Skip to content
Latchkey

Tests workflow (caddyserver/caddy)

The Tests workflow from caddyserver/caddy, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: caddyserver/caddy.github/workflows/ci.ymlLicense Apache-2.0View source

What it does

This is the Tests workflow from the caddyserver/caddy repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
# Used as inspiration: https://github.com/mvdan/github-actions-golang

name: Tests

on:
  push:
    branches:
      - master
      - 2.*
  pull_request:
    branches:
      - master
      - 2.*

env:
  GOFLAGS: '-tags=nobadger,nomysql,nopgx'
  # https://github.com/actions/setup-go/issues/491
  GOTOOLCHAIN: local

permissions:
  contents: read

jobs:
  test:
    strategy:
      # Default is true, cancels jobs for other platforms in the matrix if one fails
      fail-fast: false
      matrix:
        os:
          - linux
          - mac
          - windows
        go:
          - '1.26'

        include:
        # Set the minimum Go patch version for the given Go minor
        # Usable via ${{ matrix.GO_SEMVER }}
        - go: '1.26'
          GO_SEMVER: '~1.26.0'

        # Set some variables per OS, usable via ${{ matrix.VAR }}
        # OS_LABEL: the VM label from GitHub Actions (see https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories)
        # CADDY_BIN_PATH: the path to the compiled Caddy binary, for artifact publishing
        # SUCCESS: the typical value for $? per OS (Windows/pwsh returns 'True')
        - os: linux
          OS_LABEL: ubuntu-latest
          CADDY_BIN_PATH: ./cmd/caddy/caddy
          SUCCESS: 0

        - os: mac
          OS_LABEL: macos-14
          CADDY_BIN_PATH: ./cmd/caddy/caddy
          SUCCESS: 0

        - os: windows
          OS_LABEL: windows-latest
          CADDY_BIN_PATH: ./cmd/caddy/caddy.exe
          SUCCESS: 'True'

    runs-on: ${{ matrix.OS_LABEL }}
    permissions:
      contents: read
      pull-requests: read
      actions: write # to allow uploading artifacts and cache
    steps:
    - name: Harden the runner (Audit all outbound calls)
      uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
      with:
        egress-policy: audit

    - name: Checkout code
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

    - name: Install Go
      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
      with:
        go-version: ${{ matrix.GO_SEMVER }}
        check-latest: true

    # These tools would be useful if we later decide to reinvestigate
    # publishing test/coverage reports to some tool for easier consumption
    # - name: Install test and coverage analysis tools
    #   run: |
    #     go get github.com/axw/gocov/gocov
    #     go get github.com/AlekSi/gocov-xml
    #     go get -u github.com/jstemmer/go-junit-report
    #     echo "$(go env GOPATH)/bin" >> $GITHUB_PATH

    - name: Print Go version and environment
      id: vars
      shell: bash
      run: |
        printf "Using go at: $(which go)\n"
        printf "Go version: $(go version)\n"
        printf "\n\nGo environment:\n\n"
        go env
        printf "\n\nSystem environment:\n\n"
        env
        printf "Git version: $(git version)\n\n"
        # Calculate the short SHA1 hash of the git commit
        echo "short_sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

    - name: Get dependencies
      run: |
        go get -v -t -d ./...
        # mkdir test-results

    - name: Build Caddy
      working-directory: ./cmd/caddy
      env:
        CGO_ENABLED: 0
      run: |
        go build -trimpath -ldflags="-w -s" -v

    - name: Smoke test Caddy
      working-directory: ./cmd/caddy
      run: |
        ./caddy start
        ./caddy stop

    - name: Publish Build Artifact
      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
      with:
        name: caddy_${{ runner.os }}_go${{ matrix.go }}_${{ steps.vars.outputs.short_sha }}
        path: ${{ matrix.CADDY_BIN_PATH }}
        compression-level: 0

    # Commented bits below were useful to allow the job to continue
    # even if the tests fail, so we can publish the report separately
    # For info about set-output, see https://stackoverflow.com/questions/57850553/github-actions-check-steps-status
    - name: Run tests
      # id: step_test
      # continue-on-error: true
      run: |
        # (go test -coverprofile=cover-profile.out -race ./... 2>&1) > test-results/test-result.out
        go test -coverprofile="cover-profile.out" -short -race ./...
        # echo "status=$?" >> $GITHUB_OUTPUT

    # Relevant step if we reinvestigate publishing test/coverage reports
    # - name: Prepare coverage reports
    #   run: |
    #     mkdir coverage
    #     gocov convert cover-profile.out > coverage/coverage.json
    #     # Because Windows doesn't work with input redirection like *nix, but output redirection works.
    #     (cat ./coverage/coverage.json | gocov-xml) > coverage/coverage.xml

    # To return the correct result even though we set 'continue-on-error: true'
    # - name: Coerce correct build result
    #   if: matrix.os != 'windows' && steps.step_test.outputs.status != ${{ matrix.SUCCESS }}
    #   run: |
    #     echo "step_test ${{ steps.step_test.outputs.status }}\n"
    #     exit 1

  s390x-test:
    name: test (s390x on IBM Z)
    permissions:
      contents: read
      pull-requests: read
    runs-on: ubuntu-latest
    if: github.event.pull_request.head.repo.full_name == 'caddyserver/caddy' && github.actor != 'dependabot[bot]'
    continue-on-error: true  # August 2020: s390x VM is down due to weather and power issues
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          egress-policy: audit
          allowed-endpoints: ci-s390x.caddyserver.com:22

      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Run Tests
        run: |
          set +e
          mkdir -p ~/.ssh && echo -e "${SSH_KEY//_/\\n}" > ~/.ssh/id_ecdsa && chmod og-rwx ~/.ssh/id_ecdsa

          # short sha is enough?
          short_sha=$(git rev-parse --short HEAD)

          # To shorten the following lines
          ssh_opts="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
          ssh_host="$CI_USER@ci-s390x.caddyserver.com"

          # The environment is fresh, so there's no point in keeping accepting and adding the key.
          rsync -arz -e "ssh $ssh_opts" --progress --delete --exclude '.git' . "$ssh_host":/var/tmp/"$short_sha"
          ssh $ssh_opts -t "$ssh_host" bash <<EOF
          cd /var/tmp/$short_sha
          go version
          go env
          printf "\n\n"
          retries=3
          exit_code=0
          while ((retries > 0)); do
            CGO_ENABLED=0 go test -p 1 ./...
            exit_code=$?
            if ((exit_code == 0)); then
              break
            fi
            echo "\n\nTest failed: \$exit_code, retrying..."
            ((retries--))
          done
          echo "Remote exit code: \$exit_code"
          exit \$exit_code
          EOF
          test_result=$?

          # There's no need leaving the files around
          ssh $ssh_opts "$ssh_host" "rm -rf /var/tmp/'$short_sha'"

          echo "Test exit code: $test_result"
          exit $test_result
        env:
          SSH_KEY: ${{ secrets.S390X_SSH_KEY }}
          CI_USER: ${{ secrets.CI_USER }}

  goreleaser-check:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    if: github.event.pull_request.head.repo.full_name == 'caddyserver/caddy' && github.actor != 'dependabot[bot]'
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      
      - uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        with:
          version: latest
          args: check
      - name: Install Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version: "~1.26"
          check-latest: true
      - name: Install xcaddy
        run: |
          go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
          xcaddy version
      - uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        with:
          version: latest
          args: build --single-target --snapshot
        env:
          TAG: ${{ github.head_ref || github.ref_name }}

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

# Used as inspiration: https://github.com/mvdan/github-actions-golang
 
name: Tests
 
on:
  push:
    branches:
      - master
      - 2.*
  pull_request:
    branches:
      - master
      - 2.*
 
env:
  GOFLAGS: '-tags=nobadger,nomysql,nopgx'
  # https://github.com/actions/setup-go/issues/491
  GOTOOLCHAIN: local
 
permissions:
  contents: read
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  test:
    timeout-minutes: 30
    strategy:
      # Default is true, cancels jobs for other platforms in the matrix if one fails
      fail-fast: false
      matrix:
        os:
          - linux
          - mac
          - windows
        go:
          - '1.26'
 
        include:
        # Set the minimum Go patch version for the given Go minor
        # Usable via ${{ matrix.GO_SEMVER }}
        - go: '1.26'
          GO_SEMVER: '~1.26.0'
 
        # Set some variables per OS, usable via ${{ matrix.VAR }}
        # OS_LABEL: the VM label from GitHub Actions (see https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories)
        # CADDY_BIN_PATH: the path to the compiled Caddy binary, for artifact publishing
        # SUCCESS: the typical value for $? per OS (Windows/pwsh returns 'True')
        - os: linux
          OS_LABEL: ubuntu-latest
          CADDY_BIN_PATH: ./cmd/caddy/caddy
          SUCCESS: 0
 
        - os: mac
          OS_LABEL: macos-14
          CADDY_BIN_PATH: ./cmd/caddy/caddy
          SUCCESS: 0
 
        - os: windows
          OS_LABEL: windows-latest
          CADDY_BIN_PATH: ./cmd/caddy/caddy.exe
          SUCCESS: 'True'
 
    runs-on: ${{ matrix.OS_LABEL }}
    permissions:
      contents: read
      pull-requests: read
      actions: write # to allow uploading artifacts and cache
    steps:
    - name: Harden the runner (Audit all outbound calls)
      uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
      with:
        egress-policy: audit
 
    - name: Checkout code
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
    - name: Install Go
      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
      with:
        go-version: ${{ matrix.GO_SEMVER }}
        check-latest: true
 
    # These tools would be useful if we later decide to reinvestigate
    # publishing test/coverage reports to some tool for easier consumption
    # - name: Install test and coverage analysis tools
    #   run: |
    #     go get github.com/axw/gocov/gocov
    #     go get github.com/AlekSi/gocov-xml
    #     go get -u github.com/jstemmer/go-junit-report
    #     echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
 
