Scan Python Dependencies workflow (fuzzylabs/sre-agent)
The Scan Python Dependencies workflow from fuzzylabs/sre-agent, explained and optimized by Latchkey.
CI health: D - needs work
Point runs-on at Latchkey and get caching, run de-duplication, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Scan Python Dependencies workflow from the fuzzylabs/sre-agent repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Scan Python Dependencies
on:
workflow_dispatch:
pull_request:
types:
[opened, reopened, synchronize]
branches:
- main
- develop
paths:
- '**/uv.lock'
push:
branches:
- main
- develop
paths:
- '**/uv.lock'
jobs:
pip_audit:
name: pip-audit
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v6
- name: "Set up Python"
uses: actions/setup-python@v6
with:
python-version-file: "pyproject.toml"
- name: Install uv
uses: astral-sh/setup-uv@v7
- name: Install the project
run: uv sync --locked --all-extras --dev
- uses: pypa/gh-action-pip-audit@v1.1.0
The same workflow, on Latchkey
Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.
name: Scan Python Dependencies on: workflow_dispatch: pull_request: types: [opened, reopened, synchronize] branches: - main - develop paths: - '**/uv.lock' push: branches: - main - develop paths: - '**/uv.lock' concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: pip_audit: name: pip-audit runs-on: latchkey-small timeout-minutes: 10 steps: - uses: actions/checkout@v6 - name: "Set up Python" uses: actions/setup-python@v6 with: cache: 'pip' python-version-file: "pyproject.toml" - name: Install uv uses: astral-sh/setup-uv@v7 - name: Install the project run: uv sync --locked --all-extras --dev - uses: pypa/gh-action-pip-audit@v1.1.0
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cancel superseded runs when a branch or PR gets a newer push.
- Cache dependency installs on the setup step so they are served from cache.
2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.