Skip to content
Latchkey

Docker workflow (argoproj/argo-rollouts)

The Docker workflow from argoproj/argo-rollouts, explained and optimized by Latchkey.

B

CI health: B - good

Point runs-on at Latchkey and get job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: argoproj/argo-rollouts.github/workflows/docker-publish.ymlLicense Apache-2.0View source

What it does

This is the Docker workflow from the argoproj/argo-rollouts repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Docker

on:
  push:
    branches:
      - master
      - release-*
    paths-ignore:
      - '**/*.md'
      - 'docs/**'    

  # Run tests for any PRs.
  pull_request:
    paths-ignore:
      - '**/*.md'
      - 'docs/**'

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions: {}

env:
  # Registry namespace - defaults to 'argoproj', override via GitHub vars
  REGISTRY_NAMESPACE: ${{ vars.REGISTRY_NAMESPACE || 'argoproj' }}

jobs:
  set-vars:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    outputs:
      controller-meta-tags: ${{ steps.controller-meta.outputs.tags }}
      plugin-meta-tags: ${{ steps.plugin-meta.outputs.tags }}
      platforms: ${{ steps.platform-matrix.outputs.platform-matrix }}

    steps:
      - name: Docker meta (controller)
        id: controller-meta
        uses: docker/metadata-action@v5
        with:
          images: |
            quay.io/${{ env.REGISTRY_NAMESPACE }}/argo-rollouts
          tags: |
            type=ref,event=branch,enable=${{ github.ref != 'refs/heads/master'}}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}

      - name: Docker meta (plugin)
        id: plugin-meta
        uses: docker/metadata-action@v5
        with:
          images: |
            quay.io/${{ env.REGISTRY_NAMESPACE }}/kubectl-argo-rollouts
          tags: |
            type=ref,event=branch,enable=${{ github.ref != 'refs/heads/master'}}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}

      # avoid building linux/arm64 for PRs since it takes so long
      - name: Set Platform Matrix
        id: platform-matrix
        run: |
          PLATFORM_MATRIX=linux/amd64
          if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-arm-image') }}" == "true" ]]
          then
            PLATFORM_MATRIX=$PLATFORM_MATRIX,linux/arm64
          fi
          echo "platform-matrix=$PLATFORM_MATRIX" >> $GITHUB_OUTPUT

  build-and-push-controller-image:
    needs: [set-vars]
    permissions:
      contents: read
      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
      id-token: write # for creating OIDC tokens for signing.
    uses: ./.github/workflows/image-reuse.yaml
    with:
      quay_image_name: ${{ needs.set-vars.outputs.controller-meta-tags }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      go-version: '1.26'
      platforms: ${{ needs.set-vars.outputs.platforms }}
      push: ${{ github.event_name != 'pull_request' }}
    secrets:
      quay_username: ${{ secrets.QUAY_USERNAME }}
      quay_password: ${{ secrets.QUAY_ROBOT_TOKEN }}

  build-and-push-plugin-image:
    needs: [set-vars]
    permissions:
      contents: read
      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
      id-token: write # for creating OIDC tokens for signing.
    uses: ./.github/workflows/image-reuse.yaml
    with:
      quay_image_name: ${{ needs.set-vars.outputs.plugin-meta-tags }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      go-version: '1.26'
      platforms: ${{ needs.set-vars.outputs.platforms }}
      push: ${{ github.event_name != 'pull_request' }}
      target: kubectl-argo-rollouts
    secrets:
      quay_username: ${{ secrets.QUAY_USERNAME }}
      quay_password: ${{ secrets.QUAY_ROBOT_TOKEN }}

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Docker
 
on:
  push:
    branches:
      - master
      - release-*
    paths-ignore:
      - '**/*.md'
      - 'docs/**'    
 
  # Run tests for any PRs.
  pull_request:
    paths-ignore:
      - '**/*.md'
      - 'docs/**'
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
permissions: {}
 
env:
  # Registry namespace - defaults to 'argoproj', override via GitHub vars
  REGISTRY_NAMESPACE: ${{ vars.REGISTRY_NAMESPACE || 'argoproj' }}
 
jobs:
  set-vars:
    timeout-minutes: 30
    permissions:
      contents: read
    runs-on: latchkey-small
    outputs:
      controller-meta-tags: ${{ steps.controller-meta.outputs.tags }}
      plugin-meta-tags: ${{ steps.plugin-meta.outputs.tags }}
      platforms: ${{ steps.platform-matrix.outputs.platform-matrix }}
 
    steps:
      - name: Docker meta (controller)
        id: controller-meta
        uses: docker/metadata-action@v5
        with:
          images: |
            quay.io/${{ env.REGISTRY_NAMESPACE }}/argo-rollouts
          tags: |
            type=ref,event=branch,enable=${{ github.ref != 'refs/heads/master'}}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
 
      - name: Docker meta (plugin)
        id: plugin-meta
        uses: docker/metadata-action@v5
        with:
          images: |
            quay.io/${{ env.REGISTRY_NAMESPACE }}/kubectl-argo-rollouts
          tags: |
            type=ref,event=branch,enable=${{ github.ref != 'refs/heads/master'}}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
 
      # avoid building linux/arm64 for PRs since it takes so long
      - name: Set Platform Matrix
        id: platform-matrix
        run: |
          PLATFORM_MATRIX=linux/amd64
          if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-arm-image') }}" == "true" ]]
          then
            PLATFORM_MATRIX=$PLATFORM_MATRIX,linux/arm64
          fi
          echo "platform-matrix=$PLATFORM_MATRIX" >> $GITHUB_OUTPUT
 
  build-and-push-controller-image:
    timeout-minutes: 30
    needs: [set-vars]
    permissions:
      contents: read
      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
      id-token: write # for creating OIDC tokens for signing.
    uses: ./.github/workflows/image-reuse.yaml
    with:
      quay_image_name: ${{ needs.set-vars.outputs.controller-meta-tags }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      go-version: '1.26'
      platforms: ${{ needs.set-vars.outputs.platforms }}
      push: ${{ github.event_name != 'pull_request' }}
    secrets:
      quay_username: ${{ secrets.QUAY_USERNAME }}
      quay_password: ${{ secrets.QUAY_ROBOT_TOKEN }}
 
  build-and-push-plugin-image:
    timeout-minutes: 30
    needs: [set-vars]
    permissions:
      contents: read
      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
      id-token: write # for creating OIDC tokens for signing.
    uses: ./.github/workflows/image-reuse.yaml
    with:
      quay_image_name: ${{ needs.set-vars.outputs.plugin-meta-tags }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      go-version: '1.26'
      platforms: ${{ needs.set-vars.outputs.platforms }}
      push: ${{ github.event_name != 'pull_request' }}
      target: kubectl-argo-rollouts
    secrets:
      quay_username: ${{ secrets.QUAY_USERNAME }}
      quay_password: ${{ secrets.QUAY_ROBOT_TOKEN }}
 

What changed

1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

This workflow runs 3 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow