Static Validation workflow (ddev/ddev)
The Static Validation workflow from ddev/ddev, explained and optimized by Latchkey.
CI health: B - good
Point runs-on at Latchkey and get job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Static Validation workflow from the ddev/ddev repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Static Validation
on:
push:
tags:
- v*
branches: [ main ]
pull_request:
paths:
- ".github/workflows/**"
- "!.github/workflows/docs**"
- "cmd/**"
- "pkg/**"
- "go.*"
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
defaults:
run:
shell: bash
permissions:
contents: read
jobs:
lint:
permissions:
contents: read # for actions/checkout to fetch code
pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
name: Lint Go Files
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v7
- name: Setup Go
uses: actions/setup-go@v6
with:
go-version: '>=1.23'
check-latest: true
- name: Lint Go Files
uses: golangci/golangci-lint-action@v9
check_modules:
name: Check Go Modules
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v7
- name: Setup Go
uses: actions/setup-go@v6
with:
go-version: '>=1.23'
check-latest: true
# Fails if something is wrong with the dependencies
- name: Verify Go Modules
run: |
go mod verify
# Fails if modules aren't in a clean state
- name: Tidy Go Modules
run: |
go mod tidy
git diff --exit-code
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: Static Validation on: push: tags: - v* branches: [ main ] pull_request: paths: - ".github/workflows/**" - "!.github/workflows/docs**" - "cmd/**" - "pkg/**" - "go.*" concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true defaults: run: shell: bash permissions: contents: read jobs: lint: timeout-minutes: 30 permissions: contents: read # for actions/checkout to fetch code pull-requests: read # for golangci/golangci-lint-action to fetch pull requests name: Lint Go Files runs-on: latchkey-small steps: - name: Checkout Repository uses: actions/checkout@v7 - name: Setup Go uses: actions/setup-go@v6 with: go-version: '>=1.23' check-latest: true - name: Lint Go Files uses: golangci/golangci-lint-action@v9 check_modules: timeout-minutes: 30 name: Check Go Modules runs-on: latchkey-small steps: - name: Checkout Repository uses: actions/checkout@v7 - name: Setup Go uses: actions/setup-go@v6 with: go-version: '>=1.23' check-latest: true # Fails if something is wrong with the dependencies - name: Verify Go Modules run: | go mod verify # Fails if modules aren't in a clean state - name: Tidy Go Modules run: | go mod tidy git diff --exit-code
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Add a job timeout so a hung step cannot burn hours of runner time.
1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
This workflow runs 2 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.