Tests workflow (snyk/agent-scan)
The Tests workflow from snyk/agent-scan, explained and optimized by Latchkey.
CI health: F - at risk
Point runs-on at Latchkey and get caching, run de-duplication, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Tests workflow from the snyk/agent-scan repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Tests
on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:
jobs:
pre-commit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Print hostname
run: hostname
- uses: actions/setup-python@v3
- uses: pre-commit/action@v3.0.1
test:
runs-on: ${{ matrix.os }}
env:
AGENT_SCAN_ENVIRONMENT: ci
AGENT_SCAN_CI_HOSTNAME: ${{ secrets.AGENT_SCAN_CI_HOSTNAME }}
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
strategy:
max-parallel: 1
matrix:
os: [ubuntu-latest, ubuntu-24.04-arm, windows-latest, macos-latest, macos-15-intel]
steps:
- uses: actions/checkout@v4
- name: Print scan environment variables
run: |
echo "AGENT_SCAN_ENVIRONMENT=${{ env.AGENT_SCAN_ENVIRONMENT }}"
echo "AGENT_SCAN_CI_HOSTNAME=${{ env.AGENT_SCAN_CI_HOSTNAME }}"
- name: Install the latest version of uv
uses: astral-sh/setup-uv@v6
- name: Create venv
run: uv venv
- name: Run tests
run: make ci
# build and store whl as artifact
- name: Build and store whl
if: matrix.os == 'ubuntu-latest'
run: |
make build
mkdir -p ${{ github.workspace }}/artifacts
cp dist/*.whl ${{ github.workspace }}/artifacts/
- name: Build and store binary
if: matrix.os == 'ubuntu-latest'
run: |
make binary
mkdir -p ${{ github.workspace }}/artifacts
cp dist/agent-scan ${{ github.workspace }}/artifacts/
- name: Upload whl artifact for this build
if: matrix.os == 'ubuntu-latest'
uses: actions/upload-artifact@v4
with:
name: agent-scan-latest.whl
path: ${{ github.workspace }}/artifacts/*.whl
The same workflow, on Latchkey
Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.
name: Tests on: push: branches: [main] pull_request: branches: [main] workflow_dispatch: concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: pre-commit: timeout-minutes: 30 runs-on: latchkey-small steps: - uses: actions/checkout@v3 - name: Print hostname run: hostname - uses: actions/setup-python@v3 with: cache: 'pip' - uses: pre-commit/action@v3.0.1 test: timeout-minutes: 30 runs-on: ${{ matrix.os }} env: AGENT_SCAN_ENVIRONMENT: ci AGENT_SCAN_CI_HOSTNAME: ${{ secrets.AGENT_SCAN_CI_HOSTNAME }} SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} strategy: max-parallel: 1 matrix: os: [ubuntu-latest, ubuntu-24.04-arm, windows-latest, macos-latest, macos-15-intel] steps: - uses: actions/checkout@v4 - name: Print scan environment variables run: | echo "AGENT_SCAN_ENVIRONMENT=${{ env.AGENT_SCAN_ENVIRONMENT }}" echo "AGENT_SCAN_CI_HOSTNAME=${{ env.AGENT_SCAN_CI_HOSTNAME }}" - name: Install the latest version of uv uses: astral-sh/setup-uv@v6 - name: Create venv run: uv venv - name: Run tests run: make ci # build and store whl as artifact - name: Build and store whl if: matrix.os == 'ubuntu-latest' run: | make build mkdir -p ${{ github.workspace }}/artifacts cp dist/*.whl ${{ github.workspace }}/artifacts/ - name: Build and store binary if: matrix.os == 'ubuntu-latest' run: | make binary mkdir -p ${{ github.workspace }}/artifacts cp dist/agent-scan ${{ github.workspace }}/artifacts/ - name: Upload whl artifact for this build if: matrix.os == 'ubuntu-latest' uses: actions/upload-artifact@v4 with: name: agent-scan-latest.whl path: ${{ github.workspace }}/artifacts/*.whl
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cancel superseded runs when a branch or PR gets a newer push.
- Cache dependency installs on the setup step so they are served from cache.
- Add a job timeout so a hung step cannot burn hours of runner time.
2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
This workflow runs 2 jobs (6 with the matrix expanded) per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.