    - name: Print Go version and environment
      id: vars
      shell: bash
      run: |
        printf "Using go at: $(which go)\n"
        printf "Go version: $(go version)\n"
        printf "\n\nGo environment:\n\n"
        go env
        printf "\n\nSystem environment:\n\n"
        env
        printf "Git version: $(git version)\n\n"
        # Calculate the short SHA1 hash of the git commit
        echo "short_sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
 
    - name: Get dependencies
      run: |
        go get -v -t -d ./...
        # mkdir test-results
 
    - name: Build Caddy
      working-directory: ./cmd/caddy
      env:
        CGO_ENABLED: 0
      run: |
        go build -trimpath -ldflags="-w -s" -v
 
    - name: Smoke test Caddy
      working-directory: ./cmd/caddy
      run: |
        ./caddy start
        ./caddy stop
 
    - name: Publish Build Artifact
      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
      with:
        name: caddy_${{ runner.os }}_go${{ matrix.go }}_${{ steps.vars.outputs.short_sha }}
        path: ${{ matrix.CADDY_BIN_PATH }}
        compression-level: 0
 
    # Commented bits below were useful to allow the job to continue
    # even if the tests fail, so we can publish the report separately
    # For info about set-output, see https://stackoverflow.com/questions/57850553/github-actions-check-steps-status
    - name: Run tests
      # id: step_test
      # continue-on-error: true
      run: |
        # (go test -coverprofile=cover-profile.out -race ./... 2>&1) > test-results/test-result.out
        go test -coverprofile="cover-profile.out" -short -race ./...
        # echo "status=$?" >> $GITHUB_OUTPUT
 
    # Relevant step if we reinvestigate publishing test/coverage reports
    # - name: Prepare coverage reports
    #   run: |
    #     mkdir coverage
    #     gocov convert cover-profile.out > coverage/coverage.json
    #     # Because Windows doesn't work with input redirection like *nix, but output redirection works.
    #     (cat ./coverage/coverage.json | gocov-xml) > coverage/coverage.xml
 
    # To return the correct result even though we set 'continue-on-error: true'
    # - name: Coerce correct build result
    #   if: matrix.os != 'windows' && steps.step_test.outputs.status != ${{ matrix.SUCCESS }}
    #   run: |
    #     echo "step_test ${{ steps.step_test.outputs.status }}\n"
    #     exit 1
 
  s390x-test:
    timeout-minutes: 30
    name: test (s390x on IBM Z)
    permissions:
      contents: read
      pull-requests: read
    runs-on: latchkey-small
    if: github.event.pull_request.head.repo.full_name == 'caddyserver/caddy' && github.actor != 'dependabot[bot]'
    continue-on-error: true  # August 2020: s390x VM is down due to weather and power issues
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          egress-policy: audit
          allowed-endpoints: ci-s390x.caddyserver.com:22
 
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Run Tests
        run: |
          set +e
          mkdir -p ~/.ssh && echo -e "${SSH_KEY//_/\\n}" > ~/.ssh/id_ecdsa && chmod og-rwx ~/.ssh/id_ecdsa
 
          # short sha is enough?
          short_sha=$(git rev-parse --short HEAD)
 
          # To shorten the following lines
          ssh_opts="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
          ssh_host="$CI_USER@ci-s390x.caddyserver.com"
 
          # The environment is fresh, so there's no point in keeping accepting and adding the key.
          rsync -arz -e "ssh $ssh_opts" --progress --delete --exclude '.git' . "$ssh_host":/var/tmp/"$short_sha"
          ssh $ssh_opts -t "$ssh_host" bash <<EOF
          cd /var/tmp/$short_sha
          go version
          go env
          printf "\n\n"
          retries=3
          exit_code=0
          while ((retries > 0)); do
            CGO_ENABLED=0 go test -p 1 ./...
            exit_code=$?
            if ((exit_code == 0)); then
              break
            fi
            echo "\n\nTest failed: \$exit_code, retrying..."
            ((retries--))
          done
          echo "Remote exit code: \$exit_code"
          exit \$exit_code
          EOF
          test_result=$?
 
          # There's no need leaving the files around
          ssh $ssh_opts "$ssh_host" "rm -rf /var/tmp/'$short_sha'"
 
          echo "Test exit code: $test_result"
          exit $test_result
        env:
          SSH_KEY: ${{ secrets.S390X_SSH_KEY }}
          CI_USER: ${{ secrets.CI_USER }}
 
  goreleaser-check:
    timeout-minutes: 30
    runs-on: latchkey-small
    permissions:
      contents: read
      pull-requests: read
    if: github.event.pull_request.head.repo.full_name == 'caddyserver/caddy' && github.actor != 'dependabot[bot]'
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          egress-policy: audit
 
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      
      - uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        with:
          version: latest
          args: check
      - name: Install Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version: "~1.26"
          check-latest: true
      - name: Install xcaddy
        run: |
          go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
          xcaddy version
      - uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        with:
          version: latest
          args: build --single-target --snapshot
        env:
          TAG: ${{ github.head_ref || github.ref_name }}
 

What changed

This workflow runs 3 jobs (5 with the matrix expanded) per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow