certs workflow (bojand/ghz)
The certs workflow from bojand/ghz, explained and optimized by Latchkey.
A
CI health: A - excellent
Point runs-on at Latchkey and get job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the certs workflow from the bojand/ghz repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
workflow (.yml)
name: certs
on:
schedule:
- cron: '10 0 1 * *'
workflow_dispatch:
inputs:
comment:
description: 'comment on the workflow dispatch'
required: false
default: 'manual workflow dispatch'
type: string
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Refresh certificates
run: openssl req -x509 -out testdata/localhost.crt -keyout testdata/localhost.key -newkey rsa:2048 -nodes -sha256 -subj '/CN=localhost' -extensions EXT -config <( printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
- name: Commit to repository
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COMMIT_MSG: Refresh certificates
run: |
git config user.email "dbojan@gmail.com"
git config user.name "Bojan"
# Update origin with token
git remote set-url origin https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git
# Checkout the branch so we can push back to it
git checkout master
git add .
# Only commit and push if we have changes
git diff --quiet && git diff --staged --quiet || (git commit -m "${COMMIT_MSG}"; git push origin master)
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: certs on: schedule: - cron: '10 0 1 * *' workflow_dispatch: inputs: comment: description: 'comment on the workflow dispatch' required: false default: 'manual workflow dispatch' type: string jobs: build: timeout-minutes: 30 runs-on: latchkey-small steps: - uses: actions/checkout@v4 - name: Refresh certificates run: openssl req -x509 -out testdata/localhost.crt -keyout testdata/localhost.key -newkey rsa:2048 -nodes -sha256 -subj '/CN=localhost' -extensions EXT -config <( printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth") - name: Commit to repository env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} COMMIT_MSG: Refresh certificates run: | git config user.email "dbojan@gmail.com" git config user.name "Bojan" # Update origin with token git remote set-url origin https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git # Checkout the branch so we can push back to it git checkout master git add . # Only commit and push if we have changes git diff --quiet && git diff --staged --quiet || (git commit -m "${COMMIT_MSG}"; git push origin master)
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Add a job timeout so a hung step cannot burn hours of runner time.
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.