Security audit workflow (clap-rs/clap)
The Security audit workflow from clap-rs/clap, explained and optimized by Latchkey.
CI health: B - good
Point runs-on at Latchkey and get job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Security audit workflow from the clap-rs/clap repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Security audit
permissions:
contents: read
on:
pull_request:
paths:
- '**/Cargo.toml'
- '**/Cargo.lock'
push:
branches:
- master
env:
RUST_BACKTRACE: 1
CARGO_TERM_COLOR: always
CLICOLOR: 1
concurrency:
group: "${{ github.workflow }}-${{ github.ref }}"
cancel-in-progress: true
jobs:
security_audit:
permissions:
issues: write # to create issues (actions-rs/audit-check)
checks: write # to create check (actions-rs/audit-check)
runs-on: ubuntu-latest
# Prevent sudden announcement of a new advisory from failing ci:
continue-on-error: true
steps:
- name: Checkout repository
uses: actions/checkout@v7
- uses: actions-rs/audit-check@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
cargo_deny:
permissions:
issues: write # to create issues (actions-rs/audit-check)
checks: write # to create check (actions-rs/audit-check)
runs-on: ubuntu-latest
strategy:
matrix:
checks:
- bans licenses sources
steps:
- uses: actions/checkout@v7
- uses: EmbarkStudios/cargo-deny-action@v2
with:
command: check ${{ matrix.checks }}
rust-version: stable
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: Security audit permissions: contents: read on: pull_request: paths: - '**/Cargo.toml' - '**/Cargo.lock' push: branches: - master env: RUST_BACKTRACE: 1 CARGO_TERM_COLOR: always CLICOLOR: 1 concurrency: group: "${{ github.workflow }}-${{ github.ref }}" cancel-in-progress: true jobs: security_audit: timeout-minutes: 30 permissions: issues: write # to create issues (actions-rs/audit-check) checks: write # to create check (actions-rs/audit-check) runs-on: latchkey-small # Prevent sudden announcement of a new advisory from failing ci: continue-on-error: true steps: - name: Checkout repository uses: actions/checkout@v7 - uses: actions-rs/audit-check@v1 with: token: ${{ secrets.GITHUB_TOKEN }} cargo_deny: timeout-minutes: 30 permissions: issues: write # to create issues (actions-rs/audit-check) checks: write # to create check (actions-rs/audit-check) runs-on: latchkey-small strategy: matrix: checks: - bans licenses sources steps: - uses: actions/checkout@v7 - uses: EmbarkStudios/cargo-deny-action@v2 with: command: check ${{ matrix.checks }} rust-version: stable
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Add a job timeout so a hung step cannot burn hours of runner time.
2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
This workflow runs 2 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.