruby on Rails CI

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · .github/workflows/rust-clippy.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Missing dependency cache · Rust

~0 min/mo

Add `Swatinem/rust-cache@v2` (the de-facto cargo cache), or an `actions/cache@v4` step keyed on `Cargo.lock`.

- uses: Swatinem/rust-cache@v2

Full guide: how to fix this →

No job timeout · Rust

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · Semgrep

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Scheduled workflow runs in forks · Semgrep

~0 min/mo

The schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.

jobs:
  nightly:
    if: github.repository == 'owner/repo'
    runs-on: ubuntu-latest

Full guide: how to fix this →

No job timeout · SOOS DAST Scan

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · StackHawk

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Scheduled workflow runs in forks · StackHawk

~0 min/mo

The schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.

jobs:
  nightly:
    if: github.repository == 'owner/repo'
    runs-on: ubuntu-latest

Full guide: how to fix this →

No concurrency control · Mark stale issues and pull requests

~0 min/mo

Add a `concurrency:` block keyed on branch to cancel superseded runs when devs push twice quickly.

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

Full guide: how to fix this →

No job timeout · Mark stale issues and pull requests

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Scheduled workflow runs in forks · Mark stale issues and pull requests

~0 min/mo

The schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.

jobs:
  nightly:
    if: github.repository == 'owner/repo'
    runs-on: ubuntu-latest

Full guide: how to fix this →

No job timeout · .github/workflows/static.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Missing dependency cache · .github/workflows/super-linter.yml

~0 min/mo

Set `cache: 'npm'` on your `actions/setup-node` step, or add an `actions/cache@v4` step keyed on your lockfile.

- uses: actions/setup-node@v4
  with:
    node-version: 20
    cache: 'npm'

Full guide: how to fix this →

No job timeout · .github/workflows/super-linter.yml

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · Sysdig - Build, scan, push and upload sarif report

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · build

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Scheduled workflow runs in forks · build

~0 min/mo

The schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.

jobs:
  nightly:
    if: github.repository == 'owner/repo'
    runs-on: ubuntu-latest

Full guide: how to fix this →

No job timeout · NodeJS with Webpack

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Copy every fix as one block (14 snippets, annotated per workflow)
# Docker build without layer cache — applies to: build, Anchore Grype vulnerability scan, Sysdig - Build, scan, push and upload sarif report, Docker Image CI
- uses: docker/build-push-action@v6
  with:
    cache-from: type=gha
    cache-to: type=gha,mode=max

# No concurrency control — applies to: Docker, Mark stale issues and pull requests
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Missing dependency cache (npm) — applies to: ESLint, NodeJS with Webpack, .github/workflows/publish.yaml, .github/workflows/super-linter.yml
- uses: actions/setup-node@v4
  with:
    node-version: 20
    cache: 'npm'

# No job timeout — applies to: .github/workflows/action.yml, Anchore Grype vulnerability scan, .github/workflows/android.yml, .github/workflows/apisec-scan.yml, .github/workflows/autofix-ci.yml, .github/workflows/azure-pipelines.yml, C/C++ CI, CxFlow, Cloudrail, .github/workflows/cmake.yml, Codacy Security Scan, .github/workflows/codeql.yml, CRDA Scan, Dart, Datree Workflow, .github/workflows/dependency-review.yaml, Docker Image CI, Docker, .NET, ESLint, .github/workflows/ethicalcheck.yml, Ruby Gem, Go, .github/workflows/gradle.yml, .github/workflows/jekyll-gh-pages.yml, Makefile CI, MobSF, MSBuild, Microsoft C++ Code Analysis, njsscan sarif, .github/workflows/nowsecure-mobile-sbom.yml, .github/workflows/nowsecure.yml, .github/workflows/ops.static-analysis.yml, .github/workflows/ossar.yml, PSScriptAnalyzer, .github/workflows/publish.yaml, .github/workflows/pylint.yml, .github/workflows/pysa.yml, .github/workflows/python-app.yml, .github/workflows/python-package-conda.yml, .github/workflows/python-publish.yml, R, .github/workflows/rubocop.yml, Ruby on Rails CI, .github/workflows/rust-clippy.yml, Rust, Semgrep, SOOS DAST Scan, StackHawk, Mark stale issues and pull requests, .github/workflows/static.yml, .github/workflows/super-linter.yml, Sysdig - Build, scan, push and upload sarif report, build, NodeJS with Webpack
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

# Scheduled workflow runs in forks — applies to: Anchore Grype vulnerability scan, Cloudrail, Codacy Security Scan, ESLint, MobSF, Microsoft C++ Code Analysis, njsscan sarif, .github/workflows/nowsecure-mobile-sbom.yml, PSScriptAnalyzer, Semgrep, StackHawk, Mark stale issues and pull requests, build
jobs:
  nightly:
    if: github.repository == 'owner/repo'
    runs-on: ubuntu-latest

# Missing dependency cache (go) — applies to: .github/workflows/autofix-ci.yml
# actions/setup-go@v4+ caches modules and build output by default;
# upgrading to v4 or newer is the fix.
- uses: actions/setup-go@v5
  with:
    go-version: '1.22'

# System packages reinstalled every run — applies to: .github/workflows/autofix-ci.yml
- uses: awalsh128/cache-apt-pkgs-action@latest
  with:
    packages: <your packages>
    version: 1.0

# No path filters on triggers — applies to: Docker
on:
  pull_request:
    paths:
      - 'src/**'
      - 'package.json'

# Missing dependency cache (gradle) — applies to: .github/workflows/gradle.yml
- uses: actions/setup-java@v4
  with:
    distribution: 'temurin'
    java-version: '21'
    cache: 'gradle'

# cancel-in-progress on a deploy workflow — applies to: .github/workflows/jekyll-gh-pages.yml
concurrency:
  group: ${{ github.workflow }}
  # queued deploys run in order; none are dropped

# Premium runners (macOS / Windows) — applies to: MSBuild, Microsoft C++ Code Analysis, .github/workflows/ossar.yml, R
jobs:
  build:
    runs-on: ubuntu-latest  # ~10x cheaper than macos-latest

# Artifacts at default retention — applies to: Microsoft C++ Code Analysis
- uses: actions/upload-artifact@v4
  with:
    name: build
    path: dist/
    retention-days: 7

# Missing dependency cache (pip) — applies to: .github/workflows/python-app.yml
- uses: actions/setup-python@v5
  with:
    python-version: '3.12'
    cache: 'pip'

# Missing dependency cache (cargo) — applies to: Rust
- uses: Swatinem/rust-cache@v2

Each snippet is representative — merge into the named workflow files rather than pasting wholesale.

Want this on every push?

This scorecard is a one-time snapshot. Install the free GitHub App to track this repo continuously: new regressions caught as they land, trends over time, on your public and private repos. Team adds the offending commit on the PR + Slack alerts.

Install & monitor this repo →

Not ready to install? Get this report by email. No spam, unsubscribe anytime.

Share this scorecard: https://gitspider.com/scan/ah-ha-admin/ah-ha
Add the badge to your README

Live CI-health badge → GitSpider badge

[![GitSpider](https://gitspider.com/badge/ah-ha-admin/ah-ha.svg)](https://gitspider.com/scan/ah-ha-admin/ah-ha)