Debug Leak Flag Guard workflow (ArcadeAI/arcade-mcp)
The Debug Leak Flag Guard workflow from ArcadeAI/arcade-mcp, explained and optimized by Latchkey.
CI health: D - needs work
Point runs-on at Latchkey and get caching, run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Debug Leak Flag Guard workflow from the ArcadeAI/arcade-mcp repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Debug Leak Flag Guard
# Ensures the debug-exposure flags in arcade_mcp_server/_debug_exposure.py cannot be
# activated by anything shipped in committed files. The flags only activate
# when the env var is set to one specific acknowledgement string, so we just
# need to guarantee that string never appears outside its allowlist. See
# scripts/check_debug_leak_flags_off.py for details.
on:
push:
branches:
- main
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
jobs:
guard:
name: Debug leak flag guard
runs-on: ubuntu-latest
steps:
- name: Check out
uses: actions/checkout@v7
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.11"
- name: Verify debug-leak flags stay off
run: python scripts/check_debug_leak_flags_off.py
The same workflow, on Latchkey
Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.
name: Debug Leak Flag Guard # Ensures the debug-exposure flags in arcade_mcp_server/_debug_exposure.py cannot be # activated by anything shipped in committed files. The flags only activate # when the env var is set to one specific acknowledgement string, so we just # need to guarantee that string never appears outside its allowlist. See # scripts/check_debug_leak_flags_off.py for details. on: push: branches: - main pull_request: types: [opened, synchronize, reopened, ready_for_review] concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: guard: timeout-minutes: 30 name: Debug leak flag guard runs-on: latchkey-small steps: - name: Check out uses: actions/checkout@v7 - name: Set up Python uses: actions/setup-python@v6 with: cache: 'pip' python-version: "3.11" - name: Verify debug-leak flags stay off run: python scripts/check_debug_leak_flags_off.py
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cancel superseded runs when a branch or PR gets a newer push.
- Cache dependency installs on the setup step so they are served from cache.
- Add a job timeout so a hung step cannot burn hours of runner time.
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.