Check security alerts workflow (DevExpress/testcafe)
The Check security alerts workflow from DevExpress/testcafe, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get caching, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Check security alerts workflow from the DevExpress/testcafe repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Check security alerts
on:
schedule:
- cron: "30 1 * * *"
workflow_dispatch:
jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: latest
- uses: actions/github-script@v7
with:
github-token: ${{ secrets.ACTIVE_TOKEN }}
script: |
const {default: SecurityChecker} = await import('${{ github.workspace }}/.github/scripts/security-checker.mjs')
const securityChecker = new SecurityChecker(github, context, '${{secrets.SECURITY_ISSUE_REPO}}');
await securityChecker.check();
keepalive-job:
name: Keepalive Workflow
if: ${{ always() }}
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v4
- uses: gautamkrishnar/keepalive-workflow@v2
with:
gh_token: ${{ secrets.ACTIVE_TOKEN }}
The same workflow, on Latchkey
Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.
name: Check security alerts on: schedule: - cron: "30 1 * * *" workflow_dispatch: jobs: check: timeout-minutes: 30 runs-on: latchkey-small steps: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: cache: 'npm' node-version: latest - uses: actions/github-script@v7 with: github-token: ${{ secrets.ACTIVE_TOKEN }} script: | const {default: SecurityChecker} = await import('${{ github.workspace }}/.github/scripts/security-checker.mjs') const securityChecker = new SecurityChecker(github, context, '${{secrets.SECURITY_ISSUE_REPO}}'); await securityChecker.check(); keepalive-job: timeout-minutes: 30 name: Keepalive Workflow if: ${{ always() }} runs-on: latchkey-small permissions: contents: write steps: - uses: actions/checkout@v4 - uses: gautamkrishnar/keepalive-workflow@v2 with: gh_token: ${{ secrets.ACTIVE_TOKEN }}
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cache dependency installs on the setup step so they are served from cache.
- Add a job timeout so a hung step cannot burn hours of runner time.
1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
This workflow runs 2 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.