Skip to content
Latchkey

Lockfile lint workflow (axios/axios)

The Lockfile lint workflow from axios/axios, explained and optimized by Latchkey.

D

CI health: D - needs work

Point runs-on at Latchkey and get caching, run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: axios/axios.github/workflows/lockfile-lint.ymlLicense MITView source

What it does

This is the Lockfile lint workflow from the axios/axios repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Lockfile lint

on:
  pull_request:
    paths:
      - 'package.json'
      - 'package-lock.json'
      - '.github/workflows/lockfile-lint.yml'
  push:
    branches: [v1.x]
    paths:
      - 'package.json'
      - 'package-lock.json'

permissions:
  contents: read

jobs:
  lockfile-lint:
    name: Validate package-lock.json
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false

      - name: Setup node
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 26.x
          registry-url: 'https://registry.npmjs.org'
          package-manager-cache: false

      - name: Run lockfile-lint
        # Validates that every resolved URL uses HTTPS on registry.npmjs.org
        # and that every entry carries an integrity hash. Catches swap to a
        # mirror, a git/file: URL, or integrity stripping on a dep-update PR.
        # Pinned by name only (no lockfile-lint in devDependencies) so that a
        # compromised dev tree cannot suppress this check.
        run: >
          npx --yes lockfile-lint@4.14.0
          --type npm
          --path package-lock.json
          --validate-https
          --allowed-hosts npm
          --validate-integrity
          --validate-package-names
          --empty-hostname false

The same workflow, on Latchkey

Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.

name: Lockfile lint
 
on:
  pull_request:
    paths:
      - 'package.json'
      - 'package-lock.json'
      - '.github/workflows/lockfile-lint.yml'
  push:
    branches: [v1.x]
    paths:
      - 'package.json'
      - 'package-lock.json'
 
permissions:
  contents: read
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  lockfile-lint:
    timeout-minutes: 30
    name: Validate package-lock.json
    runs-on: latchkey-small
    steps:
      - name: Checkout repo
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
 
      - name: Setup node
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          cache: 'npm'
          node-version: 26.x
          registry-url: 'https://registry.npmjs.org'
          package-manager-cache: false
 
      - name: Run lockfile-lint
        # Validates that every resolved URL uses HTTPS on registry.npmjs.org
        # and that every entry carries an integrity hash. Catches swap to a
        # mirror, a git/file: URL, or integrity stripping on a dep-update PR.
        # Pinned by name only (no lockfile-lint in devDependencies) so that a
        # compromised dev tree cannot suppress this check.
        run: >
          npx --yes lockfile-lint@4.14.0
          --type npm
          --path package-lock.json
          --validate-https
          --allowed-hosts npm
          --validate-integrity
          --validate-package-names
          --empty-hostname false
 

What changed

This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow