Build and upload binaries workflow (FiloSottile/age)
The Build and upload binaries workflow from FiloSottile/age, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Build and upload binaries workflow from the FiloSottile/age repository, a real project running GitHub Actions. It is shown here with attribution under its BSD-3-Clause license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Build and upload binaries
on:
release:
types: [published]
push:
pull_request:
permissions:
contents: read
jobs:
build:
name: Build binaries
runs-on: ubuntu-latest
strategy:
matrix:
include:
- {GOOS: linux, GOARCH: amd64}
- {GOOS: linux, GOARCH: arm, GOARM: 6}
- {GOOS: linux, GOARCH: arm64}
- {GOOS: darwin, GOARCH: arm64}
- {GOOS: darwin, GOARCH: amd64}
- {GOOS: windows, GOARCH: amd64}
- {GOOS: freebsd, GOARCH: amd64}
steps:
- name: Checkout repository
uses: actions/checkout@v5
with:
fetch-depth: 0
persist-credentials: false
- name: Install Go
uses: actions/setup-go@v6
with:
go-version-file: go.mod
cache: false
- name: Build binary
run: |
VERSION="$(git describe --tags)"
DIR="$(mktemp -d)"
mkdir "$DIR/age"
go build -o "$DIR/age" -trimpath ./cmd/...
cp LICENSE "$DIR/age/LICENSE"
cat .github/workflows/LICENSE.suffix.txt >> "$DIR/age/LICENSE"
if [ "$GOOS" == "windows" ]; then
sudo apt-get update && sudo apt-get install -y osslsigncode
if [ -n "${{ secrets.SIGN_PASS }}" ]; then
for exe in "$DIR"/age/*.exe; do
/usr/bin/osslsigncode sign -t "http://timestamp.comodoca.com" \
-certs .github/workflows/certs/uitacllc.crt \
-key .github/workflows/certs/uitacllc.key \
-pass "${{ secrets.SIGN_PASS }}" \
-n age -in "$exe" -out "$exe.signed"
mv "$exe.signed" "$exe"
done
fi
( cd "$DIR"; zip age.zip -r age )
mv "$DIR/age.zip" "age-$VERSION-$GOOS-$GOARCH.zip"
else
tar -cvzf "age-$VERSION-$GOOS-$GOARCH.tar.gz" -C "$DIR" age
fi
env:
CGO_ENABLED: 0
GOOS: ${{ matrix.GOOS }}
GOARCH: ${{ matrix.GOARCH }}
GOARM: ${{ matrix.GOARM }}
- name: Upload workflow artifacts
uses: actions/upload-artifact@v4
with:
name: age-artifacts-${{ matrix.GOOS }}-${{ matrix.GOARCH }}
path: age-*
source:
name: Package source code
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v5
with:
fetch-depth: 0
persist-credentials: false
- name: Install Go
uses: actions/setup-go@v6
with:
go-version-file: go.mod
cache: false
- name: Create source tarball
run: |
VERSION="$(git describe --tags)"
DIR="$(mktemp -d)"
mkdir "$DIR/age"
git archive --format=tar.gz HEAD | tar -xz -C "$DIR/age"
( cd "$DIR/age"; go mod vendor )
for cmd in "$DIR"/age/{cmd,extra}/*; do
echo "package main" >> "$cmd/version.go"
echo "" >> "$cmd/version.go"
echo "func init() { Version = \"$VERSION\" }" >> "$cmd/version.go"
done
tar -cvzf "age-$VERSION-source.tar.gz" -C "$DIR" age
- name: Upload workflow artifacts
uses: actions/upload-artifact@v4
with:
name: age-artifacts-source
path: age-*-source.tar.gz
upload:
name: Upload and attest release artifacts
if: github.event_name == 'release'
needs: [build, source]
permissions:
contents: write
attestations: write
id-token: write
runs-on: ubuntu-latest
steps:
- name: Download workflow artifacts
uses: actions/download-artifact@v4
with:
pattern: age-artifacts-*
merge-multiple: true
- name: Generate artifacts attestation
uses: actions/attest-build-provenance@v3
with:
subject-path: age-*
- name: Upload release artifacts
run: gh release upload "$GITHUB_REF_NAME" age-*
env:
GH_REPO: ${{ github.repository }}
GH_TOKEN: ${{ github.token }}
