GitHub Actions Security workflow (swc-project/swc)
The GitHub Actions Security workflow from swc-project/swc, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the GitHub Actions Security workflow from the swc-project/swc repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: GitHub Actions Security
on:
pull_request:
paths:
- ".github/actions/**"
- ".github/workflows/**"
- "renovate.json"
- "deny.toml"
push:
branches:
- main
paths:
- ".github/actions/**"
- ".github/workflows/**"
- "renovate.json"
- "deny.toml"
workflow_dispatch:
permissions: {}
jobs:
actionlint:
name: actionlint
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
with:
persist-credentials: false
- name: Install actionlint
env:
GH_TOKEN: ${{ github.token }}
run: |
set -euo pipefail
version="1.7.12"
archive="actionlint_${version}_linux_amd64.tar.gz"
install_dir="${RUNNER_TEMP}/actionlint"
mkdir -p "$install_dir"
gh release download "v${version}" \
--repo rhysd/actionlint \
--pattern "$archive" \
--pattern "actionlint_${version}_checksums.txt" \
--dir "$install_dir"
cd "$install_dir"
grep " ${archive}$" "actionlint_${version}_checksums.txt" | sha256sum --check
tar -xzf "$archive" actionlint
echo "$install_dir" >> "$GITHUB_PATH"
- name: Check workflows
run: actionlint -color -shellcheck=
pinact:
name: pinact
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
with:
persist-credentials: false
- uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0
with:
skip_push: "true"
verify: "true"
zizmor:
name: zizmor
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
with:
persist-credentials: false
- uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
with:
version: v1.25.2
inputs: ".github/workflows .github/actions"
min-confidence: high
min-severity: medium
advanced-security: "false"
annotations: "true"
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: GitHub Actions Security on: pull_request: paths: - ".github/actions/**" - ".github/workflows/**" - "renovate.json" - "deny.toml" push: branches: - main paths: - ".github/actions/**" - ".github/workflows/**" - "renovate.json" - "deny.toml" workflow_dispatch: permissions: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: actionlint: timeout-minutes: 30 name: actionlint runs-on: latchkey-small permissions: contents: read steps: - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Install actionlint env: GH_TOKEN: ${{ github.token }} run: | set -euo pipefail version="1.7.12" archive="actionlint_${version}_linux_amd64.tar.gz" install_dir="${RUNNER_TEMP}/actionlint" mkdir -p "$install_dir" gh release download "v${version}" \ --repo rhysd/actionlint \ --pattern "$archive" \ --pattern "actionlint_${version}_checksums.txt" \ --dir "$install_dir" cd "$install_dir" grep " ${archive}$" "actionlint_${version}_checksums.txt" | sha256sum --check tar -xzf "$archive" actionlint echo "$install_dir" >> "$GITHUB_PATH" - name: Check workflows run: actionlint -color -shellcheck= pinact: timeout-minutes: 30 name: pinact runs-on: latchkey-small permissions: contents: read steps: - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0 with: skip_push: "true" verify: "true" zizmor: timeout-minutes: 30 name: zizmor runs-on: latchkey-small permissions: contents: read steps: - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 with: version: v1.25.2 inputs: ".github/workflows .github/actions" min-confidence: high min-severity: medium advanced-security: "false" annotations: "true"
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cancel superseded runs when a branch or PR gets a newer push.
- Add a job timeout so a hung step cannot burn hours of runner time.
This workflow runs 3 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.