CodeQL workflow (jmespath/jmespath.py)
The CodeQL workflow from jmespath/jmespath.py, explained and optimized by Latchkey.
C
CI health: C - fair
Run this on Latchkey for self-healing, caching, and up to 58% lower cost.
Grade your own workflow free or run it on Latchkey →What it does
This is the CodeQL workflow from the jmespath/jmespath.py repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
workflow (.yml)
name: "CodeQL"
on:
push:
branches: ["develop"]
pull_request:
branches: ["develop"]
schedule:
- cron: "0 0 * * 5"
permissions:
contents: "read"
jobs:
analyze:
name: "Analyze"
runs-on: "ubuntu-latest"
permissions:
actions: read
contents: read
security-events: write
steps:
- name: "Checkout repository"
uses: "actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3"
- name: "Run CodeQL init"
uses: "github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb"
with:
config-file: "./.github/codeql.yml"
languages: "python"
- name: "Run CodeQL autobuild"
uses: "github/codeql-action/autobuild@4e94bd11f71e507f7f87df81788dff88d1dacbfb"
- name: "Run CodeQL analyze"
uses: "github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb"
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: "CodeQL" on: push: branches: ["develop"] pull_request: branches: ["develop"] schedule: - cron: "0 0 * * 5" permissions: contents: "read" concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: analyze: timeout-minutes: 30 name: "Analyze" runs-on: "ubuntu-latest" permissions: actions: read contents: read security-events: write steps: - name: "Checkout repository" uses: "actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3" - name: "Run CodeQL init" uses: "github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb" with: config-file: "./.github/codeql.yml" languages: "python" - name: "Run CodeQL autobuild" uses: "github/codeql-action/autobuild@4e94bd11f71e507f7f87df81788dff88d1dacbfb" - name: "Run CodeQL analyze" uses: "github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb"
What changed
- Cancel superseded runs when a branch or PR gets a newer push.
- Add a job timeout so a hung step cannot burn hours of runner time.
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.