Skip to content
Latchkey

Blossom-CI workflow (NVIDIA/NVFlare)

The Blossom-CI workflow from NVIDIA/NVFlare, explained and optimized by Latchkey.

B

CI health: B - good

Run this on Latchkey for self-healing, caching, and up to 58% lower cost.

Grade your own workflow free or run it on Latchkey →
Source: NVIDIA/NVFlare.github/workflows/blossom-ci.ymlLicense Apache-2.0View source

What it does

This is the Blossom-CI workflow from the NVIDIA/NVFlare repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
# Copyright (c) 2022-2026, NVIDIA CORPORATION.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: Blossom-CI
on:
  issue_comment:
    types: [created]
  workflow_dispatch:
      inputs:
          platform:
            description: 'runs-on argument'
            required: false
          args:
            description: 'argument'
            required: false

permissions:
  actions: write
  checks: write
  contents: write
  issues: write
  pull-requests: write
  repository-projects: write
  statuses: write

jobs:
  Authorization:
    name: Authorization
    runs-on: blossom
    outputs:
      args: ${{ env.args }}

    # This job only runs for pull request comments
    if: |
      github.event.comment.body == '/build' &&
      (
        github.actor == 'chesterxgchen' ||
        github.actor == 'pxLi' ||
        github.actor == 'IsaacYangSLA' ||
        github.actor == 'YanxuanLiu' ||
        github.actor == 'yhwen' ||
        github.actor == 'YuanTingHsieh' ||
        github.actor == 'holgerroth' ||
        github.actor == 'yhwen' ||
        github.actor == 'nvkevlu' ||
        github.actor == 'nvidianz' ||
        github.actor == 'yanchengnv' ||
        github.actor == 'ZiyueXu77' ||
        github.actor == 'Can-Zhao' ||
        github.actor == 'guopengf' ||
        github.actor == 'SYangster' ||
        github.actor == 'yinqingh' ||
        github.actor == 'pcnudde'
      )
    steps:
      - name: Check if comment is issued by authorized person
        run: blossom-ci
        env:
          OPERATION: 'AUTH'
          REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO_KEY_DATA: ${{ secrets.BLOSSOM_KEY }}

  Vulnerability-scan:
    name: Vulnerability scan
    needs: [Authorization]
    runs-on: vulnerability-scan
    steps:
      - name: Checkout code
        uses: NVIDIA/spark-rapids-common/checkout@main
        with:
          repository: ${{ fromJson(needs.Authorization.outputs.args).repo }}
          ref: ${{ fromJson(needs.Authorization.outputs.args).ref }}
          lfs: 'true'

      # add blackduck properties https://synopsys.atlassian.net/wiki/spaces/INTDOCS/pages/631308372/Methods+for+Configuring+Analysis#Using-a-configuration-file
      - name: Setup blackduck properties
        run: |
             echo detect.excluded.detector.types=PIP >> application.properties

      - name: Run blossom action
        uses: NVIDIA/blossom-action@main
        env:
          REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO_KEY_DATA: ${{ secrets.BLOSSOM_KEY }}
        with:
          args1: ${{ fromJson(needs.Authorization.outputs.args).args1 }}
          args2: ${{ fromJson(needs.Authorization.outputs.args).args2 }}
          args3: ${{ fromJson(needs.Authorization.outputs.args).args3 }}

  Job-trigger:
    name: Start ci job
    needs: [Vulnerability-scan]
    runs-on: blossom
    steps:
      - name: Start ci job
        run: blossom-ci
        env:
          OPERATION: 'START-CI-JOB'
          CI_SERVER: ${{ secrets.CI_SERVER }}
          REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  Post-processing:
    name: Post processing
    runs-on: blossom
    if : github.event_name == 'workflow_dispatch'
    steps:
      - name: Start post processing
        run: blossom-ci
        env:
          OPERATION: 'POST-PROCESSING'
          CI_SERVER: ${{ secrets.CI_SERVER }}
          REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

# Copyright (c) 2022-2026, NVIDIA CORPORATION.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
 
name: Blossom-CI
on:
  issue_comment:
    types: [created]
  workflow_dispatch:
      inputs:
          platform:
            description: 'runs-on argument'
            required: false
          args:
            description: 'argument'
            required: false
 
permissions:
  actions: write
  checks: write
  contents: write
  issues: write
  pull-requests: write
  repository-projects: write
  statuses: write
 
jobs:
  Authorization:
    timeout-minutes: 30
    name: Authorization
    runs-on: blossom
    outputs:
      args: ${{ env.args }}
 
    # This job only runs for pull request comments
    if: |
      github.event.comment.body == '/build' &&
      (
        github.actor == 'chesterxgchen' ||
        github.actor == 'pxLi' ||
        github.actor == 'IsaacYangSLA' ||
        github.actor == 'YanxuanLiu' ||
        github.actor == 'yhwen' ||
        github.actor == 'YuanTingHsieh' ||
        github.actor == 'holgerroth' ||
        github.actor == 'yhwen' ||
        github.actor == 'nvkevlu' ||
        github.actor == 'nvidianz' ||
        github.actor == 'yanchengnv' ||
        github.actor == 'ZiyueXu77' ||
        github.actor == 'Can-Zhao' ||
        github.actor == 'guopengf' ||
        github.actor == 'SYangster' ||
        github.actor == 'yinqingh' ||
        github.actor == 'pcnudde'
      )
    steps:
      - name: Check if comment is issued by authorized person
        run: blossom-ci
        env:
          OPERATION: 'AUTH'
          REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO_KEY_DATA: ${{ secrets.BLOSSOM_KEY }}
 
  Vulnerability-scan:
    timeout-minutes: 30
    name: Vulnerability scan
    needs: [Authorization]
    runs-on: vulnerability-scan
    steps:
      - name: Checkout code
        uses: NVIDIA/spark-rapids-common/checkout@main
        with:
          repository: ${{ fromJson(needs.Authorization.outputs.args).repo }}
          ref: ${{ fromJson(needs.Authorization.outputs.args).ref }}
          lfs: 'true'
 
      # add blackduck properties https://synopsys.atlassian.net/wiki/spaces/INTDOCS/pages/631308372/Methods+for+Configuring+Analysis#Using-a-configuration-file
      - name: Setup blackduck properties
        run: |
             echo detect.excluded.detector.types=PIP >> application.properties
 
      - name: Run blossom action
        uses: NVIDIA/blossom-action@main
        env:
          REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO_KEY_DATA: ${{ secrets.BLOSSOM_KEY }}
        with:
          args1: ${{ fromJson(needs.Authorization.outputs.args).args1 }}
          args2: ${{ fromJson(needs.Authorization.outputs.args).args2 }}
          args3: ${{ fromJson(needs.Authorization.outputs.args).args3 }}
 
  Job-trigger:
    timeout-minutes: 30
    name: Start ci job
    needs: [Vulnerability-scan]
    runs-on: blossom
    steps:
      - name: Start ci job
        run: blossom-ci
        env:
          OPERATION: 'START-CI-JOB'
          CI_SERVER: ${{ secrets.CI_SERVER }}
          REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
  Post-processing:
    timeout-minutes: 30
    name: Post processing
    runs-on: blossom
    if : github.event_name == 'workflow_dispatch'
    steps:
      - name: Start post processing
        run: blossom-ci
        env:
          OPERATION: 'POST-PROCESSING'
          CI_SERVER: ${{ secrets.CI_SERVER }}
          REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

What changed

2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

This workflow runs 4 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.