Static code analysis workflow (CodeQL) workflow (anuraghazra/github-readme-stats)
The Static code analysis workflow (CodeQL) workflow from anuraghazra/github-readme-stats, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Static code analysis workflow (CodeQL) workflow from the anuraghazra/github-readme-stats repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: "Static code analysis workflow (CodeQL)"
on:
push:
branches:
- master
pull_request:
branches:
- master
permissions:
actions: read
checks: read
contents: read
deployments: read
issues: read
discussions: read
packages: read
pages: read
pull-requests: read
repository-projects: read
security-events: write
statuses: read
jobs:
CodeQL-Build:
if: github.repository == 'anuraghazra/github-readme-stats'
# CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@46a6823b81f2d7c67ddf123851eea88365bc8a67 # v2.13.5
with:
languages: javascript
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@46a6823b81f2d7c67ddf123851eea88365bc8a67 # v2.13.5
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: "Static code analysis workflow (CodeQL)" on: push: branches: - master pull_request: branches: - master permissions: actions: read checks: read contents: read deployments: read issues: read discussions: read packages: read pages: read pull-requests: read repository-projects: read security-events: write statuses: read concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: CodeQL-Build: timeout-minutes: 30 if: github.repository == 'anuraghazra/github-readme-stats' # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest runs-on: latchkey-small steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@46a6823b81f2d7c67ddf123851eea88365bc8a67 # v2.13.5 with: languages: javascript - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@46a6823b81f2d7c67ddf123851eea88365bc8a67 # v2.13.5
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cancel superseded runs when a branch or PR gets a newer push.
- Add a job timeout so a hung step cannot burn hours of runner time.
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.