Install and test AVA workflow (avajs/ava)
The Install and test AVA workflow from avajs/ava, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get caching, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Install and test AVA workflow from the avajs/ava repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Install and test AVA
on:
push:
branches:
- main
pull_request:
paths-ignore:
- "*.md"
- "docs/**"
- "media/**"
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
nodejs:
name: Node.js
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
node-version: [^22.20, ^24.12, ^26]
os: [ubuntu-latest, windows-latest, macos-latest]
steps:
- uses: actions/checkout@v6
- name: Enable symlinks
if: matrix.os == 'windows-latest'
run: |
git config core.symlinks true
git reset --hard
- uses: actions/setup-node@v6
with:
node-version: ${{ matrix.node-version }}
cache: npm
- run: npm install --no-audit
- run: ./scripts/ci.sh
shell: bash
- uses: codecov/codecov-action@v5
with:
disable_search: true
files: coverage/lcov.info
name: ${{ matrix.os }}/${{ matrix.node-version }}
token: ${{ secrets.CODECOV_TOKEN }}
typescript:
name: TypeScript compatibility
runs-on: ubuntu-latest
strategy:
matrix:
ts-version: [~5.9, ~6.0]
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v6
with:
node-version-file: package.json
cache: npm
- run: npm install --no-audit
- run: npm i typescript@${TS_VERSION}
env:
TS_VERSION: ${{ matrix.ts-version }}
- run: ./node_modules/typescript/bin/tsc --version
- run: ./node_modules/typescript/bin/tsc --noEmit
lockfile_churn:
name: Test package-lock for unexpected modifications
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v6
with:
node-version-file: package.json
cache: npm
- run: npm install --no-audit
- name: Test package-lock for unexpected modifications
run: |
npm -v
checksum=$(sha512sum package-lock.json)
npm install --package-lock-only --no-audit
if ! echo ${checksum} | sha512sum --quiet -c -; then
echo "package-lock.json was modified unexpectedly. Please rebuild it using npm@$(npm -v) and commit the changes."
exit 1
fi
without_lockfile:
name: Install dependencies without using a lockfile
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v6
with:
node-version-file: package.json
- run: npm install --no-package-lock --no-audit
- run: ./scripts/ci.sh
shell: bash
xo:
name: Lint source files
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v6
with:
node-version-file: package.json
cache: npm
- run: npm install --no-audit
- run: npx xo
The same workflow, on Latchkey
Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.
name: Install and test AVA on: push: branches: - main pull_request: paths-ignore: - "*.md" - "docs/**" - "media/**" concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: nodejs: timeout-minutes: 30 name: Node.js runs-on: ${{ matrix.os }} strategy: fail-fast: false matrix: node-version: [^22.20, ^24.12, ^26] os: [ubuntu-latest, windows-latest, macos-latest] steps: - uses: actions/checkout@v6 - name: Enable symlinks if: matrix.os == 'windows-latest' run: | git config core.symlinks true git reset --hard - uses: actions/setup-node@v6 with: node-version: ${{ matrix.node-version }} cache: npm - run: npm install --no-audit - run: ./scripts/ci.sh shell: bash - uses: codecov/codecov-action@v5 with: disable_search: true files: coverage/lcov.info name: ${{ matrix.os }}/${{ matrix.node-version }} token: ${{ secrets.CODECOV_TOKEN }} typescript: timeout-minutes: 30 name: TypeScript compatibility runs-on: latchkey-small strategy: matrix: ts-version: [~5.9, ~6.0] steps: - uses: actions/checkout@v6 - uses: actions/setup-node@v6 with: node-version-file: package.json cache: npm - run: npm install --no-audit - run: npm i typescript@${TS_VERSION} env: TS_VERSION: ${{ matrix.ts-version }} - run: ./node_modules/typescript/bin/tsc --version - run: ./node_modules/typescript/bin/tsc --noEmit lockfile_churn: timeout-minutes: 30 name: Test package-lock for unexpected modifications runs-on: latchkey-small steps: - uses: actions/checkout@v6 - uses: actions/setup-node@v6 with: node-version-file: package.json cache: npm - run: npm install --no-audit - name: Test package-lock for unexpected modifications run: | npm -v checksum=$(sha512sum package-lock.json) npm install --package-lock-only --no-audit if ! echo ${checksum} | sha512sum --quiet -c -; then echo "package-lock.json was modified unexpectedly. Please rebuild it using npm@$(npm -v) and commit the changes." exit 1 fi without_lockfile: timeout-minutes: 30 name: Install dependencies without using a lockfile runs-on: latchkey-small steps: - uses: actions/checkout@v6 - uses: actions/setup-node@v6 with: cache: 'npm' node-version-file: package.json - run: npm install --no-package-lock --no-audit - run: ./scripts/ci.sh shell: bash xo: timeout-minutes: 30 name: Lint source files runs-on: latchkey-small steps: - uses: actions/checkout@v6 - uses: actions/setup-node@v6 with: node-version-file: package.json cache: npm - run: npm install --no-audit - run: npx xo
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cache dependency installs on the setup step so they are served from cache.
- Add a job timeout so a hung step cannot burn hours of runner time.
1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- Dependency installs
This workflow runs 5 jobs (14 with the matrix expanded) per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.