CLI workflow (getsops/sops)
The CLI workflow from getsops/sops, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the CLI workflow from the getsops/sops repository, a real project running GitHub Actions. It is shown here with attribution under its MPL-2.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: CLI
on:
push:
branches:
- main
pull_request:
branches:
- main
permissions:
contents: read
jobs:
build:
name: Build and test ${{ matrix.os }} ${{ matrix.arch }} ${{ matrix.go-version }}
runs-on: ubuntu-latest
strategy:
matrix:
os: [linux, darwin, windows]
arch: [amd64, arm64]
go-version: ['1.25', '1.26']
exclude:
- os: windows
arch: arm64
env:
VAULT_VERSION: "1.14.0"
VAULT_TOKEN: "root"
VAULT_ADDR: "http://127.0.0.1:8200"
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Set up Go ${{ matrix.go-version }}
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
with:
go-version: ${{ matrix.go-version }}
cache: false
id: go
- uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Vendor Go Modules
run: make vendor
- name: Ensure clean working tree
run: git diff --exit-code
- name: Build ${{ matrix.os }}
if: matrix.os != 'windows'
run: GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} go build -o sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} -v ./cmd/sops
- name: Build ${{ matrix.os }}
if: matrix.os == 'windows'
run: GOOS=${{ matrix.os }} go build -o sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }} -v ./cmd/sops
- name: Import test GPG keys
run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done
- name: Test
run: make test
- name: Upload artifact for ${{ matrix.os }}
if: matrix.os != 'windows'
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }}
path: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }}
- name: Upload artifact for ${{ matrix.os }}
if: matrix.os == 'windows'
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }}
path: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }}
test:
name: Functional tests
runs-on: ubuntu-latest
needs: [build]
strategy:
matrix:
go-version: ['1.26']
env:
VAULT_VERSION: "1.14.0"
VAULT_TOKEN: "root"
VAULT_ADDR: "http://127.0.0.1:8200"
steps:
- name: Check out code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
# Rustup will detect toolchain version and profile from rust-toolchain.toml
# It will download and install the toolchain and components automatically
# and make them available for subsequent commands
- name: Install Rust toolchain
run: rustup show
- name: Show Rust version
run: cargo --version
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: sops-${{ matrix.go-version }}-linux-amd64-${{ github.sha }}
- name: Move SOPS binary
run: mv sops-${{ matrix.go-version }}-linux-amd64-${{ github.sha }} ./functional-tests/sops
- name: Make SOPS binary executable
run: chmod +x ./functional-tests/sops
- name: Download Vault
run: curl -O "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" && sudo unzip vault_${VAULT_VERSION}_linux_amd64.zip -d /usr/local/bin/
- name: Start Vault server
run: vault server -dev -dev-root-token-id="$VAULT_TOKEN" &
- name: Enable Vault KV
run: vault secrets enable -version=1 kv
- name: Import test GPG keys
run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done
- name: Run tests
run: cargo test
working-directory: ./functional-tests
# The 'check' job should depend on all other jobs so it's possible to configure branch protection only for 'check'
# instead of having to explicitly list all individual jobs that need to pass.
check:
if: always()
needs:
- build
- test
runs-on: ubuntu-latest
steps:
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
with:
allowed-failures: docs, linters
allowed-skips: non-voting-flaky-job
jobs: ${{ toJSON(needs) }}
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: CLI on: push: branches: - main pull_request: branches: - main permissions: contents: read concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: build: timeout-minutes: 30 name: Build and test ${{ matrix.os }} ${{ matrix.arch }} ${{ matrix.go-version }} runs-on: latchkey-small strategy: matrix: os: [linux, darwin, windows] arch: [amd64, arm64] go-version: ['1.25', '1.26'] exclude: - os: windows arch: arm64 env: VAULT_VERSION: "1.14.0" VAULT_TOKEN: "root" VAULT_ADDR: "http://127.0.0.1:8200" steps: - name: Check out code into the Go module directory uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Set up Go ${{ matrix.go-version }} uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version: ${{ matrix.go-version }} cache: false id: go - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - name: Vendor Go Modules run: make vendor - name: Ensure clean working tree run: git diff --exit-code - name: Build ${{ matrix.os }} if: matrix.os != 'windows' run: GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} go build -o sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} -v ./cmd/sops - name: Build ${{ matrix.os }} if: matrix.os == 'windows' run: GOOS=${{ matrix.os }} go build -o sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }} -v ./cmd/sops - name: Import test GPG keys run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done - name: Test run: make test - name: Upload artifact for ${{ matrix.os }} if: matrix.os != 'windows' uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} path: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} - name: Upload artifact for ${{ matrix.os }} if: matrix.os == 'windows' uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }} path: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }} test: timeout-minutes: 30 name: Functional tests runs-on: latchkey-small needs: [build] strategy: matrix: go-version: ['1.26'] env: VAULT_VERSION: "1.14.0" VAULT_TOKEN: "root" VAULT_ADDR: "http://127.0.0.1:8200" steps: - name: Check out code uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false # Rustup will detect toolchain version and profile from rust-toolchain.toml # It will download and install the toolchain and components automatically # and make them available for subsequent commands - name: Install Rust toolchain run: rustup show - name: Show Rust version run: cargo --version - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: sops-${{ matrix.go-version }}-linux-amd64-${{ github.sha }} - name: Move SOPS binary run: mv sops-${{ matrix.go-version }}-linux-amd64-${{ github.sha }} ./functional-tests/sops - name: Make SOPS binary executable run: chmod +x ./functional-tests/sops - name: Download Vault run: curl -O "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" && sudo unzip vault_${VAULT_VERSION}_linux_amd64.zip -d /usr/local/bin/ - name: Start Vault server run: vault server -dev -dev-root-token-id="$VAULT_TOKEN" & - name: Enable Vault KV run: vault secrets enable -version=1 kv - name: Import test GPG keys run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done - name: Run tests run: cargo test working-directory: ./functional-tests # The 'check' job should depend on all other jobs so it's possible to configure branch protection only for 'check' # instead of having to explicitly list all individual jobs that need to pass. check: timeout-minutes: 30 if: always() needs: - build - test runs-on: latchkey-small steps: - name: Decide whether the needed jobs succeeded or failed uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 with: allowed-failures: docs, linters allowed-skips: non-voting-flaky-job jobs: ${{ toJSON(needs) }}
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cancel superseded runs when a branch or PR gets a newer push.
- Add a job timeout so a hung step cannot burn hours of runner time.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- Dependency installs
- Network fetches
This workflow runs 3 jobs (14 with the matrix expanded) per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.