Security Scan workflow (ErlichLiu/DeepClaude)
The Security Scan workflow from ErlichLiu/DeepClaude, explained and optimized by Latchkey.
CI health: B - good
Point runs-on at Latchkey and get job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Security Scan workflow from the ErlichLiu/DeepClaude repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Security Scan
on:
schedule:
- cron: '0 0 * * 0' # 每周运行一次
workflow_dispatch:
jobs:
check-repository:
runs-on: ubuntu-latest
outputs:
is_original: ${{ steps.check.outputs.is_original }}
steps:
- id: check
run: |
if [ "${{ github.repository }}" = "ErlichLiu/DeepClaude" ]; then
echo "is_original=true" >> $GITHUB_OUTPUT
else
echo "is_original=false" >> $GITHUB_OUTPUT
fi
scan:
needs: check-repository
if: needs.check-repository.outputs.is_original == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set lowercase variables
run: |
OWNER_LOWER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')
REPO_NAME_LOWER=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]')
echo "OWNER_LOWER=$OWNER_LOWER" >> $GITHUB_ENV
echo "REPO_NAME_LOWER=$REPO_NAME_LOWER" >> $GITHUB_ENV
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ghcr.io/${{ env.OWNER_LOWER }}/${{ env.REPO_NAME_LOWER }}:latest
format: 'table'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL'The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: Security Scan on: schedule: - cron: '0 0 * * 0' # 每周运行一次 workflow_dispatch: jobs: check-repository: timeout-minutes: 30 runs-on: latchkey-small outputs: is_original: ${{ steps.check.outputs.is_original }} steps: - id: check run: | if [ "${{ github.repository }}" = "ErlichLiu/DeepClaude" ]; then echo "is_original=true" >> $GITHUB_OUTPUT else echo "is_original=false" >> $GITHUB_OUTPUT fi scan: timeout-minutes: 30 needs: check-repository if: needs.check-repository.outputs.is_original == 'true' runs-on: latchkey-small steps: - uses: actions/checkout@v4 - name: Set lowercase variables run: | OWNER_LOWER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]') REPO_NAME_LOWER=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]') echo "OWNER_LOWER=$OWNER_LOWER" >> $GITHUB_ENV echo "REPO_NAME_LOWER=$REPO_NAME_LOWER" >> $GITHUB_ENV - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: image-ref: ghcr.io/${{ env.OWNER_LOWER }}/${{ env.REPO_NAME_LOWER }}:latest format: 'table' exit-code: '1' ignore-unfixed: true severity: 'CRITICAL'
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Add a job timeout so a hung step cannot burn hours of runner time.
1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
This workflow runs 2 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.