vesperp4/mono GitHub Actions scorecardPublic GitHub Actions data, last 30 days. Updated .
Data sourced from public GitHub. GitSpider is not affiliated with or endorsed by this repository's owners. Request removal.
Biggest wins first, each with the exact config fix.
Portal API Security ScanThe Docker build has no layer cache, so every run re-executes every layer from scratch. Add `cache-from: type=gha` / `cache-to: type=gha,mode=max` to the build step.
- uses: docker/build-push-action@v6
with:
cache-from: type=gha
cache-to: type=gha,mode=maxCodeQLAdd a `concurrency:` block keyed on branch to cancel superseded runs when devs push twice quickly.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: truePR TitleAdd a `concurrency:` block keyed on branch to cancel superseded runs when devs push twice quickly.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: trueDependency ReviewAdd a `concurrency:` block keyed on branch to cancel superseded runs when devs push twice quickly.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: trueSecret ScanAdd a `concurrency:` block keyed on branch to cancel superseded runs when devs push twice quickly.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: trueCINo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15CIRuns on every push/PR with no `paths:` filter, so docs-only changes still trigger full CI. Add a `paths:` filter if that's common.
on:
pull_request:
paths:
- 'src/**'
- 'package.json'PR TitleNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15PR TitleRuns on every push/PR with no `paths:` filter, so docs-only changes still trigger full CI. Add a `paths:` filter if that's common.
on:
pull_request:
paths:
- 'src/**'
- 'package.json'OpenSSF ScorecardNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15OpenSSF Scorecard`upload-artifact` has no `retention-days`, so artifacts keep up to 90 days (storage cost). Set e.g. `retention-days: 7`.
- uses: actions/upload-artifact@v4
with:
name: build
path: dist/
retention-days: 7OpenSSF ScorecardThe schedule fires at minute :00 — GitHub's peak window, where scheduled runs get delayed or skipped. Shift to any other minute for the same cadence with less contention.
on:
schedule:
- cron: '21 6 * * 1' # was '0 6 * * 1' — any non-:00 minute avoids the herdOpenSSF ScorecardThe schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latestDependency ReviewNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Secret ScanNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Secret Scancheckout fetches the entire git history every run (`fetch-depth: 0`) and nothing in the workflow appears to read it. Remove the line — the default shallow clone is much faster on big repos. Keep it if a step genuinely needs history.
- uses: actions/checkout@v4
# fetch-depth: 0 removed — default shallow clone is enough hereRelease PleaseNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Mainsite Web TestNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Mainsite Web TestRuns on every push/PR with no `paths:` filter, so docs-only changes still trigger full CI. Add a `paths:` filter if that's common.
on:
pull_request:
paths:
- 'src/**'
- 'package.json'CodeQLNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15CodeQLRuns on every push/PR with no `paths:` filter, so docs-only changes still trigger full CI. Add a `paths:` filter if that's common.
on:
pull_request:
paths:
- 'src/**'
- 'package.json'CodeQLThe schedule fires at minute :00 — GitHub's peak window, where scheduled runs get delayed or skipped. Shift to any other minute for the same cadence with less contention.
on:
schedule:
- cron: '29 6 * * 2' # was '0 6 * * 2' — any non-:00 minute avoids the herdCodeQLThe schedule has no repository guard, so forks that enable Actions inherit the cron and burn their own minutes. Gate the job with `if: github.repository == 'owner/repo'`.
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latestPortal Web TestNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Portal Web TestRuns on every push/PR with no `paths:` filter, so docs-only changes still trigger full CI. Add a `paths:` filter if that's common.
on:
pull_request:
paths:
- 'src/**'
- 'package.json'Portal API TestNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15Portal API TestRuns on every push/PR with no `paths:` filter, so docs-only changes still trigger full CI. Add a `paths:` filter if that's common.
on:
pull_request:
paths:
- 'src/**'
- 'package.json'Portal API Security ScanNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15TV Engine TestNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15TV Engine TestRuns on every push/PR with no `paths:` filter, so docs-only changes still trigger full CI. Add a `paths:` filter if that's common.
on:
pull_request:
paths:
- 'src/**'
- 'package.json'TV Web TestNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15TV Web TestRuns on every push/PR with no `paths:` filter, so docs-only changes still trigger full CI. Add a `paths:` filter if that's common.
on:
pull_request:
paths:
- 'src/**'
- 'package.json'tv-web DeployNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15npm AuditNo job sets `timeout-minutes`, so a hung step can run to GitHub's 6-hour default. Add `timeout-minutes` to each job.
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15# Docker build without layer cache — applies to: Portal API Security Scan
- uses: docker/build-push-action@v6
with:
cache-from: type=gha
cache-to: type=gha,mode=max
# No concurrency control — applies to: CodeQL, PR Title, Dependency Review, Secret Scan
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# No job timeout — applies to: CI, PR Title, OpenSSF Scorecard, Dependency Review, Secret Scan, Release Please, Mainsite Web Test, CodeQL, Portal Web Test, Portal API Test, Portal API Security Scan, TV Engine Test, TV Web Test, tv-web Deploy, npm Audit
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15
# No path filters on triggers — applies to: CI, PR Title, Mainsite Web Test, CodeQL, Portal Web Test, Portal API Test, TV Engine Test, TV Web Test
on:
pull_request:
paths:
- 'src/**'
- 'package.json'
# Artifacts at default retention — applies to: OpenSSF Scorecard
- uses: actions/upload-artifact@v4
with:
name: build
path: dist/
retention-days: 7
# Scheduled at the top of the hour — applies to: OpenSSF Scorecard
on:
schedule:
- cron: '21 6 * * 1' # was '0 6 * * 1' — any non-:00 minute avoids the herd
# Scheduled workflow runs in forks — applies to: OpenSSF Scorecard, CodeQL
jobs:
nightly:
if: github.repository == 'owner/repo'
runs-on: ubuntu-latest
# Full-history clone (fetch-depth: 0) — applies to: Secret Scan
- uses: actions/checkout@v4
# fetch-depth: 0 removed — default shallow clone is enough here
# Scheduled at the top of the hour — applies to: CodeQL
on:
schedule:
- cron: '29 6 * * 2' # was '0 6 * * 2' — any non-:00 minute avoids the herdEach snippet is representative — merge into the named workflow files rather than pasting wholesale.
This scorecard is a one-time snapshot. Install the free GitHub App to track this repo continuously: new regressions caught as they land, trends over time, on your public and private repos. Team adds the offending commit on the PR + Slack alerts.
Install & monitor this repo →Not ready to install? Get this report by email. No spam, unsubscribe anytime.