Skip to content
Latchkey

CLI workflow (getsops/sops)

The CLI workflow from getsops/sops, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: getsops/sops.github/workflows/cli.ymlLicense MPL-2.0View source

What it does

This is the CLI workflow from the getsops/sops repository, a real project running GitHub Actions. It is shown here with attribution under its MPL-2.0 license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: CLI

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

permissions:
  contents: read

jobs:
  build:
    name: Build and test ${{ matrix.os }} ${{ matrix.arch }} ${{ matrix.go-version }}
    runs-on: ubuntu-latest
    strategy:
      matrix:
        os: [linux, darwin, windows]
        arch: [amd64, arm64]
        go-version: ['1.25', '1.26']
        exclude:
          - os: windows
            arch: arm64
    env:
      VAULT_VERSION: "1.14.0"
      VAULT_TOKEN: "root"
      VAULT_ADDR: "http://127.0.0.1:8200"
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false

      - name: Set up Go ${{ matrix.go-version }}
        uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
        with:
          go-version: ${{ matrix.go-version }}
          cache: false
        id: go

      - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-

      - name: Vendor Go Modules
        run: make vendor

      - name: Ensure clean working tree
        run: git diff --exit-code

      - name: Build ${{ matrix.os }}
        if: matrix.os != 'windows'
        run: GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} go build -o sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} -v ./cmd/sops

      - name: Build ${{ matrix.os }}
        if: matrix.os == 'windows'
        run: GOOS=${{ matrix.os }} go build -o sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }} -v ./cmd/sops

      - name: Import test GPG keys
        run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done

      - name: Test
        run: make test

      - name: Upload artifact for ${{ matrix.os }}
        if: matrix.os != 'windows'
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }}
          path: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }}

      - name: Upload artifact for ${{ matrix.os }}
        if: matrix.os == 'windows'
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }}
          path: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }}
  test:
    name: Functional tests
    runs-on: ubuntu-latest
    needs: [build]
    strategy:
      matrix:
        go-version: ['1.26']
    env:
      VAULT_VERSION: "1.14.0"
      VAULT_TOKEN: "root"
      VAULT_ADDR: "http://127.0.0.1:8200"
    steps:
      - name: Check out code
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false

      # Rustup will detect toolchain version and profile from rust-toolchain.toml
      # It will download and install the toolchain and components automatically
      # and make them available for subsequent commands
      - name: Install Rust toolchain
        run: rustup show

      - name: Show Rust version
        run: cargo --version

      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: sops-${{ matrix.go-version }}-linux-amd64-${{ github.sha }}

      - name: Move SOPS binary
        run: mv sops-${{ matrix.go-version }}-linux-amd64-${{ github.sha }} ./functional-tests/sops

      - name: Make SOPS binary executable
        run: chmod +x ./functional-tests/sops

      - name: Download Vault
        run: curl -O "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" && sudo unzip vault_${VAULT_VERSION}_linux_amd64.zip -d /usr/local/bin/

      - name: Start Vault server
        run: vault server -dev -dev-root-token-id="$VAULT_TOKEN" &

      - name: Enable Vault KV
        run: vault secrets enable -version=1 kv

      - name: Import test GPG keys
        run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done

      - name: Run tests
        run: cargo test
        working-directory: ./functional-tests

  # The 'check' job should depend on all other jobs so it's possible to configure branch protection only for 'check'
  # instead of having to explicitly list all individual jobs that need to pass.
  check:
    if: always()

    needs:
      - build
      - test

    runs-on: ubuntu-latest

    steps:
      - name: Decide whether the needed jobs succeeded or failed
        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
        with:
          allowed-failures: docs, linters
          allowed-skips: non-voting-flaky-job
          jobs: ${{ toJSON(needs) }}

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: CLI
 
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
 
permissions:
  contents: read
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  build:
    timeout-minutes: 30
    name: Build and test ${{ matrix.os }} ${{ matrix.arch }} ${{ matrix.go-version }}
    runs-on: latchkey-small
    strategy:
      matrix:
        os: [linux, darwin, windows]
        arch: [amd64, arm64]
        go-version: ['1.25', '1.26']
        exclude:
          - os: windows
            arch: arm64
    env:
      VAULT_VERSION: "1.14.0"
      VAULT_TOKEN: "root"
      VAULT_ADDR: "http://127.0.0.1:8200"
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
 
      - name: Set up Go ${{ matrix.go-version }}
        uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
        with:
          go-version: ${{ matrix.go-version }}
          cache: false
        id: go
 
      - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
 
      - name: Vendor Go Modules
        run: make vendor
 
      - name: Ensure clean working tree
        run: git diff --exit-code
 
      - name: Build ${{ matrix.os }}
        if: matrix.os != 'windows'
        run: GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} go build -o sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} -v ./cmd/sops
 
      - name: Build ${{ matrix.os }}
        if: matrix.os == 'windows'
        run: GOOS=${{ matrix.os }} go build -o sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }} -v ./cmd/sops
 
      - name: Import test GPG keys
        run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done
 
      - name: Test
        run: make test
 
      - name: Upload artifact for ${{ matrix.os }}
        if: matrix.os != 'windows'
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }}
          path: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }}
 
      - name: Upload artifact for ${{ matrix.os }}
        if: matrix.os == 'windows'
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }}
          path: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }}
  test:
    timeout-minutes: 30
    name: Functional tests
    runs-on: latchkey-small
    needs: [build]
    strategy:
      matrix:
        go-version: ['1.26']
    env:
      VAULT_VERSION: "1.14.0"
      VAULT_TOKEN: "root"
      VAULT_ADDR: "http://127.0.0.1:8200"
    steps:
      - name: Check out code
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
 
      # Rustup will detect toolchain version and profile from rust-toolchain.toml
      # It will download and install the toolchain and components automatically
      # and make them available for subsequent commands
      - name: Install Rust toolchain
        run: rustup show
 
      - name: Show Rust version
        run: cargo --version
 
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: sops-${{ matrix.go-version }}-linux-amd64-${{ github.sha }}
 
      - name: Move SOPS binary
        run: mv sops-${{ matrix.go-version }}-linux-amd64-${{ github.sha }} ./functional-tests/sops
 
      - name: Make SOPS binary executable
        run: chmod +x ./functional-tests/sops
 
      - name: Download Vault
        run: curl -O "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" && sudo unzip vault_${VAULT_VERSION}_linux_amd64.zip -d /usr/local/bin/
 
      - name: Start Vault server
        run: vault server -dev -dev-root-token-id="$VAULT_TOKEN" &
 
      - name: Enable Vault KV
        run: vault secrets enable -version=1 kv
 
      - name: Import test GPG keys
        run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done
 
      - name: Run tests
        run: cargo test
        working-directory: ./functional-tests
 
  # The 'check' job should depend on all other jobs so it's possible to configure branch protection only for 'check'
  # instead of having to explicitly list all individual jobs that need to pass.
  check:
    timeout-minutes: 30
    if: always()
 
    needs:
      - build
      - test
 
    runs-on: latchkey-small
 
    steps:
      - name: Decide whether the needed jobs succeeded or failed
        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
        with:
          allowed-failures: docs, linters
          allowed-skips: non-voting-flaky-job
          jobs: ${{ toJSON(needs) }}
 

What changed

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 3 jobs (14 with the matrix expanded) per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow