Skip to content
Latchkey

Workflow Security workflow (graphistry/pygraphistry)

The Workflow Security workflow from graphistry/pygraphistry, explained and optimized by Latchkey.

A

CI health: A - excellent

Point runs-on at Latchkey and get run de-duplication, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: graphistry/pygraphistry.github/workflows/workflow-security.ymlLicense BSD-3-ClauseView source

What it does

This is the Workflow Security workflow from the graphistry/pygraphistry repository, a real project running GitHub Actions. It is shown here with attribution under its BSD-3-Clause license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Workflow Security

on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
    paths:
      - ".github/workflows/**"
      - ".github/actionlint.yaml"
      - ".github/zizmor.yml"
  push:
    branches:
      - master
    paths:
      - ".github/workflows/**"
      - ".github/actionlint.yaml"
      - ".github/zizmor.yml"
  workflow_dispatch:

permissions:
  contents: read

env:
  UV_EXCLUDE_NEWER: "6 days"

jobs:
  actionlint:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Download actionlint (latest stable older than cooldown)
        env:
          GH_TOKEN: ${{ github.token }}
          COOLDOWN_DAYS: "6"
        run: |
          set -euo pipefail
          cutoff=$(date -u -d "${COOLDOWN_DAYS} days ago" +%s)
          tag=$(gh api repos/rhysd/actionlint/releases \
            --jq "[.[] | select(.draft|not) | select(.prerelease|not) | select((.published_at | fromdateiso8601) <= ${cutoff})][0].tag_name")
          if [ -z "${tag}" ] || [ "${tag}" = "null" ]; then
            echo "::error::No eligible actionlint release older than ${COOLDOWN_DAYS} days"
            exit 1
          fi
          ver="${tag#v}"
          asset="actionlint_${ver}_linux_amd64.tar.gz"
          gh release download "${tag}" --repo rhysd/actionlint --pattern "${asset}" --clobber
          tar -xzf "${asset}" actionlint
          chmod +x ./actionlint
      - name: Run actionlint
        run: |
          ./actionlint -shellcheck=

  zizmor:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install zizmor
        run: |
          python3 -m pip install --disable-pip-version-check --no-cache-dir --no-deps "uv==0.11.3"
          python3 -m venv .venv-zizmor
          source .venv-zizmor/bin/activate
          uv pip install --upgrade zizmor
      - name: Run zizmor (medium severity gate)
        # Lowered from `high` to `medium` to enable enforcement of the
        # `unpinned-uses` provider safelist (see #1130 / #1215). zizmor's
        # `unpinned-uses` rule emits at medium severity for policy violations.
        run: |
          .venv-zizmor/bin/zizmor --format=github --no-progress --config .github/zizmor.yml --min-severity medium .github/workflows/*.yml

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Workflow Security
 
on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
    paths:
      - ".github/workflows/**"
      - ".github/actionlint.yaml"
      - ".github/zizmor.yml"
  push:
    branches:
      - master
    paths:
      - ".github/workflows/**"
      - ".github/actionlint.yaml"
      - ".github/zizmor.yml"
  workflow_dispatch:
 
permissions:
  contents: read
 
env:
  UV_EXCLUDE_NEWER: "6 days"
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  actionlint:
    runs-on: latchkey-small
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Download actionlint (latest stable older than cooldown)
        env:
          GH_TOKEN: ${{ github.token }}
          COOLDOWN_DAYS: "6"
        run: |
          set -euo pipefail
          cutoff=$(date -u -d "${COOLDOWN_DAYS} days ago" +%s)
          tag=$(gh api repos/rhysd/actionlint/releases \
            --jq "[.[] | select(.draft|not) | select(.prerelease|not) | select((.published_at | fromdateiso8601) <= ${cutoff})][0].tag_name")
          if [ -z "${tag}" ] || [ "${tag}" = "null" ]; then
            echo "::error::No eligible actionlint release older than ${COOLDOWN_DAYS} days"
            exit 1
          fi
          ver="${tag#v}"
          asset="actionlint_${ver}_linux_amd64.tar.gz"
          gh release download "${tag}" --repo rhysd/actionlint --pattern "${asset}" --clobber
          tar -xzf "${asset}" actionlint
          chmod +x ./actionlint
      - name: Run actionlint
        run: |
          ./actionlint -shellcheck=
 
  zizmor:
    runs-on: latchkey-small
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install zizmor
        run: |
          python3 -m pip install --disable-pip-version-check --no-cache-dir --no-deps "uv==0.11.3"
          python3 -m venv .venv-zizmor
          source .venv-zizmor/bin/activate
          uv pip install --upgrade zizmor
      - name: Run zizmor (medium severity gate)
        # Lowered from `high` to `medium` to enable enforcement of the
        # `unpinned-uses` provider safelist (see #1130 / #1215). zizmor's
        # `unpinned-uses` rule emits at medium severity for policy violations.
        run: |
          .venv-zizmor/bin/zizmor --format=github --no-progress --config .github/zizmor.yml --min-severity medium .github/workflows/*.yml
 

What changed

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 2 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow