Skip to content
Latchkey

Lint and Build workflow (controlplaneio/simulator)

The Lint and Build workflow from controlplaneio/simulator, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get run de-duplication, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: controlplaneio/simulator.github/workflows/build.yamlLicense Apache-2.0View source

What it does

This is the Lint and Build workflow from the controlplaneio/simulator repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Lint and Build
on:
  push:
    ## do not lint and build when tagged, we just need to build when tagged
    tags-ignore:
      - '*'
    branches:
      - '*'
  pull_request:
    branches: ['main', 'master']

jobs:
  lint-and-build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Shallow clones disabled for a linting job

      - name: Run golangci-lint
        uses: reviewdog/action-golangci-lint@v2
        with:
          golangci_lint_flags: "--config=./.golangci.yml --timeout=6m0s"
          go_version_file: go.mod

      - name: Setup Go
        uses: actions/setup-go@v4
        with:
          go-version-file: go.mod

      - name: Check if go.mod and go.sum are up to date
        run: |
          go mod tidy
          git diff --exit-code go.mod go.sum

      - name: Install dependencies
        run: go get ./...

      - name: Test
        run: go test -v ./... --race

      - name: Build
        run: go build -v ./...

  build-scan-docker-images:
    runs-on: ubuntu-latest
    needs: lint-and-build
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build and tag dev image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile.dev
          tags: |
            controlplane/simulator:dev
          load: true
          push: false

      - name: Run Trivy vulnerability scanner on the dev image
        uses: aquasecurity/trivy-action@0.16.0
        with:
          image-ref: 'controlplane/simulator:dev'
          format: 'table'
          exit-code: '1'
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          trivyignores: './.trivy-config/.trivyignore'

      - name: Build and tag simulator image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile
          tags: controlplane/simulator:${{ github.sha }}
          load: true
          push: false

      - name: Run Trivy vulnerability scanner on simulator image
        uses: aquasecurity/trivy-action@0.16.0
        with:
          image-ref: controlplane/simulator:${{ github.sha }}
          format: 'table'
          exit-code: '1'
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          trivyignores: './.trivy-config/.trivyignore'

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Lint and Build
on:
  push:
    ## do not lint and build when tagged, we just need to build when tagged
    tags-ignore:
      - '*'
    branches:
      - '*'
  pull_request:
    branches: ['main', 'master']
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  lint-and-build:
    timeout-minutes: 30
    runs-on: latchkey-small
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Shallow clones disabled for a linting job
 
      - name: Run golangci-lint
        uses: reviewdog/action-golangci-lint@v2
        with:
          golangci_lint_flags: "--config=./.golangci.yml --timeout=6m0s"
          go_version_file: go.mod
 
      - name: Setup Go
        uses: actions/setup-go@v4
        with:
          go-version-file: go.mod
 
      - name: Check if go.mod and go.sum are up to date
        run: |
          go mod tidy
          git diff --exit-code go.mod go.sum
 
      - name: Install dependencies
        run: go get ./...
 
      - name: Test
        run: go test -v ./... --race
 
      - name: Build
        run: go build -v ./...
 
  build-scan-docker-images:
    timeout-minutes: 30
    runs-on: latchkey-small
    needs: lint-and-build
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
 
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
 
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
 
      - name: Build and tag dev image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile.dev
          tags: |
            controlplane/simulator:dev
          load: true
          push: false
 
      - name: Run Trivy vulnerability scanner on the dev image
        uses: aquasecurity/trivy-action@0.16.0
        with:
          image-ref: 'controlplane/simulator:dev'
          format: 'table'
          exit-code: '1'
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          trivyignores: './.trivy-config/.trivyignore'
 
      - name: Build and tag simulator image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile
          tags: controlplane/simulator:${{ github.sha }}
          load: true
          push: false
 
      - name: Run Trivy vulnerability scanner on simulator image
        uses: aquasecurity/trivy-action@0.16.0
        with:
          image-ref: controlplane/simulator:${{ github.sha }}
          format: 'table'
          exit-code: '1'
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          trivyignores: './.trivy-config/.trivyignore'
 

What changed

5 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 2 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow