Blossom-CI workflow (NVIDIA/NVFlare)
The Blossom-CI workflow from NVIDIA/NVFlare, explained and optimized by Latchkey.
CI health: B - good
Run this on Latchkey for self-healing, caching, and up to 58% lower cost.
Grade your own workflow free or run it on Latchkey →What it does
This is the Blossom-CI workflow from the NVIDIA/NVFlare repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
# Copyright (c) 2022-2026, NVIDIA CORPORATION.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Blossom-CI
on:
issue_comment:
types: [created]
workflow_dispatch:
inputs:
platform:
description: 'runs-on argument'
required: false
args:
description: 'argument'
required: false
permissions:
actions: write
checks: write
contents: write
issues: write
pull-requests: write
repository-projects: write
statuses: write
jobs:
Authorization:
name: Authorization
runs-on: blossom
outputs:
args: ${{ env.args }}
# This job only runs for pull request comments
if: |
github.event.comment.body == '/build' &&
(
github.actor == 'chesterxgchen' ||
github.actor == 'pxLi' ||
github.actor == 'IsaacYangSLA' ||
github.actor == 'YanxuanLiu' ||
github.actor == 'yhwen' ||
github.actor == 'YuanTingHsieh' ||
github.actor == 'holgerroth' ||
github.actor == 'yhwen' ||
github.actor == 'nvkevlu' ||
github.actor == 'nvidianz' ||
github.actor == 'yanchengnv' ||
github.actor == 'ZiyueXu77' ||
github.actor == 'Can-Zhao' ||
github.actor == 'guopengf' ||
github.actor == 'SYangster' ||
github.actor == 'yinqingh' ||
github.actor == 'pcnudde'
)
steps:
- name: Check if comment is issued by authorized person
run: blossom-ci
env:
OPERATION: 'AUTH'
REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO_KEY_DATA: ${{ secrets.BLOSSOM_KEY }}
Vulnerability-scan:
name: Vulnerability scan
needs: [Authorization]
runs-on: vulnerability-scan
steps:
- name: Checkout code
uses: NVIDIA/spark-rapids-common/checkout@main
with:
repository: ${{ fromJson(needs.Authorization.outputs.args).repo }}
ref: ${{ fromJson(needs.Authorization.outputs.args).ref }}
lfs: 'true'
# add blackduck properties https://synopsys.atlassian.net/wiki/spaces/INTDOCS/pages/631308372/Methods+for+Configuring+Analysis#Using-a-configuration-file
- name: Setup blackduck properties
run: |
echo detect.excluded.detector.types=PIP >> application.properties
- name: Run blossom action
uses: NVIDIA/blossom-action@main
env:
REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO_KEY_DATA: ${{ secrets.BLOSSOM_KEY }}
with:
args1: ${{ fromJson(needs.Authorization.outputs.args).args1 }}
args2: ${{ fromJson(needs.Authorization.outputs.args).args2 }}
args3: ${{ fromJson(needs.Authorization.outputs.args).args3 }}
Job-trigger:
name: Start ci job
needs: [Vulnerability-scan]
runs-on: blossom
steps:
- name: Start ci job
run: blossom-ci
env:
OPERATION: 'START-CI-JOB'
CI_SERVER: ${{ secrets.CI_SERVER }}
REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Post-processing:
name: Post processing
runs-on: blossom
if : github.event_name == 'workflow_dispatch'
steps:
- name: Start post processing
run: blossom-ci
env:
OPERATION: 'POST-PROCESSING'
CI_SERVER: ${{ secrets.CI_SERVER }}
REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
# Copyright (c) 2022-2026, NVIDIA CORPORATION. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. name: Blossom-CI on: issue_comment: types: [created] workflow_dispatch: inputs: platform: description: 'runs-on argument' required: false args: description: 'argument' required: false permissions: actions: write checks: write contents: write issues: write pull-requests: write repository-projects: write statuses: write jobs: Authorization: timeout-minutes: 30 name: Authorization runs-on: blossom outputs: args: ${{ env.args }} # This job only runs for pull request comments if: | github.event.comment.body == '/build' && ( github.actor == 'chesterxgchen' || github.actor == 'pxLi' || github.actor == 'IsaacYangSLA' || github.actor == 'YanxuanLiu' || github.actor == 'yhwen' || github.actor == 'YuanTingHsieh' || github.actor == 'holgerroth' || github.actor == 'yhwen' || github.actor == 'nvkevlu' || github.actor == 'nvidianz' || github.actor == 'yanchengnv' || github.actor == 'ZiyueXu77' || github.actor == 'Can-Zhao' || github.actor == 'guopengf' || github.actor == 'SYangster' || github.actor == 'yinqingh' || github.actor == 'pcnudde' ) steps: - name: Check if comment is issued by authorized person run: blossom-ci env: OPERATION: 'AUTH' REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }} REPO_KEY_DATA: ${{ secrets.BLOSSOM_KEY }} Vulnerability-scan: timeout-minutes: 30 name: Vulnerability scan needs: [Authorization] runs-on: vulnerability-scan steps: - name: Checkout code uses: NVIDIA/spark-rapids-common/checkout@main with: repository: ${{ fromJson(needs.Authorization.outputs.args).repo }} ref: ${{ fromJson(needs.Authorization.outputs.args).ref }} lfs: 'true' # add blackduck properties https://synopsys.atlassian.net/wiki/spaces/INTDOCS/pages/631308372/Methods+for+Configuring+Analysis#Using-a-configuration-file - name: Setup blackduck properties run: | echo detect.excluded.detector.types=PIP >> application.properties - name: Run blossom action uses: NVIDIA/blossom-action@main env: REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }} REPO_KEY_DATA: ${{ secrets.BLOSSOM_KEY }} with: args1: ${{ fromJson(needs.Authorization.outputs.args).args1 }} args2: ${{ fromJson(needs.Authorization.outputs.args).args2 }} args3: ${{ fromJson(needs.Authorization.outputs.args).args3 }} Job-trigger: timeout-minutes: 30 name: Start ci job needs: [Vulnerability-scan] runs-on: blossom steps: - name: Start ci job run: blossom-ci env: OPERATION: 'START-CI-JOB' CI_SERVER: ${{ secrets.CI_SERVER }} REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }} Post-processing: timeout-minutes: 30 name: Post processing runs-on: blossom if : github.event_name == 'workflow_dispatch' steps: - name: Start post processing run: blossom-ci env: OPERATION: 'POST-PROCESSING' CI_SERVER: ${{ secrets.CI_SERVER }} REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
What changed
- Add a job timeout so a hung step cannot burn hours of runner time.
2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
This workflow runs 4 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.