Skip to content
Latchkey

Release workflow (databus23/helm-diff)

The Release workflow from databus23/helm-diff, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get run de-duplication, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: databus23/helm-diff.github/workflows/release.yamlLicense Apache-2.0View source

What it does

This is the Release workflow from the databus23/helm-diff repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
# Release workflow
#
# Prerequisites (configure in Settings > Secrets and variables > Actions):
#   - GPG_PRIVATE_KEY: base64-encoded GPG private key for signing release artifacts
#   - GPG_FINGERPRINT: Fingerprint of the GPG key
#   - GPG_PASSPHRASE: Passphrase for the GPG private key
#
# Key management notes:
#   - Use a key with no expiration or set a calendar reminder before expiry
#   - To rotate: generate a new keypair, update all three secrets, and verify
#     with a test release (see the provenance-smoke-test job)

name: Release

on:
  push:
    tags:
      - '*'
    branches:
      - 'main'
      - 'master'
  pull_request:
    branches:
      - 'main'
      - 'master'
  workflow_dispatch:

permissions:
  contents: write

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
      -
        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: echo "flags=--snapshot --skip=sign" >> $GITHUB_ENV
      -
        name: Checkout
        uses: actions/checkout@v7
        with:
          fetch-depth: 0
      -
        name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version-file: 'go.mod'
      -
        name: Import GPG key
        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
        run: |
          gpgconf --launch gpg-agent
          printf '%s' "${{ secrets.GPG_PRIVATE_KEY }}" | base64 --decode | gpg --batch --import
      -
        name: Set GPG environment for signing
        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
        run: |
          echo "GPG_FINGERPRINT=${{ secrets.GPG_FINGERPRINT }}" >> "$GITHUB_ENV"
          echo "GPG_PASSPHRASE=${{ secrets.GPG_PASSPHRASE }}" >> "$GITHUB_ENV"
      -
        name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v7
        with:
          distribution: goreleaser
          version: '~> v1'
          args: release --clean ${{ env.flags }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      -
        name: Verify archives bundle plugin files (snapshot only)
        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: |
          set -e
          missing=0
          for f in dist/helm-diff-*.tgz; do
            echo "== $f =="
            tar tzf "$f"
            for member in diff/plugin.yaml diff/install-binary.sh diff/install-binary.ps1; do
              if ! tar tzf "$f" | grep -q "^${member}$"; then
                echo "ERROR: ${member} missing from ${f}"
                missing=1
              fi
            done
            # the binary has a .exe suffix on windows archives
            if ! tar tzf "$f" | grep -qE '^diff/bin/diff(\.exe)?$'; then
              echo "ERROR: diff/bin/diff missing from ${f}"
              missing=1
            fi
          done
          if [ "$missing" -ne 0 ]; then
            echo "Smoke test failed: required plugin files missing from one or more archives"
            exit 1
          fi
          echo "Smoke test passed: all archives bundle plugin.yaml, install scripts, and binary"
      -
        name: Set up Helm
        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        uses: azure/setup-helm@v5
        with:
          version: v3.18.6
      -
        name: End-to-end archive install test (snapshot only)
        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: |
          set -e
          # Reproduce issue #504: extract a release archive and install from it.
          mkdir -p /tmp/archive-test
          tar xzf dist/helm-diff-linux-amd64.tgz -C /tmp/archive-test
          echo "Extracted archive layout:"
          find /tmp/archive-test/diff -maxdepth 2 -type f | sort

