Skip to content
Latchkey

GitHub Actions Security workflow (swc-project/swc)

The GitHub Actions Security workflow from swc-project/swc, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: swc-project/swc.github/workflows/actions-security.ymlLicense Apache-2.0View source

What it does

This is the GitHub Actions Security workflow from the swc-project/swc repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: GitHub Actions Security

on:
  pull_request:
    paths:
      - ".github/actions/**"
      - ".github/workflows/**"
      - "renovate.json"
      - "deny.toml"
  push:
    branches:
      - main
    paths:
      - ".github/actions/**"
      - ".github/workflows/**"
      - "renovate.json"
      - "deny.toml"
  workflow_dispatch:

permissions: {}

jobs:
  actionlint:
    name: actionlint
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false

      - name: Install actionlint
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
          version="1.7.12"
          archive="actionlint_${version}_linux_amd64.tar.gz"
          install_dir="${RUNNER_TEMP}/actionlint"
          mkdir -p "$install_dir"

          gh release download "v${version}" \
            --repo rhysd/actionlint \
            --pattern "$archive" \
            --pattern "actionlint_${version}_checksums.txt" \
            --dir "$install_dir"

          cd "$install_dir"
          grep "  ${archive}$" "actionlint_${version}_checksums.txt" | sha256sum --check
          tar -xzf "$archive" actionlint
          echo "$install_dir" >> "$GITHUB_PATH"

      - name: Check workflows
        run: actionlint -color -shellcheck=

  pinact:
    name: pinact
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false

      - uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0
        with:
          skip_push: "true"
          verify: "true"

  zizmor:
    name: zizmor
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false

      - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
        with:
          version: v1.25.2
          inputs: ".github/workflows .github/actions"
          min-confidence: high
          min-severity: medium
          advanced-security: "false"
          annotations: "true"

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: GitHub Actions Security
 
on:
  pull_request:
    paths:
      - ".github/actions/**"
      - ".github/workflows/**"
      - "renovate.json"
      - "deny.toml"
  push:
    branches:
      - main
    paths:
      - ".github/actions/**"
      - ".github/workflows/**"
      - "renovate.json"
      - "deny.toml"
  workflow_dispatch:
 
permissions: {}
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  actionlint:
    timeout-minutes: 30
    name: actionlint
    runs-on: latchkey-small
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
 
      - name: Install actionlint
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
          version="1.7.12"
          archive="actionlint_${version}_linux_amd64.tar.gz"
          install_dir="${RUNNER_TEMP}/actionlint"
          mkdir -p "$install_dir"
 
          gh release download "v${version}" \
            --repo rhysd/actionlint \
            --pattern "$archive" \
            --pattern "actionlint_${version}_checksums.txt" \
            --dir "$install_dir"
 
          cd "$install_dir"
          grep "  ${archive}$" "actionlint_${version}_checksums.txt" | sha256sum --check
          tar -xzf "$archive" actionlint
          echo "$install_dir" >> "$GITHUB_PATH"
 
      - name: Check workflows
        run: actionlint -color -shellcheck=
 
  pinact:
    timeout-minutes: 30
    name: pinact
    runs-on: latchkey-small
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
 
      - uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0
        with:
          skip_push: "true"
          verify: "true"
 
  zizmor:
    timeout-minutes: 30
    name: zizmor
    runs-on: latchkey-small
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
 
      - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
        with:
          version: v1.25.2
          inputs: ".github/workflows .github/actions"
          min-confidence: high
          min-severity: medium
          advanced-security: "false"
          annotations: "true"
 

What changed

This workflow runs 3 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow