Bump Deps workflow (google/go-containerregistry)
The Bump Deps workflow from google/go-containerregistry, explained and optimized by Latchkey.
CI health: B - good
Point runs-on at Latchkey and get job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Bump Deps workflow from the google/go-containerregistry repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Bump Deps
on:
schedule:
- cron: '0 6 * * 2' # weekly at 6AM Tuesday
workflow_dispatch:
permissions:
contents: write
pull-requests: write
env:
GOTOOLCHAIN: local
jobs:
bump-deps:
name: Bump Deps
# Don't bother bumping deps on forks.
if: ${{ github.repository == 'google/go-containerregistry' }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
with:
go-version-file: '.go-version'
- run: ./hack/bump-deps.sh
- name: Create Pull Request
uses: peter-evans/create-pull-request@v8
with:
title: "Bump dependencies using hack/bump-deps.sh"
commit-message: "Bump dependencies using hack/bump-deps.sh"
labels: dependencies
assignees: imjasonh
delete-branch: true
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: Bump Deps on: schedule: - cron: '0 6 * * 2' # weekly at 6AM Tuesday workflow_dispatch: permissions: contents: write pull-requests: write env: GOTOOLCHAIN: local jobs: bump-deps: timeout-minutes: 30 name: Bump Deps # Don't bother bumping deps on forks. if: ${{ github.repository == 'google/go-containerregistry' }} runs-on: latchkey-small steps: - uses: actions/checkout@v6 - uses: actions/setup-go@v6 with: go-version-file: '.go-version' - run: ./hack/bump-deps.sh - name: Create Pull Request uses: peter-evans/create-pull-request@v8 with: title: "Bump dependencies using hack/bump-deps.sh" commit-message: "Bump dependencies using hack/bump-deps.sh" labels: dependencies assignees: imjasonh delete-branch: true
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Add a job timeout so a hung step cannot burn hours of runner time.
1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.