          out="$(helm plugin install /tmp/archive-test/diff 2>&1)"
          echo "$out"
          # The install hook must find the bundled binary already staged in
          # HELM_PLUGIN_DIR and skip the network download.
          echo "$out" | grep -q "skipping download" || {
            echo "ERROR: install hook did not skip the download."
            echo "Archive install must not hit the network (binary is already bundled)."
            exit 1
          }
          helm diff version
          echo "End-to-end archive install test passed: installed from archive without downloading"
      -
        name: Export and upload public key
        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
        run: |
          gpg --export --armor "${{ secrets.GPG_FINGERPRINT }}" > pubkey.asc
          gh release upload ${{ github.ref_name }} pubkey.asc
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  provenance-smoke-test:
    runs-on: ubuntu-latest
    if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
    steps:
      -
        name: Checkout
        uses: actions/checkout@v7
      -
        name: Test provenance signing with disposable key
        run: |
          export GNUPGHOME="$(mktemp -d)"
          tmpdir="$(mktemp -d)"
          trap 'rm -rf "$GNUPGHOME" "$tmpdir"' EXIT
          chmod 700 "$GNUPGHOME"

          gpg --batch --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "helm-diff-test" ed25519 sign 0
          GPG_FINGERPRINT=$(gpg --batch --with-colons --list-secret-keys "helm-diff-test" \
            | grep '^fpr:' | head -1 | cut -d: -f10)
          export GPG_FINGERPRINT
          export GPG_PASSPHRASE=""

          echo "dummy binary" > "$tmpdir/bin"
          tar czf "$tmpdir/helm-diff-linux-amd64.tgz" -C "$tmpdir" bin

          ./scripts/sign-provenance.sh "$tmpdir/helm-diff-linux-amd64.tgz" "$tmpdir/helm-diff-linux-amd64.tgz.prov"

          if [ ! -f "$tmpdir/helm-diff-linux-amd64.tgz.prov" ]; then
            echo "ERROR: provenance file was not created"
            exit 1
          fi

          echo "=== gpg --verify ==="
          gpg --verify "$tmpdir/helm-diff-linux-amd64.tgz.prov"

          echo ""
          echo "=== Signed .prov content ==="
          cat "$tmpdir/helm-diff-linux-amd64.tgz.prov"

          echo ""
          echo "=== Parsed provenance block ==="
          gpg --batch --output - "$tmpdir/helm-diff-linux-amd64.tgz.prov" 2>/dev/null

          echo ""
          echo "Provenance smoke test passed"

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

# Release workflow
#
# Prerequisites (configure in Settings > Secrets and variables > Actions):
#   - GPG_PRIVATE_KEY: base64-encoded GPG private key for signing release artifacts
#   - GPG_FINGERPRINT: Fingerprint of the GPG key
#   - GPG_PASSPHRASE: Passphrase for the GPG private key
#
# Key management notes:
#   - Use a key with no expiration or set a calendar reminder before expiry
#   - To rotate: generate a new keypair, update all three secrets, and verify
#     with a test release (see the provenance-smoke-test job)
 
name: Release
 
on:
  push:
    tags:
      - '*'
    branches:
      - 'main'
      - 'master'
  pull_request:
    branches:
      - 'main'
      - 'master'
  workflow_dispatch:
 
permissions:
  contents: write
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  goreleaser:
    timeout-minutes: 30
    runs-on: latchkey-small
    steps:
      -
        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: echo "flags=--snapshot --skip=sign" >> $GITHUB_ENV
      -
        name: Checkout
        uses: actions/checkout@v7
        with:
          fetch-depth: 0
      -
        name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version-file: 'go.mod'
      -
        name: Import GPG key
        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
        run: |
          gpgconf --launch gpg-agent
          printf '%s' "${{ secrets.GPG_PRIVATE_KEY }}" | base64 --decode | gpg --batch --import
      -
        name: Set GPG environment for signing
        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
        run: |
          echo "GPG_FINGERPRINT=${{ secrets.GPG_FINGERPRINT }}" >> "$GITHUB_ENV"
          echo "GPG_PASSPHRASE=${{ secrets.GPG_PASSPHRASE }}" >> "$GITHUB_ENV"
      -
        name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v7
        with:
          distribution: goreleaser
          version: '~> v1'
          args: release --clean ${{ env.flags }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      -
        name: Verify archives bundle plugin files (snapshot only)
        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: |
          set -e
          missing=0
          for f in dist/helm-diff-*.tgz; do
            echo "== $f =="
            tar tzf "$f"
            for member in diff/plugin.yaml diff/install-binary.sh diff/install-binary.ps1; do
              if ! tar tzf "$f" | grep -q "^${member}$"; then
                echo "ERROR: ${member} missing from ${f}"
                missing=1
              fi
            done
            # the binary has a .exe suffix on windows archives
            if ! tar tzf "$f" | grep -qE '^diff/bin/diff(\.exe)?$'; then
              echo "ERROR: diff/bin/diff missing from ${f}"
              missing=1
            fi
          done
          if [ "$missing" -ne 0 ]; then
            echo "Smoke test failed: required plugin files missing from one or more archives"
            exit 1
          fi
          echo "Smoke test passed: all archives bundle plugin.yaml, install scripts, and binary"
      -
        name: Set up Helm
        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        uses: azure/setup-helm@v5
        with:
          version: v3.18.6
      -
        name: End-to-end archive install test (snapshot only)
        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: |
          set -e
          # Reproduce issue #504: extract a release archive and install from it.
          mkdir -p /tmp/archive-test
          tar xzf dist/helm-diff-linux-amd64.tgz -C /tmp/archive-test
          echo "Extracted archive layout:"
          find /tmp/archive-test/diff -maxdepth 2 -type f | sort
 
          out="$(helm plugin install /tmp/archive-test/diff 2>&1)"
          echo "$out"
          # The install hook must find the bundled binary already staged in
          # HELM_PLUGIN_DIR and skip the network download.
          echo "$out" | grep -q "skipping download" || {
            echo "ERROR: install hook did not skip the download."
            echo "Archive install must not hit the network (binary is already bundled)."
            exit 1
          }
          helm diff version
          echo "End-to-end archive install test passed: installed from archive without downloading"
      -
        name: Export and upload public key
        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
        run: |
          gpg --export --armor "${{ secrets.GPG_FINGERPRINT }}" > pubkey.asc
          gh release upload ${{ github.ref_name }} pubkey.asc
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
  provenance-smoke-test:
    timeout-minutes: 30
    runs-on: latchkey-small
    if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
    steps:
      -
        name: Checkout
        uses: actions/checkout@v7
      -
        name: Test provenance signing with disposable key
        run: |
          export GNUPGHOME="$(mktemp -d)"
          tmpdir="$(mktemp -d)"
          trap 'rm -rf "$GNUPGHOME" "$tmpdir"' EXIT
          chmod 700 "$GNUPGHOME"
 
          gpg --batch --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "helm-diff-test" ed25519 sign 0
          GPG_FINGERPRINT=$(gpg --batch --with-colons --list-secret-keys "helm-diff-test" \
            | grep '^fpr:' | head -1 | cut -d: -f10)
          export GPG_FINGERPRINT
          export GPG_PASSPHRASE=""
 
          echo "dummy binary" > "$tmpdir/bin"
          tar czf "$tmpdir/helm-diff-linux-amd64.tgz" -C "$tmpdir" bin
 
          ./scripts/sign-provenance.sh "$tmpdir/helm-diff-linux-amd64.tgz" "$tmpdir/helm-diff-linux-amd64.tgz.prov"
 
          if [ ! -f "$tmpdir/helm-diff-linux-amd64.tgz.prov" ]; then
            echo "ERROR: provenance file was not created"
            exit 1
          fi
 
          echo "=== gpg --verify ==="
          gpg --verify "$tmpdir/helm-diff-linux-amd64.tgz.prov"
 
          echo ""
          echo "=== Signed .prov content ==="
          cat "$tmpdir/helm-diff-linux-amd64.tgz.prov"
 
          echo ""
          echo "=== Parsed provenance block ==="
          gpg --batch --output - "$tmpdir/helm-diff-linux-amd64.tgz.prov" 2>/dev/null
 
          echo ""
          echo "Provenance smoke test passed"
 

What changed

2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

This workflow runs 2 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow