ah-ha-admin/ah-ha GitHub Actions scorecardPublic GitHub Actions data, last 30 days. Updated .
Data sourced from public GitHub. GitSpider is not affiliated with or endorsed by this repository's owners. Request removal.
Biggest wins first, each with the exact config fix.
buildThe Docker build has no layer cache, so every run re-executes every layer from scratch. Add `cache-from: type=gha` / `cache-to: type=gha,mode=max` to the build step.
- uses: docker/build-push-action@v6
with:
cache-from: type=gha
cache-to: type=gha,mode=maxDockerFails or times out on nearly all recent runs, burning minutes to produce only red, and an always-red workflow usually gets ignored. Fix it, or disable the trigger until it's ready.
CxFlowFails or times out on nearly all recent runs, burning minutes to produce only red, and an always-red workflow usually gets ignored. Fix it, or disable the trigger until it's ready.
ESLintFails or times out on nearly all recent runs, burning minutes to produce only red, and an always-red workflow usually gets ignored. Fix it, or disable the trigger until it's ready.
Anchore Grype vulnerability scanFails or times out on nearly all recent runs, burning minutes to produce only red, and an always-red workflow usually gets ignored. Fix it, or disable the trigger until it's ready.
Sysdig - Build, scan, push and upload sarif reportFails or times out on nearly all recent runs, burning minutes to produce only red, and an always-red workflow usually gets ignored. Fix it, or disable the trigger until it's ready.
Anchore Grype vulnerability scanThe Docker build has no layer cache, so every run re-executes every layer from scratch. Add `cache-from: type=gha` / `cache-to: type=gha,mode=max` to the build step.
- uses: docker/build-push-action@v6
with:
cache-from: type=gha
cache-to: type=gha,mode=maxCloudrailFails or times out on nearly all recent runs, burning minutes to produce only red, and an always-red workflow usually gets ignored. Fix it, or disable the trigger until it's ready.
DockerAdd a `concurrency:` block keyed on branch to cancel superseded runs when devs push twice quickly.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: trueESLintSet `cache: 'npm'` on your `actions/setup-node` step, or add an `actions/cache@v4` step keyed on your lockfile.
- uses: actions/setup-node@v4
with:
node-version: 20
cache: 'npm'Sysdig - Build, scan, push and upload sarif reportThe Docker build has no layer cache, so every run re-executes every layer from scratch. Add `cache-from: type=gha` / `cache-to: type=gha,mode=max` to the build step.
- uses: docker/build-push-action@v6
with:
cache-from: type=gha
cache-to: type=gha,mode=maxNodeJS with WebpackSet `cache: 'npm'` on your `actions/setup-node` step, or add an `actions/cache@v4` step keyed on your lockfile.
- uses: actions/setup-node@v4
with:
node-version: 20
cache: 'npm'.github/workflows/action.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Anchore Grype vulnerability scanNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Anchore Grype vulnerability scanThe schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latest.github/workflows/android.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15.github/workflows/apisec-scan.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15.github/workflows/autofix-ci.yml`actions/setup-go@v4+` caches modules and build output by default, so upgrading to v4 or newer is the fix.
# actions/setup-go@v4+ caches modules and build output by default;
# upgrading to v4 or newer is the fix.
- uses: actions/setup-go@v5
with:
go-version: '1.22'.github/workflows/autofix-ci.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15.github/workflows/autofix-ci.ymlSystem packages install from the network on every run with no cache. Cache them (cache-apt-pkgs-action) or check whether the runner image already has the tool.
- uses: awalsh128/cache-apt-pkgs-action@latest
with:
packages: <your packages>
version: 1.0.github/workflows/azure-pipelines.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15C/C++ CINo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15CxFlowNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15CloudrailNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15CloudrailThe schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latest.github/workflows/cmake.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Codacy Security ScanNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Codacy Security ScanThe schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latest.github/workflows/codeql.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15CRDA ScanNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15DartNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Datree WorkflowNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15.github/workflows/dependency-review.yamlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Docker Image CINo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Docker Image CIThe Docker build has no layer cache, so every run re-executes every layer from scratch. Add `cache-from: type=gha` / `cache-to: type=gha,mode=max` to the build step.
- uses: docker/build-push-action@v6
with:
cache-from: type=gha
cache-to: type=gha,mode=maxDockerNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15DockerRuns on every push/PR with no `paths:` filter, so docs-only changes still trigger full CI. Add a `paths:` filter if that's common.
on:
pull_request:
paths:
- 'src/**'
- 'package.json'.NETNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15ESLintNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15ESLintThe schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latest.github/workflows/ethicalcheck.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Ruby GemNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15GoNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15.github/workflows/gradle.ymlSet `cache: 'gradle'` on your `actions/setup-java` step, or add an `actions/cache@v4` step keyed on your build file.
- uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '21'
cache: 'gradle'.github/workflows/gradle.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15.github/workflows/jekyll-gh-pages.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15.github/workflows/jekyll-gh-pages.ymlThis looks like a deploy/release workflow with `cancel-in-progress: true`, which cancels queued runs too — a queued deploy is silently dropped when a newer run arrives. Use a group-only `concurrency:` block on deploys.
concurrency:
group: ${{ github.workflow }}
# queued deploys run in order; none are droppedMakefile CINo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15MobSFNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15MobSFThe schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latestMSBuildNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15MSBuildmacOS bills ~10× and Windows ~2× a Linux minute. The cost estimate above assumes Linux, so your real spend is higher. Move any job that doesn't need them to `ubuntu-latest`.
jobs:
build:
runs-on: ubuntu-latest # ~10x cheaper than macos-latestMicrosoft C++ Code AnalysisNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Microsoft C++ Code Analysis`upload-artifact` has no `retention-days`, so artifacts keep up to 90 days (storage cost). Set e.g. `retention-days: 7`.
- uses: actions/upload-artifact@v4
with:
name: build
path: dist/
retention-days: 7Microsoft C++ Code AnalysismacOS bills ~10× and Windows ~2× a Linux minute. The cost estimate above assumes Linux, so your real spend is higher. Move any job that doesn't need them to `ubuntu-latest`.
jobs:
build:
runs-on: ubuntu-latest # ~10x cheaper than macos-latestMicrosoft C++ Code AnalysisThe schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latestnjsscan sarifNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15njsscan sarifThe schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latest.github/workflows/nowsecure-mobile-sbom.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15.github/workflows/nowsecure-mobile-sbom.ymlThe schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latest.github/workflows/nowsecure.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15.github/workflows/ops.static-analysis.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15.github/workflows/ossar.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15.github/workflows/ossar.ymlmacOS bills ~10× and Windows ~2× a Linux minute. The cost estimate above assumes Linux, so your real spend is higher. Move any job that doesn't need them to `ubuntu-latest`.
jobs:
build:
runs-on: ubuntu-latest # ~10x cheaper than macos-latestPSScriptAnalyzerNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15PSScriptAnalyzerThe schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latest.github/workflows/publish.yamlSet `cache: 'npm'` on your `actions/setup-node` step, or add an `actions/cache@v4` step keyed on your lockfile.
- uses: actions/setup-node@v4
with:
node-version: 20
cache: 'npm'.github/workflows/publish.yamlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15.github/workflows/pylint.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15.github/workflows/pysa.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15.github/workflows/python-app.ymlSet `cache: 'pip'` on your `actions/setup-python` step, or add an `actions/cache@v4` step keyed on your requirements/lock file.
- uses: actions/setup-python@v5
with:
python-version: '3.12'
cache: 'pip'.github/workflows/python-app.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15.github/workflows/python-package-conda.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15.github/workflows/python-publish.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15RNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15RmacOS bills ~10× and Windows ~2× a Linux minute. The cost estimate above assumes Linux, so your real spend is higher. Move any job that doesn't need them to `ubuntu-latest`.
jobs:
build:
runs-on: ubuntu-latest # ~10x cheaper than macos-latest.github/workflows/rubocop.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Ruby on Rails CINo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15.github/workflows/rust-clippy.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15RustAdd `Swatinem/rust-cache@v2` (the de-facto cargo cache), or an `actions/cache@v4` step keyed on `Cargo.lock`.
- uses: Swatinem/rust-cache@v2RustNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15SemgrepNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15SemgrepThe schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latestSOOS DAST ScanNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15StackHawkNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15StackHawkThe schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latestMark stale issues and pull requestsAdd a `concurrency:` block keyed on branch to cancel superseded runs when devs push twice quickly.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: trueMark stale issues and pull requestsNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Mark stale issues and pull requestsThe schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latest.github/workflows/static.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15.github/workflows/super-linter.ymlSet `cache: 'npm'` on your `actions/setup-node` step, or add an `actions/cache@v4` step keyed on your lockfile.
