Skip to content
Latchkey

Tests workflow (snyk/agent-scan)

The Tests workflow from snyk/agent-scan, explained and optimized by Latchkey.

F

CI health: F - at risk

Point runs-on at Latchkey and get caching, run de-duplication, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: snyk/agent-scan.github/workflows/tests.ymlLicense Apache-2.0View source

What it does

This is the Tests workflow from the snyk/agent-scan repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Tests

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:

jobs:
  pre-commit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Print hostname
        run: hostname
      - uses: actions/setup-python@v3
      - uses: pre-commit/action@v3.0.1
  test:
    runs-on: ${{ matrix.os }}
    env:
      AGENT_SCAN_ENVIRONMENT: ci
      AGENT_SCAN_CI_HOSTNAME: ${{ secrets.AGENT_SCAN_CI_HOSTNAME }}
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
    strategy:
      max-parallel: 1
      matrix:
        os: [ubuntu-latest, ubuntu-24.04-arm, windows-latest, macos-latest, macos-15-intel]
    steps:
      - uses: actions/checkout@v4
      - name: Print scan environment variables
        run: |
          echo "AGENT_SCAN_ENVIRONMENT=${{ env.AGENT_SCAN_ENVIRONMENT }}"
          echo "AGENT_SCAN_CI_HOSTNAME=${{ env.AGENT_SCAN_CI_HOSTNAME }}"
      - name: Install the latest version of uv
        uses: astral-sh/setup-uv@v6
      - name: Create venv
        run: uv venv
      - name: Run tests
        run: make ci
      # build and store whl as artifact
      - name: Build and store whl
        if: matrix.os == 'ubuntu-latest'
        run: |
          make build
          mkdir -p ${{ github.workspace }}/artifacts
          cp dist/*.whl ${{ github.workspace }}/artifacts/
      - name: Build and store binary
        if: matrix.os == 'ubuntu-latest'
        run: |
          make binary
          mkdir -p ${{ github.workspace }}/artifacts
          cp dist/agent-scan ${{ github.workspace }}/artifacts/
      - name: Upload whl artifact for this build
        if: matrix.os == 'ubuntu-latest'
        uses: actions/upload-artifact@v4
        with:
          name: agent-scan-latest.whl
          path: ${{ github.workspace }}/artifacts/*.whl

The same workflow, on Latchkey

Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.

name: Tests
 
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  pre-commit:
    timeout-minutes: 30
    runs-on: latchkey-small
    steps:
      - uses: actions/checkout@v3
      - name: Print hostname
        run: hostname
      - uses: actions/setup-python@v3
        with:
          cache: 'pip'
      - uses: pre-commit/action@v3.0.1
  test:
    timeout-minutes: 30
    runs-on: ${{ matrix.os }}
    env:
      AGENT_SCAN_ENVIRONMENT: ci
      AGENT_SCAN_CI_HOSTNAME: ${{ secrets.AGENT_SCAN_CI_HOSTNAME }}
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
    strategy:
      max-parallel: 1
      matrix:
        os: [ubuntu-latest, ubuntu-24.04-arm, windows-latest, macos-latest, macos-15-intel]
    steps:
      - uses: actions/checkout@v4
      - name: Print scan environment variables
        run: |
          echo "AGENT_SCAN_ENVIRONMENT=${{ env.AGENT_SCAN_ENVIRONMENT }}"
          echo "AGENT_SCAN_CI_HOSTNAME=${{ env.AGENT_SCAN_CI_HOSTNAME }}"
      - name: Install the latest version of uv
        uses: astral-sh/setup-uv@v6
      - name: Create venv
        run: uv venv
      - name: Run tests
        run: make ci
      # build and store whl as artifact
      - name: Build and store whl
        if: matrix.os == 'ubuntu-latest'
        run: |
          make build
          mkdir -p ${{ github.workspace }}/artifacts
          cp dist/*.whl ${{ github.workspace }}/artifacts/
      - name: Build and store binary
        if: matrix.os == 'ubuntu-latest'
        run: |
          make binary
          mkdir -p ${{ github.workspace }}/artifacts
          cp dist/agent-scan ${{ github.workspace }}/artifacts/
      - name: Upload whl artifact for this build
        if: matrix.os == 'ubuntu-latest'
        uses: actions/upload-artifact@v4
        with:
          name: agent-scan-latest.whl
          path: ${{ github.workspace }}/artifacts/*.whl
 

What changed

2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

This workflow runs 2 jobs (6 with the matrix expanded) per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow