
Takumi Guard GitHub Actions Rate Limit Increased to ~60,000 req/min

3 min read
Takashi Yoneuchi
CTO @ GMO Flatt Security Inc.

The rate limit for authenticated GitHub Actions/Bot tokens (Tier C) in Takumi Guard has been raised approximately 6x, from ~10,000 req/min to ~60,000 req/min per token. This applies to both npm and PyPI registries.

Background

The software supply chain continues to face serious threats. Recent incidents such as the LiteLLM compromise and the axios compromise (see the summary by GMO Flatt Security) show that even widely used packages are not immune to attack. As demand for Takumi Guard grows in response to this landscape, we are committed to supporting organizations at scale.

Organizations with large-scale environments, where many concurrent GitHub Actions jobs share a single token, could hit the previous limit of 10,000 req/min during peak activity and receive 429 Too Many Requests responses from the registry proxy. To ensure Takumi Guard can protect even the largest CI pipelines without friction, we have raised the limit.

What Changed

The rate limit window for GitHub Actions/Bot tokens was reduced from 60 seconds to 10 seconds while keeping the same per-window count (10,000 requests). This raises the allowed sustained throughput to ~60,000 req/min per token. Note that the per-window ceiling itself is unchanged: a burst of more than 10,000 requests inside any single 10-second window will still be rejected with 429, so the change improves sustained throughput rather than instantaneous burst capacity.

Access method          Before                     After
Bot token              10,000 req/min per token   10,000 req/10 s per token (~60,000 req/min)
Email-verified token   10,000 req/min per token   10,000 req/min per token
Anonymous              2,000 req/min per IP       2,000 req/min per IP

No action is required on your side. The change is applied automatically.

Getting Started with Organization Usage

To use Takumi Guard with a Bot token tied to your GitHub organization, follow these steps:

  1. Visit https://cloud.shisho.dev/hello/takumi and sign in
  2. Register your organization. A payment screen will be displayed, but payment is not required to use this feature
  3. Navigate to the Guard page from the left sidebar
  4. Enter the GitHub organization name you want to protect — a Bot ID will be issued for your organization

Guard setup — registering a GitHub organization and obtaining a Bot ID

  5. Add the setup step to your GitHub Actions workflow. Specifically, make the following three changes:
    • Add id-token: write to permissions (required so the job can obtain a GitHub OIDC token)
    • Add the other permissions the job needs, such as contents: read
    • Add the flatt-security/setup-takumi-guard-npm@v1 action with your Bot ID

Guard setup — adding the setup step to a GitHub Actions workflow

Once configured, all npm package requests made from that GitHub Actions job are authenticated with the Bot token and benefit from the higher rate limit.
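The following workflow shows the three changes from step 5 applied together. It is an added example written for this article, not a file from the Takumi Guard documentation or the action's repository: the action input name `bot-id`, the organization variable `TAKUMI_GUARD_BOT_ID` that holds the issued Bot ID, and the Node.js setup step are assumptions, so check the action's README for the real input name before copying it.

```yaml
# Added example workflow (assumed names marked below; not from the Takumi Guard docs).
name: ci

on:
  push:
    branches: [main]
  pull_request:

# Declare permissions at the workflow level so every job starts from this
# minimal set. id-token: write lets the job mint a GitHub OIDC token, which the
# setup action needs; grant nothing beyond that and what checkout requires.
permissions:
  contents: read
  id-token: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      # Authenticate this job's npm traffic to Takumi Guard with the org's Bot ID.
      # ASSUMPTION: the input is called `bot-id` and the Bot ID is stored as an
      # organization/repository variable named TAKUMI_GUARD_BOT_ID.
      - uses: flatt-security/setup-takumi-guard-npm@v1
        with:
          bot-id: ${{ vars.TAKUMI_GUARD_BOT_ID }}

      # Everything from here on resolves packages through the authenticated
      # Bot-token session and is subject to the 10,000 req/10 s limit.
      - run: npm ci
      - run: npm test
```

Two practical points: keep the `permissions` block as narrow as the job allows, because `id-token: write` is a credential-issuing capability and any compromised step in the job can use it; and if your organization runs many jobs under one Bot ID, spread heavy `npm ci` fan-out so that no single 10-second window exceeds 10,000 requests, since that ceiling is what still produces 429s.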

Details

See the Limitations & Caveats page for the full rate limit table.