Lockfile lint workflow (axios/axios)
The Lockfile lint workflow from axios/axios, explained and optimized by Latchkey.
CI health: D - needs work
Point runs-on at Latchkey and get caching, run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Lockfile lint workflow from the axios/axios repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Lockfile lint
on:
pull_request:
paths:
- 'package.json'
- 'package-lock.json'
- '.github/workflows/lockfile-lint.yml'
push:
branches: [v1.x]
paths:
- 'package.json'
- 'package-lock.json'
permissions:
contents: read
jobs:
lockfile-lint:
name: Validate package-lock.json
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup node
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 26.x
registry-url: 'https://registry.npmjs.org'
package-manager-cache: false
- name: Run lockfile-lint
# Validates that every resolved URL uses HTTPS on registry.npmjs.org
# and that every entry carries an integrity hash. Catches swap to a
# mirror, a git/file: URL, or integrity stripping on a dep-update PR.
# Pinned by name only (no lockfile-lint in devDependencies) so that a
# compromised dev tree cannot suppress this check.
run: >
npx --yes lockfile-lint@4.14.0
--type npm
--path package-lock.json
--validate-https
--allowed-hosts npm
--validate-integrity
--validate-package-names
--empty-hostname false
The same workflow, on Latchkey
Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.
name: Lockfile lint on: pull_request: paths: - 'package.json' - 'package-lock.json' - '.github/workflows/lockfile-lint.yml' push: branches: [v1.x] paths: - 'package.json' - 'package-lock.json' permissions: contents: read concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: lockfile-lint: timeout-minutes: 30 name: Validate package-lock.json runs-on: latchkey-small steps: - name: Checkout repo uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Setup node uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: cache: 'npm' node-version: 26.x registry-url: 'https://registry.npmjs.org' package-manager-cache: false - name: Run lockfile-lint # Validates that every resolved URL uses HTTPS on registry.npmjs.org # and that every entry carries an integrity hash. Catches swap to a # mirror, a git/file: URL, or integrity stripping on a dep-update PR. # Pinned by name only (no lockfile-lint in devDependencies) so that a # compromised dev tree cannot suppress this check. run: > npx --yes lockfile-lint@4.14.0 --type npm --path package-lock.json --validate-https --allowed-hosts npm --validate-integrity --validate-package-names --empty-hostname false
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cancel superseded runs when a branch or PR gets a newer push.
- Cache dependency installs on the setup step so they are served from cache.
- Add a job timeout so a hung step cannot burn hours of runner time.
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.