finos/OpenMAMA GitHub Actions scorecardPublic GitHub Actions data, last 30 days. Updated .
Data sourced from public GitHub. GitSpider is not affiliated with or endorsed by this repository's owners. Request removal.
Biggest wins first, each with the exact config fix.
Build and DeployPushing to a branch and opening a PR triggers two runs. Pick one (usually `pull_request`) and exclude branch pushes for non-default branches.
on:
push:
branches: [main]
pull_request:CVE Scanning for GradlePushing to a branch and opening a PR triggers two runs. Pick one (usually `pull_request`) and exclude branch pushes for non-default branches.
on:
push:
branches: [main]
pull_request:CVE Scanning for DockerPushing to a branch and opening a PR triggers two runs. Pick one (usually `pull_request`) and exclude branch pushes for non-default branches.
on:
push:
branches: [main]
pull_request:CVE Scanning for .NETPushing to a branch and opening a PR triggers two runs. Pick one (usually `pull_request`) and exclude branch pushes for non-default branches.
on:
push:
branches: [main]
pull_request:Static code analysisPushing to a branch and opening a PR triggers two runs. Pick one (usually `pull_request`) and exclude branch pushes for non-default branches.
on:
push:
branches: [main]
pull_request:CVE Scanning for DockerThe Docker build has no layer cache, so every run re-executes every layer from scratch. Add `cache-from: type=gha` / `cache-to: type=gha,mode=max` to the build step.
- uses: docker/build-push-action@v6
with:
cache-from: type=gha
cache-to: type=gha,mode=maxCVE Scanning for DockerNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15CVE Scanning for .NETNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15CVE Scanning for GradleNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Build and Deploy`upload-artifact` has no `retention-days`, so artifacts keep up to 90 days (storage cost). Set e.g. `retention-days: 7`.
- uses: actions/upload-artifact@v4
with:
name: build
path: dist/
retention-days: 7Build and DeploymacOS bills ~10× and Windows ~2× a Linux minute. The cost estimate above assumes Linux, so your real spend is higher. Move any job that doesn't need them to `ubuntu-latest`.
jobs:
build:
runs-on: ubuntu-latest # ~10x cheaper than macos-latestBuild and DeployThe cache restores only on an exact key match, so any lockfile change means a full cold download. Add a `restore-keys:` prefix line for partial restores.
key: deps-${{ runner.os }}-${{ hashFiles('**/<lockfile>') }}
restore-keys: |
deps-${{ runner.os }}-Static code analysisNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15# Workflow runs on both push and pull_request — applies to: Build and Deploy, CVE Scanning for Gradle, CVE Scanning for Docker, CVE Scanning for .NET, Static code analysis
on:
push:
branches: [main]
pull_request:
# Docker build without layer cache — applies to: CVE Scanning for Docker
- uses: docker/build-push-action@v6
with:
cache-from: type=gha
cache-to: type=gha,mode=max
# No job timeout — applies to: CVE Scanning for Docker, CVE Scanning for .NET, CVE Scanning for Gradle, Static code analysis
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15
# Artifacts at default retention — applies to: Build and Deploy
- uses: actions/upload-artifact@v4
with:
name: build
path: dist/
retention-days: 7
# Premium runners (macOS / Windows) — applies to: Build and Deploy
jobs:
build:
runs-on: ubuntu-latest # ~10x cheaper than macos-latest
# Cache without restore-keys — applies to: Build and Deploy
key: deps-${{ runner.os }}-${{ hashFiles('**/<lockfile>') }}
restore-keys: |
deps-${{ runner.os }}-Each snippet is representative — merge into the named workflow files rather than pasting wholesale.
This scorecard is a one-time snapshot. Install the free GitHub App to track this repo continuously: new regressions caught as they land, trends over time, on your public and private repos. Team adds the offending commit on the PR + Slack alerts.
Install & monitor this repo →Not ready to install? Get this report by email. No spam, unsubscribe anytime.