Skip to content
Latchkey

πŸ”§ CVE Enhancement workflow (projectdiscovery/nuclei-templates)

The πŸ”§ CVE Enhancement workflow from projectdiscovery/nuclei-templates, explained and optimized by Latchkey.

D

CI health: D - needs work

Point runs-on at Latchkey and get caching, run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: projectdiscovery/nuclei-templates.github/workflows/cve-enhancement.ymlLicense MITView source

What it does

This is the πŸ”§ CVE Enhancement workflow from the projectdiscovery/nuclei-templates repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: πŸ”§ CVE Enhancement

on:
  push:
    branches:
      - main
    paths:
      - '**/cves/**/*.yaml'
  workflow_dispatch:

jobs:
  enhance:
    runs-on: ubuntu-latest
    if: github.repository == 'projectdiscovery/nuclei-templates'
    permissions:
      contents: write

    steps:
      - uses: actions/checkout@v7
        with:
          fetch-depth: 0

      - name: Setup Python
        uses: actions/setup-python@v6
        with:
          python-version: '3.11'

      - name: Install dependencies
        run: pip install requests

      - name: Get changed CVE files
        id: files
        run: |
          # Get files changed in the last commit
          FILES=$(git diff --name-only HEAD~1 HEAD | grep 'cves/.*\.yaml$' || echo "")
          if [ -n "$FILES" ]; then
            echo "changed=true" >> $GITHUB_OUTPUT
            echo "$FILES" > /tmp/cve_files.txt
            echo "Changed CVE files:"
            cat /tmp/cve_files.txt
          else
            echo "changed=false" >> $GITHUB_OUTPUT
          fi

      - name: Enhance CVE templates
        if: steps.files.outputs.changed == 'true'
        run: |
          while read file; do
            [ -f "$file" ] && python .github/scripts/enhance-cve-fields.py "$file"
          done < /tmp/cve_files.txt

      - name: Commit changes
        if: steps.files.outputs.changed == 'true'
        run: |
          if ! git diff --quiet; then
            git config user.name "github-actions[bot]"
            git config user.email "github-actions[bot]@users.noreply.github.com"
            git add -A
            git commit -m "chore: add impact and remediation fields πŸ€–"
            git pull origin $GITHUB_REF --rebase
            git push origin $GITHUB_REF
          fi

The same workflow, on Latchkey

Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.

name: πŸ”§ CVE Enhancement
 
on:
  push:
    branches:
      - main
    paths:
      - '**/cves/**/*.yaml'
  workflow_dispatch:
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  enhance:
    timeout-minutes: 30
    runs-on: latchkey-small
    if: github.repository == 'projectdiscovery/nuclei-templates'
    permissions:
      contents: write
 
    steps:
      - uses: actions/checkout@v7
        with:
          fetch-depth: 0
 
      - name: Setup Python
        uses: actions/setup-python@v6
        with:
          cache: 'pip'
          python-version: '3.11'
 
      - name: Install dependencies
        run: pip install requests
 
      - name: Get changed CVE files
        id: files
        run: |
          # Get files changed in the last commit
          FILES=$(git diff --name-only HEAD~1 HEAD | grep 'cves/.*\.yaml$' || echo "")
          if [ -n "$FILES" ]; then
            echo "changed=true" >> $GITHUB_OUTPUT
            echo "$FILES" > /tmp/cve_files.txt
            echo "Changed CVE files:"
            cat /tmp/cve_files.txt
          else
            echo "changed=false" >> $GITHUB_OUTPUT
          fi
 
      - name: Enhance CVE templates
        if: steps.files.outputs.changed == 'true'
        run: |
          while read file; do
            [ -f "$file" ] && python .github/scripts/enhance-cve-fields.py "$file"
          done < /tmp/cve_files.txt
 
      - name: Commit changes
        if: steps.files.outputs.changed == 'true'
        run: |
          if ! git diff --quiet; then
            git config user.name "github-actions[bot]"
            git config user.email "github-actions[bot]@users.noreply.github.com"
            git add -A
            git commit -m "chore: add impact and remediation fields πŸ€–"
            git pull origin $GITHUB_REF --rebase
            git push origin $GITHUB_REF
          fi
 

What changed

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow