
Audit and optimize GitHub Actions workflows for caching and efficiency #19

@joshrotenberg

Description


Summary

Review and optimize all GitHub Actions workflows to ensure they are using caching effectively, running efficiently, and following security best practices.

Current Workflows

Areas to Audit

1. Security Auditing 🔒

  • Add cargo-audit for dependency vulnerability scanning
  • Implement cargo-deny for license and security checks
  • Add SARIF output for GitHub Security tab integration
  • Pin action versions to commit SHAs for security
  • Add dependency review action for PRs
  • Implement SLSA provenance for releases
  • Add CodeQL analysis for Rust

2. Dependency Caching

  • Verify Rust toolchain caching is working
  • Check cargo registry caching
  • Audit cargo target directory caching
  • Review cache key strategies for maximum hit rate
  • Add cache warmup for new dependencies

3. Build Optimization

  • Identify redundant builds across jobs
  • Check if we're rebuilding dependencies unnecessarily
  • Review compilation flags and profiles
  • Consider using sccache for distributed caching
  • Implement incremental compilation strategies

4. Job Parallelization

  • Analyze job dependencies and critical path
  • Identify opportunities to run jobs in parallel
  • Review matrix strategy efficiency
  • Consider splitting large jobs
  • Add concurrency groups to prevent duplicate runs

5. Resource Usage

  • Check runner types (ubuntu-latest vs specific versions)
  • Review timeout settings
  • Analyze job duration trends
  • Identify bottlenecks and slow steps
  • Consider self-hosted runners for heavy workloads

Immediate Security Additions Needed

cargo-audit workflow

name: Security Audit
on:
  push:
    paths:
      - '**/Cargo.toml'
      - '**/Cargo.lock'
  pull_request:
  schedule:
    - cron: '0 0 * * *'  # Daily
# Least-privilege token: audit-check needs checks:write to publish a check run
# and issues:write to file an issue for findings found on push/schedule runs
permissions:
  contents: read
  checks: write
  issues: write
jobs:
  security_audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: rustsec/audit-check@v2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

cargo-deny configuration

name: Dependency Check
on: [push, pull_request]
# cargo-deny only reads the checkout; no write scopes needed
permissions:
  contents: read
jobs:
  cargo-deny:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: EmbarkStudios/cargo-deny-action@v2

Dependency review

name: Dependency Review
on: [pull_request]
# dependency-review-action compares the PR's manifests against the base ref;
# contents:read is required (add pull-requests:write only if comment-summary is enabled)
permissions:
  contents: read
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4

Specific Improvements to Consider

Caching Strategies

- uses: Swatinem/rust-cache@v2
  with:
    cache-on-failure: true
    shared-key: "v1-rust"
    cache-targets: true
    cache-all-crates: true

Security Pinning

# Instead of @v4, use commit SHA
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
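To turn the pinning rule above (and the "add concurrency groups" and least-privilege items from the audit list) into something CI can check, here is an added example script; it is not part of this project or of any of the actions mentioned. It scans workflow text line by line with the standard library only, flags every `uses:` reference that is not a full 40-character commit SHA (container actions are checked for an image digest instead, local `./` actions are skipped), and reports whether a `permissions:` key and a top-level `concurrency:` key are present. `SAMPLE_WORKFLOW` is a constructed input for the demonstration; run the script with workflow file paths as arguments to audit a real `.github/workflows` directory.

```python
"""Scan GitHub Actions workflow text for unpinned `uses:` references and for
missing `permissions:` / top-level `concurrency:` keys.

Added example for this issue, not project tooling. Line-based regex scanning
(no YAML parser) keeps it dependency-free; SAMPLE_WORKFLOW is constructed.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List

# Constructed sample: one SHA-pinned step, one tag-pinned step,
# one local action, one container action without a digest.
SAMPLE_WORKFLOW = """\
name: Security Audit
on:
  push:
  pull_request:
jobs:
  security_audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      - uses: rustsec/audit-check@v2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: ./.github/actions/local-thing
      - uses: docker://ghcr.io/example/image:latest
"""

# `- uses: owner/repo@ref   # comment`  -> capture `owner/repo@ref`
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref: str) -> str:
    """Return 'ok' or a short reason why `ref` is not immutably pinned."""
    if ref.startswith("./"):
        return "ok"  # local action: versioned together with the repository
    if ref.startswith("docker://"):
        # Container actions are pinned by image digest, not by git SHA.
        return "ok" if "@sha256:" in ref else "docker image not pinned by digest"
    if "@" not in ref:
        return "no version ref"
    _, version = ref.rsplit("@", 1)
    return "ok" if FULL_SHA_RE.match(version) else "tag or branch ref, not a commit SHA"


def find_unpinned_actions(workflow_text: str) -> List[Dict[str, object]]:
    """List every `uses:` line whose reference a tag/branch move could change."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        reason = classify_uses(m.group(1))
        if reason != "ok":
            findings.append({"line": lineno, "uses": m.group(1), "reason": reason})
    return findings


def audit_workflow(workflow_text: str) -> Dict[str, object]:
    """Pinning findings plus presence of permissions/concurrency keys."""
    return {
        "unpinned": find_unpinned_actions(workflow_text),
        # Job-level `permissions:` also counts; the point is that the
        # repository's default token scope is not silently inherited.
        "has_permissions": re.search(r"^\s*permissions:", workflow_text, re.M) is not None,
        # Only a top-level concurrency group cancels superseded runs of the workflow.
        "has_concurrency": re.search(r"^concurrency:", workflow_text, re.M) is not None,
    }


def report(name: str, result: Dict[str, object]) -> None:
    print(f"== {name}")
    for f in result["unpinned"]:  # type: ignore[union-attr]
        print(f"  line {f['line']}: {f['uses']}  ({f['reason']})")
    if not result["has_permissions"]:
        print("  no `permissions:` key: token inherits repository default scope")
    if not result["has_concurrency"]:
        print("  no top-level `concurrency:` key: duplicate runs are not cancelled")


def main(argv: List[str]) -> int:
    if not argv:
        report("SAMPLE_WORKFLOW", audit_workflow(SAMPLE_WORKFLOW))
        return 0
    worst = 0
    for p in argv:
        result = audit_workflow(Path(p).read_text(encoding="utf-8"))
        report(p, result)
        if result["unpinned"] or not result["has_permissions"]:
            worst = 1  # non-zero exit so a CI step can fail on findings
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The line-based approach deliberately avoids a YAML library so it can run in a bare runner step before any dependencies are installed; the trade-off is that a `uses:` reference written in flow style or across lines would be missed, so treat it as a guard rail rather than a parser.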

Cargo Config for CI

# .cargo/config.toml
[build]
incremental = true   # default for local dev builds; CI selects the profile below

# Select in CI with `cargo build --profile ci` (or CARGO_PROFILE=ci).
[profile.ci]
inherits = "dev"
debug = 0            # no debuginfo: smaller target dir, faster link, better cache hits
incremental = false  # incremental artifacts are large and rarely reused on fresh runners

Success Metrics

  • Zero high/critical vulnerabilities
  • All dependencies audited and approved
  • Reduce average CI time by 30%
  • Achieve >80% cache hit rate
  • SLSA Level 3 compliance for releases

Tools to Implement

  • cargo-audit: Vulnerability database checks
  • cargo-deny: License and security policy enforcement
  • cargo-machete: Unused dependency detection
  • cargo-udeps: Unused dependency analysis
  • cargo-outdated: Outdated dependency detection
  • trivy: Container and dependency scanning

References