- uses: actions/setup-node@v4
with:
node-version: 20
cache: 'npm'.github/workflows/super-linter.ymlNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Sysdig - Build, scan, push and upload sarif reportNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15buildNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15buildThe schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latestNodeJS with WebpackNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15# Docker build without layer cache — applies to: build, Anchore Grype vulnerability scan, Sysdig - Build, scan, push and upload sarif report, Docker Image CI
- uses: docker/build-push-action@v6
with:
cache-from: type=gha
cache-to: type=gha,mode=max
# No concurrency control — applies to: Docker, Mark stale issues and pull requests
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# Missing dependency cache (npm) — applies to: ESLint, NodeJS with Webpack, .github/workflows/publish.yaml, .github/workflows/super-linter.yml
- uses: actions/setup-node@v4
with:
node-version: 20
cache: 'npm'
# No job timeout — applies to: .github/workflows/action.yml, Anchore Grype vulnerability scan, .github/workflows/android.yml, .github/workflows/apisec-scan.yml, .github/workflows/autofix-ci.yml, .github/workflows/azure-pipelines.yml, C/C++ CI, CxFlow, Cloudrail, .github/workflows/cmake.yml, Codacy Security Scan, .github/workflows/codeql.yml, CRDA Scan, Dart, Datree Workflow, .github/workflows/dependency-review.yaml, Docker Image CI, Docker, .NET, ESLint, .github/workflows/ethicalcheck.yml, Ruby Gem, Go, .github/workflows/gradle.yml, .github/workflows/jekyll-gh-pages.yml, Makefile CI, MobSF, MSBuild, Microsoft C++ Code Analysis, njsscan sarif, .github/workflows/nowsecure-mobile-sbom.yml, .github/workflows/nowsecure.yml, .github/workflows/ops.static-analysis.yml, .github/workflows/ossar.yml, PSScriptAnalyzer, .github/workflows/publish.yaml, .github/workflows/pylint.yml, .github/workflows/pysa.yml, .github/workflows/python-app.yml, .github/workflows/python-package-conda.yml, .github/workflows/python-publish.yml, R, .github/workflows/rubocop.yml, Ruby on Rails CI, .github/workflows/rust-clippy.yml, Rust, Semgrep, SOOS DAST Scan, StackHawk, Mark stale issues and pull requests, .github/workflows/static.yml, .github/workflows/super-linter.yml, Sysdig - Build, scan, push and upload sarif report, build, NodeJS with Webpack
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15
# Scheduled workflow runs in forks — applies to: Anchore Grype vulnerability scan, Cloudrail, Codacy Security Scan, ESLint, MobSF, Microsoft C++ Code Analysis, njsscan sarif, .github/workflows/nowsecure-mobile-sbom.yml, PSScriptAnalyzer, Semgrep, StackHawk, Mark stale issues and pull requests, build
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latest
# Missing dependency cache (go) — applies to: .github/workflows/autofix-ci.yml
# actions/setup-go@v4+ caches modules and build output by default;
# upgrading to v4 or newer is the fix.
- uses: actions/setup-go@v5
with:
go-version: '1.22'
# System packages reinstalled every run — applies to: .github/workflows/autofix-ci.yml
- uses: awalsh128/cache-apt-pkgs-action@latest
with:
packages: <your packages>
version: 1.0
# No path filters on triggers — applies to: Docker
on:
pull_request:
paths:
- 'src/**'
- 'package.json'
# Missing dependency cache (gradle) — applies to: .github/workflows/gradle.yml
- uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '21'
cache: 'gradle'
# cancel-in-progress on a deploy workflow — applies to: .github/workflows/jekyll-gh-pages.yml
concurrency:
group: ${{ github.workflow }}
# queued deploys run in order; none are dropped
# Premium runners (macOS / Windows) — applies to: MSBuild, Microsoft C++ Code Analysis, .github/workflows/ossar.yml, R
jobs:
build:
runs-on: ubuntu-latest # ~10x cheaper than macos-latest
# Artifacts at default retention — applies to: Microsoft C++ Code Analysis
- uses: actions/upload-artifact@v4
with:
name: build
path: dist/
retention-days: 7
# Missing dependency cache (pip) — applies to: .github/workflows/python-app.yml
- uses: actions/setup-python@v5
with:
python-version: '3.12'
cache: 'pip'
# Missing dependency cache (cargo) — applies to: Rust
- uses: Swatinem/rust-cache@v2Each snippet is representative — merge into the named workflow files rather than pasting wholesale.
This scorecard is a one-time snapshot. Install the free GitHub App to track this repo continuously: new regressions caught as they land, trends over time, on your public and private repos. Team adds the offending commit on the PR + Slack alerts.
Install & monitor this repo →Not ready to install? Get this report by email. No spam, unsubscribe anytime.