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: Build and upload binaries on: release: types: [published] push: pull_request: permissions: contents: read concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: build: timeout-minutes: 30 name: Build binaries runs-on: latchkey-small strategy: matrix: include: - {GOOS: linux, GOARCH: amd64} - {GOOS: linux, GOARCH: arm, GOARM: 6} - {GOOS: linux, GOARCH: arm64} - {GOOS: darwin, GOARCH: arm64} - {GOOS: darwin, GOARCH: amd64} - {GOOS: windows, GOARCH: amd64} - {GOOS: freebsd, GOARCH: amd64} steps: - name: Checkout repository uses: actions/checkout@v5 with: fetch-depth: 0 persist-credentials: false - name: Install Go uses: actions/setup-go@v6 with: go-version-file: go.mod cache: false - name: Build binary run: | VERSION="$(git describe --tags)" DIR="$(mktemp -d)" mkdir "$DIR/age" go build -o "$DIR/age" -trimpath ./cmd/... cp LICENSE "$DIR/age/LICENSE" cat .github/workflows/LICENSE.suffix.txt >> "$DIR/age/LICENSE" if [ "$GOOS" == "windows" ]; then sudo apt-get update && sudo apt-get install -y osslsigncode if [ -n "${{ secrets.SIGN_PASS }}" ]; then for exe in "$DIR"/age/*.exe; do /usr/bin/osslsigncode sign -t "http://timestamp.comodoca.com" \ -certs .github/workflows/certs/uitacllc.crt \ -key .github/workflows/certs/uitacllc.key \ -pass "${{ secrets.SIGN_PASS }}" \ -n age -in "$exe" -out "$exe.signed" mv "$exe.signed" "$exe" done fi ( cd "$DIR"; zip age.zip -r age ) mv "$DIR/age.zip" "age-$VERSION-$GOOS-$GOARCH.zip" else tar -cvzf "age-$VERSION-$GOOS-$GOARCH.tar.gz" -C "$DIR" age fi env: CGO_ENABLED: 0 GOOS: ${{ matrix.GOOS }} GOARCH: ${{ matrix.GOARCH }} GOARM: ${{ matrix.GOARM }} - name: Upload workflow artifacts uses: actions/upload-artifact@v4 with: name: age-artifacts-${{ matrix.GOOS }}-${{ matrix.GOARCH }} path: age-* source: timeout-minutes: 30 name: Package source code runs-on: latchkey-small steps: - name: Checkout repository uses: actions/checkout@v5 with: fetch-depth: 0 persist-credentials: false - name: Install Go uses: actions/setup-go@v6 with: go-version-file: go.mod cache: false - name: Create source tarball run: | VERSION="$(git describe --tags)" DIR="$(mktemp -d)" mkdir "$DIR/age" git archive --format=tar.gz HEAD | tar -xz -C "$DIR/age" ( cd "$DIR/age"; go mod vendor ) for cmd in "$DIR"/age/{cmd,extra}/*; do echo "package main" >> "$cmd/version.go" echo "" >> "$cmd/version.go" echo "func init() { Version = \"$VERSION\" }" >> "$cmd/version.go" done tar -cvzf "age-$VERSION-source.tar.gz" -C "$DIR" age - name: Upload workflow artifacts uses: actions/upload-artifact@v4 with: name: age-artifacts-source path: age-*-source.tar.gz upload: timeout-minutes: 30 name: Upload and attest release artifacts if: github.event_name == 'release' needs: [build, source] permissions: contents: write attestations: write id-token: write runs-on: latchkey-small steps: - name: Download workflow artifacts uses: actions/download-artifact@v4 with: pattern: age-artifacts-* merge-multiple: true - name: Generate artifacts attestation uses: actions/attest-build-provenance@v3 with: subject-path: age-* - name: Upload release artifacts run: gh release upload "$GITHUB_REF_NAME" age-* env: GH_REPO: ${{ github.repository }} GH_TOKEN: ${{ github.token }}
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cancel superseded runs when a branch or PR gets a newer push.
- Add a job timeout so a hung step cannot burn hours of runner time.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- Dependency installs
This workflow runs 3 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.