E2E AWS Splunk Windows workflow (splunk/attack_range)
The E2E AWS Splunk Windows workflow from splunk/attack_range, explained and optimized by Latchkey.
CI health: B - good
Point runs-on at Latchkey and get caching, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the E2E AWS Splunk Windows workflow from the splunk/attack_range repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: E2E AWS Splunk Windows
on:
workflow_dispatch:
pull_request:
types: [opened, synchronize, reopened]
concurrency:
group: e2e-aws-splunk-windows
cancel-in-progress: false
jobs:
e2e_splunk_windows:
runs-on: ubuntu-latest
# Reserve time after the test step for destroy cleanup (see step timeouts below).
timeout-minutes: 60
steps:
- name: Checkout repo
uses: actions/checkout@v6
- name: Install system packages
run: |
sudo apt-get update -qq
sudo apt-get install -y --no-install-recommends wireguard-tools unzip curl
- name: Install Terraform
run: |
TERRAFORM_VERSION=1.14.4
curl -s "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip" -o /tmp/terraform.zip
unzip -o /tmp/terraform.zip -d /tmp
sudo mv /tmp/terraform /usr/local/bin/
rm /tmp/terraform.zip
terraform version
- uses: actions/setup-python@v6
with:
python-version: '3.11'
architecture: 'x64'
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v5
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-west-2
- name: Install Python dependencies
run: |
pip install -r requirements.txt
pip install pytest "moto[s3]"
- name: Run E2E test (build, verify, destroy)
timeout-minutes: 45
env:
ATTACK_RANGE_E2E: "1"
ATTACK_RANGE_CI: "1"
OBJC_DISABLE_INITIALIZE_FORK_SAFETY: "YES"
run: |
pytest tests/e2e/test_splunk_windows_aws.py -v -s --log-cli-level=INFO
- name: Destroy attack range (cleanup)
if: always()
timeout-minutes: 10
env:
ATTACK_RANGE_CI: "1"
run: |
shopt -s nullglob
configs=(config/*.yml)
if [ ${#configs[@]} -eq 0 ]; then
echo "No config files to destroy."
exit 0
fi
for cfg in "${configs[@]}"; do
echo "Destroying attack range from ${cfg}"
python attack_range.py destroy --config "${cfg}" || \
echo "Destroy failed for ${cfg}; fallback job will retry."
done
- name: Upload config for destroy fallback
if: always()
uses: actions/upload-artifact@v4
with:
name: e2e-attack-range-config
path: config/
if-no-files-found: ignore
- name: Disconnect WireGuard (cleanup)
if: always()
run: |
CONF="terraform/ansible/client_configs/client1.conf"
if [ -f "$CONF" ]; then
sudo wg-quick down "$CONF" 2>/dev/null || true
fi
destroy_e2e_splunk_windows:
needs: e2e_splunk_windows
if: always()
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- name: Checkout repo
uses: actions/checkout@v6
- name: Install system packages
run: |
sudo apt-get update -qq
sudo apt-get install -y --no-install-recommends unzip curl
- name: Install Terraform
run: |
TERRAFORM_VERSION=1.14.4
curl -s "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip" -o /tmp/terraform.zip
unzip -o /tmp/terraform.zip -d /tmp
sudo mv /tmp/terraform /usr/local/bin/
rm /tmp/terraform.zip
terraform version
- uses: actions/setup-python@v6
with:
python-version: '3.11'
architecture: 'x64'
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v5
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-west-2
- name: Install Python dependencies
run: pip install -r requirements.txt
- name: Download E2E config artifact
uses: actions/download-artifact@v4
continue-on-error: true
with:
name: e2e-attack-range-config
path: config
- name: Destroy attack range (timeout fallback)
env:
ATTACK_RANGE_CI: "1"
run: |
shopt -s nullglob
configs=(config/*.yml)
if [ ${#configs[@]} -eq 0 ]; then
echo "No config files to destroy (test likely cleaned up successfully)."
exit 0
fi
failed=0
for cfg in "${configs[@]}"; do
echo "Destroying attack range from ${cfg}"
if ! python attack_range.py destroy --config "${cfg}"; then
echo "Destroy failed for ${cfg} (manual cleanup may be required)"
failed=1
fi
done
exit "${failed}"
The same workflow, on Latchkey
Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.
name: E2E AWS Splunk Windows on: workflow_dispatch: pull_request: types: [opened, synchronize, reopened] concurrency: group: e2e-aws-splunk-windows cancel-in-progress: false jobs: e2e_splunk_windows: runs-on: latchkey-small # Reserve time after the test step for destroy cleanup (see step timeouts below). timeout-minutes: 60 steps: - name: Checkout repo uses: actions/checkout@v6 - name: Install system packages run: | sudo apt-get update -qq sudo apt-get install -y --no-install-recommends wireguard-tools unzip curl - name: Install Terraform run: | TERRAFORM_VERSION=1.14.4 curl -s "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip" -o /tmp/terraform.zip unzip -o /tmp/terraform.zip -d /tmp sudo mv /tmp/terraform /usr/local/bin/ rm /tmp/terraform.zip terraform version - uses: actions/setup-python@v6 with: cache: 'pip' python-version: '3.11' architecture: 'x64' - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v5 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: eu-west-2 - name: Install Python dependencies run: | pip install -r requirements.txt pip install pytest "moto[s3]" - name: Run E2E test (build, verify, destroy) timeout-minutes: 45 env: ATTACK_RANGE_E2E: "1" ATTACK_RANGE_CI: "1" OBJC_DISABLE_INITIALIZE_FORK_SAFETY: "YES" run: | pytest tests/e2e/test_splunk_windows_aws.py -v -s --log-cli-level=INFO - name: Destroy attack range (cleanup) if: always() timeout-minutes: 10 env: ATTACK_RANGE_CI: "1" run: | shopt -s nullglob configs=(config/*.yml) if [ ${#configs[@]} -eq 0 ]; then echo "No config files to destroy." exit 0 fi for cfg in "${configs[@]}"; do echo "Destroying attack range from ${cfg}" python attack_range.py destroy --config "${cfg}" || \ echo "Destroy failed for ${cfg}; fallback job will retry." done - name: Upload config for destroy fallback if: always() uses: actions/upload-artifact@v4 with: name: e2e-attack-range-config path: config/ if-no-files-found: ignore - name: Disconnect WireGuard (cleanup) if: always() run: | CONF="terraform/ansible/client_configs/client1.conf" if [ -f "$CONF" ]; then sudo wg-quick down "$CONF" 2>/dev/null || true fi destroy_e2e_splunk_windows: needs: e2e_splunk_windows if: always() runs-on: latchkey-small timeout-minutes: 30 steps: - name: Checkout repo uses: actions/checkout@v6 - name: Install system packages run: | sudo apt-get update -qq sudo apt-get install -y --no-install-recommends unzip curl - name: Install Terraform run: | TERRAFORM_VERSION=1.14.4 curl -s "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip" -o /tmp/terraform.zip unzip -o /tmp/terraform.zip -d /tmp sudo mv /tmp/terraform /usr/local/bin/ rm /tmp/terraform.zip terraform version - uses: actions/setup-python@v6 with: cache: 'pip' python-version: '3.11' architecture: 'x64' - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v5 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: eu-west-2 - name: Install Python dependencies run: pip install -r requirements.txt - name: Download E2E config artifact uses: actions/download-artifact@v4 continue-on-error: true with: name: e2e-attack-range-config path: config - name: Destroy attack range (timeout fallback) env: ATTACK_RANGE_CI: "1" run: | shopt -s nullglob configs=(config/*.yml) if [ ${#configs[@]} -eq 0 ]; then echo "No config files to destroy (test likely cleaned up successfully)." exit 0 fi failed=0 for cfg in "${configs[@]}"; do echo "Destroying attack range from ${cfg}" if ! python attack_range.py destroy --config "${cfg}"; then echo "Destroy failed for ${cfg} (manual cleanup may be required)" failed=1 fi done exit "${failed}"
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cache dependency installs on the setup step so they are served from cache.
1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- Dependency installs
- End-to-end and browser tests
- Network fetches
This workflow runs 2 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.