finos/OpenMAMA GitHub Actions scorecard

Public GitHub Actions data, last 30 days. Updated .

Data sourced from public GitHub. GitSpider is not affiliated with or endorsed by this repository's owners. Request removal.

728 min/mo
recoverable (~50% of CI time) · across 13 patterns · ≈$4/mo
Estimated from wall-clock time · public repos pay $0, $ = private-repo equivalent
See all 13 fixes, each with the exact YAML ↓
46.7%
failure rate, 30d
109h 9m
avg time to recover from a failure
5 workflows · 30 runs (1/day) · 1,456 CI-min (wall-clock) · ≈$9 at private-repo rates (30d)

Where the minutes go (30d)

Build and Deploy~1,440 min · 6 runs
CVE Scanning for Gradle~5 min · 6 runs
Static code analysis~5 min · 6 runs
or track on every push →

Waste detected

Biggest wins first, each with the exact config fix.

Workflow runs on both push and pull_request · Build and Deploy

~720 min/mo · ≈$4/mo

Pushing to a branch and opening a PR triggers two runs. Pick one (usually `pull_request`) and exclude branch pushes for non-default branches.

on:
  push:
    branches: [main]
  pull_request:

Full guide: how to fix this →

Workflow runs on both push and pull_request · CVE Scanning for Gradle

~3 min/mo

Pushing to a branch and opening a PR triggers two runs. Pick one (usually `pull_request`) and exclude branch pushes for non-default branches.

on:
  push:
    branches: [main]
  pull_request:

Full guide: how to fix this →

Workflow runs on both push and pull_request · CVE Scanning for Docker

~2 min/mo

Pushing to a branch and opening a PR triggers two runs. Pick one (usually `pull_request`) and exclude branch pushes for non-default branches.

on:
  push:
    branches: [main]
  pull_request:

Full guide: how to fix this →

Workflow runs on both push and pull_request · CVE Scanning for .NET

~2 min/mo

Pushing to a branch and opening a PR triggers two runs. Pick one (usually `pull_request`) and exclude branch pushes for non-default branches.

on:
  push:
    branches: [main]
  pull_request:

Full guide: how to fix this →

Workflow runs on both push and pull_request · Static code analysis

~2 min/mo

Pushing to a branch and opening a PR triggers two runs. Pick one (usually `pull_request`) and exclude branch pushes for non-default branches.

on:
  push:
    branches: [main]
  pull_request:

Full guide: how to fix this →

Docker build without layer cache · CVE Scanning for Docker

~1 min/mo

The Docker build has no layer cache, so every run re-executes every layer from scratch. Add `cache-from: type=gha` / `cache-to: type=gha,mode=max` to the build step.

- uses: docker/build-push-action@v6
  with:
    cache-from: type=gha
    cache-to: type=gha,mode=max

Full guide: how to fix this →

Also found: 7 more config fixes with negligible recoverable minutes — timeouts, retention, path filters

No job timeout · CVE Scanning for Docker

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · CVE Scanning for .NET

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

No job timeout · CVE Scanning for Gradle

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Artifacts at default retention · Build and Deploy

~0 min/mo

`upload-artifact` has no `retention-days`, so artifacts keep up to 90 days (storage cost). Set e.g. `retention-days: 7`.

- uses: actions/upload-artifact@v4
  with:
    name: build
    path: dist/
    retention-days: 7

Full guide: how to fix this →

Premium runners (macOS / Windows) · Build and Deploy

~0 min/mo

macOS bills ~10× and Windows ~2× a Linux minute. The cost estimate above assumes Linux, so your real spend is higher. Move any job that doesn't need them to `ubuntu-latest`.

jobs:
  build:
    runs-on: ubuntu-latest  # ~10x cheaper than macos-latest

Full guide: how to fix this →

Cache without restore-keys · Build and Deploy

~0 min/mo

The cache restores only on an exact key match, so any lockfile change means a full cold download. Add a `restore-keys:` prefix line for partial restores.

    key: deps-${{ runner.os }}-${{ hashFiles('**/<lockfile>') }}
    restore-keys: |
      deps-${{ runner.os }}-

Full guide: how to fix this →

No job timeout · Static code analysis

~0 min/mo

No job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

Full guide: how to fix this →

Copy every fix as one block (6 snippets, annotated per workflow)
# Workflow runs on both push and pull_request — applies to: Build and Deploy, CVE Scanning for Gradle, CVE Scanning for Docker, CVE Scanning for .NET, Static code analysis
on:
  push:
    branches: [main]
  pull_request:

# Docker build without layer cache — applies to: CVE Scanning for Docker
- uses: docker/build-push-action@v6
  with:
    cache-from: type=gha
    cache-to: type=gha,mode=max

# No job timeout — applies to: CVE Scanning for Docker, CVE Scanning for .NET, CVE Scanning for Gradle, Static code analysis
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15

# Artifacts at default retention — applies to: Build and Deploy
- uses: actions/upload-artifact@v4
  with:
    name: build
    path: dist/
    retention-days: 7

# Premium runners (macOS / Windows) — applies to: Build and Deploy
jobs:
  build:
    runs-on: ubuntu-latest  # ~10x cheaper than macos-latest

# Cache without restore-keys — applies to: Build and Deploy
    key: deps-${{ runner.os }}-${{ hashFiles('**/<lockfile>') }}
    restore-keys: |
      deps-${{ runner.os }}-

Each snippet is representative — merge into the named workflow files rather than pasting wholesale.

Want this on every push?

This scorecard is a one-time snapshot. Install the free GitHub App to track this repo continuously: new regressions caught as they land, trends over time, on your public and private repos. Team adds the offending commit on the PR + Slack alerts.

Install & monitor this repo →

Not ready to install? Get this report by email. No spam, unsubscribe anytime.

Share this scorecard: https://gitspider.com/scan/finos/OpenMAMA
Add the badge to your README

Live CI-health badge → GitSpider badge

[![GitSpider](https://gitspider.com/badge/finos/OpenMAMA.svg)](https://gitspider.com/scan/finos/OpenMAMA)