aquia-inc/base-docker-images GitHub Actions scorecardPublic GitHub Actions data, last 30 days. Updated .
Data sourced from public GitHub. GitSpider is not affiliated with or endorsed by this repository's owners. Request removal.
Biggest wins first, each with the exact config fix.
Verify and Publish Base Docker imagesAdd a `concurrency:` block keyed on branch to cancel superseded runs when devs push twice quickly.
concurrency:
group: ${{ github.workflow }}
# no cancel-in-progress on deploys: queued deploys would be droppedDaily Vulnerability Scan and RebuildAdd a `concurrency:` block keyed on branch to cancel superseded runs when devs push twice quickly.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: trueSecurity LintAdd a `concurrency:` block keyed on branch to cancel superseded runs when devs push twice quickly.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: trueDaily Vulnerability Scan and RebuildNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Daily Vulnerability Scan and RebuildThe schedule fires at minute :00 — GitHub's peak window, where scheduled runs get delayed or skipped. Shift to any other minute for the same cadence with less contention.
on:
schedule:
- cron: '41 10 * * *' # was '0 10 * * *' — any non-:00 minute avoids the herdDaily Vulnerability Scan and RebuildSystem packages install from the network on every run with no cache. Cache them (cache-apt-pkgs-action) or check whether the runner image already has the tool.
- uses: awalsh128/cache-apt-pkgs-action@latest
with:
packages: <your packages>
version: 1.0Verify and Publish Base Docker imagesNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Verify and Publish Base Docker imagesRuns on every push/PR with no `paths:` filter, so docs-only changes still trigger full CI. Add a `paths:` filter if that's common.
on:
pull_request:
paths:
- 'src/**'
- 'package.json'Security LintNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Security LintRuns on every push/PR with no `paths:` filter, so docs-only changes still trigger full CI. Add a `paths:` filter if that's common.
on:
pull_request:
paths:
- 'src/**'
- 'package.json'Security Lintcheckout fetches the entire git history every run (`fetch-depth: 0`) and nothing in the workflow appears to read it. Remove the line — the default shallow clone is much faster on big repos. Keep it if a step genuinely needs history.
- uses: actions/checkout@v4
# fetch-depth: 0 removed — default shallow clone is enough here# No concurrency control — applies to: Verify and Publish Base Docker images
concurrency:
group: ${{ github.workflow }}
# no cancel-in-progress on deploys: queued deploys would be dropped
# No concurrency control — applies to: Daily Vulnerability Scan and Rebuild, Security Lint
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# No job timeout — applies to: Daily Vulnerability Scan and Rebuild, Verify and Publish Base Docker images, Security Lint
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15
# Scheduled at the top of the hour — applies to: Daily Vulnerability Scan and Rebuild
on:
schedule:
- cron: '41 10 * * *' # was '0 10 * * *' — any non-:00 minute avoids the herd
# System packages reinstalled every run — applies to: Daily Vulnerability Scan and Rebuild
- uses: awalsh128/cache-apt-pkgs-action@latest
with:
packages: <your packages>
version: 1.0
# No path filters on triggers — applies to: Verify and Publish Base Docker images, Security Lint
on:
pull_request:
paths:
- 'src/**'
- 'package.json'
# Full-history clone (fetch-depth: 0) — applies to: Security Lint
- uses: actions/checkout@v4
# fetch-depth: 0 removed — default shallow clone is enough hereEach snippet is representative — merge into the named workflow files rather than pasting wholesale.
This scorecard is a one-time snapshot. Install the free GitHub App to track this repo continuously: new regressions caught as they land, trends over time, on your public and private repos. Team adds the offending commit on the PR + Slack alerts.
Install & monitor this repo →Not ready to install? Get this report by email. No spam, unsubscribe anytime.