Skip to content
Latchkey

Build and upload binaries workflow (FiloSottile/age)

The Build and upload binaries workflow from FiloSottile/age, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: FiloSottile/age.github/workflows/build.ymlLicense BSD-3-ClauseView source

What it does

This is the Build and upload binaries workflow from the FiloSottile/age repository, a real project running GitHub Actions. It is shown here with attribution under its BSD-3-Clause license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Build and upload binaries
on:
  release:
    types: [published]
  push:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    name: Build binaries
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - {GOOS: linux, GOARCH: amd64}
          - {GOOS: linux, GOARCH: arm, GOARM: 6}
          - {GOOS: linux, GOARCH: arm64}
          - {GOOS: darwin, GOARCH: arm64}
          - {GOOS: darwin, GOARCH: amd64}
          - {GOOS: windows, GOARCH: amd64}
          - {GOOS: freebsd, GOARCH: amd64}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Install Go
        uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          cache: false
      - name: Build binary
        run: |
          VERSION="$(git describe --tags)"
          DIR="$(mktemp -d)"
          mkdir "$DIR/age"
          go build -o "$DIR/age" -trimpath ./cmd/...
          cp LICENSE "$DIR/age/LICENSE"
          cat .github/workflows/LICENSE.suffix.txt >> "$DIR/age/LICENSE"
          if [ "$GOOS" == "windows" ]; then
            sudo apt-get update && sudo apt-get install -y osslsigncode
            if [ -n "${{ secrets.SIGN_PASS }}" ]; then
              for exe in "$DIR"/age/*.exe; do
                /usr/bin/osslsigncode sign -t "http://timestamp.comodoca.com" \
                  -certs .github/workflows/certs/uitacllc.crt \
                  -key .github/workflows/certs/uitacllc.key \
                  -pass "${{ secrets.SIGN_PASS }}" \
                  -n age -in "$exe" -out "$exe.signed"
                mv "$exe.signed" "$exe"
              done
            fi
            ( cd "$DIR"; zip age.zip -r age )
            mv "$DIR/age.zip" "age-$VERSION-$GOOS-$GOARCH.zip"
          else
            tar -cvzf "age-$VERSION-$GOOS-$GOARCH.tar.gz" -C "$DIR" age
          fi
        env:
          CGO_ENABLED: 0
          GOOS: ${{ matrix.GOOS }}
          GOARCH: ${{ matrix.GOARCH }}
          GOARM: ${{ matrix.GOARM }}
      - name: Upload workflow artifacts
        uses: actions/upload-artifact@v4
        with:
          name: age-artifacts-${{ matrix.GOOS }}-${{ matrix.GOARCH }}
          path: age-*
  source:
    name: Package source code
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Install Go
        uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          cache: false
      - name: Create source tarball
        run: |
          VERSION="$(git describe --tags)"
          DIR="$(mktemp -d)"
          mkdir "$DIR/age"
          git archive --format=tar.gz HEAD | tar -xz -C "$DIR/age"
          ( cd "$DIR/age"; go mod vendor )
          for cmd in "$DIR"/age/{cmd,extra}/*; do
            echo "package main" >> "$cmd/version.go"
            echo "" >> "$cmd/version.go"
            echo "func init() { Version = \"$VERSION\" }" >> "$cmd/version.go"
          done
          tar -cvzf "age-$VERSION-source.tar.gz" -C "$DIR" age
      - name: Upload workflow artifacts
        uses: actions/upload-artifact@v4
        with:
          name: age-artifacts-source
          path: age-*-source.tar.gz
  upload:
    name: Upload and attest release artifacts
    if: github.event_name == 'release'
    needs: [build, source]
    permissions:
      contents: write
      attestations: write
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - name: Download workflow artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: age-artifacts-*
          merge-multiple: true
      - name: Generate artifacts attestation
        uses: actions/attest-build-provenance@v3
        with:
          subject-path: age-*
      - name: Upload release artifacts
        run: gh release upload "$GITHUB_REF_NAME" age-*
        env:
          GH_REPO: ${{ github.repository }}
          GH_TOKEN: ${{ github.token }}

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Build and upload binaries
on:
  release:
    types: [published]
  push:
  pull_request:
permissions:
  contents: read
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  build:
    timeout-minutes: 30
    name: Build binaries
    runs-on: latchkey-small
    strategy:
      matrix:
        include:
          - {GOOS: linux, GOARCH: amd64}
          - {GOOS: linux, GOARCH: arm, GOARM: 6}
          - {GOOS: linux, GOARCH: arm64}
          - {GOOS: darwin, GOARCH: arm64}
          - {GOOS: darwin, GOARCH: amd64}
          - {GOOS: windows, GOARCH: amd64}
          - {GOOS: freebsd, GOARCH: amd64}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Install Go
        uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          cache: false
      - name: Build binary
        run: |
          VERSION="$(git describe --tags)"
          DIR="$(mktemp -d)"
          mkdir "$DIR/age"
          go build -o "$DIR/age" -trimpath ./cmd/...
          cp LICENSE "$DIR/age/LICENSE"
          cat .github/workflows/LICENSE.suffix.txt >> "$DIR/age/LICENSE"
          if [ "$GOOS" == "windows" ]; then
            sudo apt-get update && sudo apt-get install -y osslsigncode
            if [ -n "${{ secrets.SIGN_PASS }}" ]; then
              for exe in "$DIR"/age/*.exe; do
                /usr/bin/osslsigncode sign -t "http://timestamp.comodoca.com" \
                  -certs .github/workflows/certs/uitacllc.crt \
                  -key .github/workflows/certs/uitacllc.key \
                  -pass "${{ secrets.SIGN_PASS }}" \
                  -n age -in "$exe" -out "$exe.signed"
                mv "$exe.signed" "$exe"
              done
            fi
            ( cd "$DIR"; zip age.zip -r age )
            mv "$DIR/age.zip" "age-$VERSION-$GOOS-$GOARCH.zip"
          else
            tar -cvzf "age-$VERSION-$GOOS-$GOARCH.tar.gz" -C "$DIR" age
          fi
        env:
          CGO_ENABLED: 0
          GOOS: ${{ matrix.GOOS }}
          GOARCH: ${{ matrix.GOARCH }}
          GOARM: ${{ matrix.GOARM }}
      - name: Upload workflow artifacts
        uses: actions/upload-artifact@v4
        with:
          name: age-artifacts-${{ matrix.GOOS }}-${{ matrix.GOARCH }}
          path: age-*
  source:
    timeout-minutes: 30
    name: Package source code
    runs-on: latchkey-small
    steps:
      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Install Go
        uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          cache: false
      - name: Create source tarball
        run: |
          VERSION="$(git describe --tags)"
          DIR="$(mktemp -d)"
          mkdir "$DIR/age"
          git archive --format=tar.gz HEAD | tar -xz -C "$DIR/age"
          ( cd "$DIR/age"; go mod vendor )
          for cmd in "$DIR"/age/{cmd,extra}/*; do
            echo "package main" >> "$cmd/version.go"
            echo "" >> "$cmd/version.go"
            echo "func init() { Version = \"$VERSION\" }" >> "$cmd/version.go"
          done
          tar -cvzf "age-$VERSION-source.tar.gz" -C "$DIR" age
      - name: Upload workflow artifacts
        uses: actions/upload-artifact@v4
        with:
          name: age-artifacts-source
          path: age-*-source.tar.gz
  upload:
    timeout-minutes: 30
    name: Upload and attest release artifacts
    if: github.event_name == 'release'
    needs: [build, source]
    permissions:
      contents: write
      attestations: write
      id-token: write
    runs-on: latchkey-small
    steps:
      - name: Download workflow artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: age-artifacts-*
          merge-multiple: true
      - name: Generate artifacts attestation
        uses: actions/attest-build-provenance@v3
        with:
          subject-path: age-*
      - name: Upload release artifacts
        run: gh release upload "$GITHUB_REF_NAME" age-*
        env:
          GH_REPO: ${{ github.repository }}
          GH_TOKEN: ${{ github.token }}
 

What changed

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 3 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow