AI Dependency Change Review workflow (grafana/alloy)
The AI Dependency Change Review workflow from grafana/alloy, explained and optimized by Latchkey.
A
CI health: A - excellent
Point runs-on at Latchkey and get job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the AI Dependency Change Review workflow from the grafana/alloy repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
workflow (.yml)
name: AI Dependency Change Review
on:
pull_request:
types: [opened, reopened, synchronize, ready_for_review]
paths:
- '**/go.mod'
permissions:
contents: read
pull-requests: write
id-token: write
concurrency:
group: ai-deps-review-${{ github.event.pull_request.head.sha }}
cancel-in-progress: false
jobs:
analyze-dependencies:
if: github.event.pull_request.draft == false
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version-file: go.mod
- id: get-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@a37de51f3d713a30a9e4b21bcdfbd38170020593 # get-vault-secrets/v1.3.0
with:
repo_secrets: |
OPENAI_API_KEY=openai:api-key
export_env: false
- name: Analyze go.mod changes with OpenAI and comment
env:
OPENAI_API_KEY: ${{ fromJSON(steps.get-secrets.outputs.secrets).OPENAI_API_KEY }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
go run -C tools ./cmd aireview \
--prompt-file="../.github/ai-review-prompts/dependency-review.md" \
--marker="<!-- ai-deps-review -->" \
--slug="${{ github.repository }}" \
--pr-number="${{ github.event.pull_request.number }}"
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: AI Dependency Change Review on: pull_request: types: [opened, reopened, synchronize, ready_for_review] paths: - '**/go.mod' permissions: contents: read pull-requests: write id-token: write concurrency: group: ai-deps-review-${{ github.event.pull_request.head.sha }} cancel-in-progress: false jobs: analyze-dependencies: timeout-minutes: 30 if: github.event.pull_request.draft == false runs-on: latchkey-small steps: - name: Checkout code uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - name: Set up Go uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: go.mod - id: get-secrets uses: grafana/shared-workflows/actions/get-vault-secrets@a37de51f3d713a30a9e4b21bcdfbd38170020593 # get-vault-secrets/v1.3.0 with: repo_secrets: | OPENAI_API_KEY=openai:api-key export_env: false - name: Analyze go.mod changes with OpenAI and comment env: OPENAI_API_KEY: ${{ fromJSON(steps.get-secrets.outputs.secrets).OPENAI_API_KEY }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | go run -C tools ./cmd aireview \ --prompt-file="../.github/ai-review-prompts/dependency-review.md" \ --marker="<!-- ai-deps-review -->" \ --slug="${{ github.repository }}" \ --pr-number="${{ github.event.pull_request.number }}"
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Add a job timeout so a hung step cannot burn hours of runner time.
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.