Skip to content
Latchkey

build workflow (helm/chartmuseum)

The build workflow from helm/chartmuseum, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get run de-duplication, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: helm/chartmuseum.github/workflows/build.ymlLicense Apache-2.0View source

What it does

This is the build workflow from the helm/chartmuseum repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: build

on:
  push:
    branches:
      - main
    tags:
      - v*

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write
    steps:
      - name: Reclaim disk space
        run: |
          sudo rm -rf /usr/local/lib/android
          sudo rm -rf /usr/share/dotnet
      - name: Checkout
        uses: actions/checkout@v2
      - name: setup go environment
        uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
      - name: download dependencies
        run: make bootstrap
      - name: run unit tests
        run: make test
      - name: build binaries
        run: make build-cross
      - name: run acceptance tests
        run: sudo pip install virtualenv && make acceptance
      - name: Prepare
        id: prepare
        run: |
          DOCKER_IMAGE=ghcr.io/helm/chartmuseum
          DOCKER_PLATFORMS=linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/386
          VERSION=canary

          if [[ $GITHUB_REF == refs/tags/* ]]; then
            VERSION=${GITHUB_REF#refs/tags/}
          fi

          TAGS="--tag ${DOCKER_IMAGE}:${VERSION}"

          echo ::set-output name=docker_image::${DOCKER_IMAGE}
          echo ::set-output name=version::${VERSION}
          echo ::set-output name=buildx_args::--platform ${DOCKER_PLATFORMS} \
            --build-arg revision=$(git rev-parse --short HEAD) \
            ${TAGS} .
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
        with:
          platforms: all
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v2
        with:
          version: v0.9.1
      - name: Available platforms
        run: echo ${{ steps.buildx.outputs.platforms }}
      - name: Docker Login
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Docker Buildx (build and push)
        run: |
          docker buildx build --no-cache --pull --output "type=image,push=true" ${{ steps.prepare.outputs.buildx_args }}
      - name: Docker Check Manifest
        run: |
          docker run --rm mplatform/mquery ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
      - name: Install Kubernetes SBOM Tool
        uses: puerco/bom-installer@aa0837e37b6965b5fc50adfad0683ec3c0a2c2c4
      - name: Install sigstore cosign
        uses: sigstore/cosign-installer@v3.10.1
        with:
          cosign-version: 'v2.2.4'
      - name: Release artifacts (includes SBOM and signatures)
        id: release-artifacts
        env:
          AZURE_STORAGE_CONNECTION_STRING: ${{ secrets.AZURE_STORAGE_CONNECTION_STRING }}
          AZURE_STORAGE_CONTAINER_NAME: ${{ secrets.AZURE_STORAGE_CONTAINER_NAME }}
          COSIGN_EXPERIMENTAL: "true"
        run: |
          SKIP_BUILD=true VERSION="${{ steps.prepare.outputs.version }}" ./scripts/release-artifacts.sh
      - name: Sign the published images (via GitHub OIDC token)
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: |
          cosign sign --yes ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
      - name: Attach SBOM to published images
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: |
          cosign attach sbom --sbom _dist/chartmuseum-${{ steps.prepare.outputs.version }}.spdx ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
      - name: Clear
        if: always()
        run: |
          rm -f ${HOME}/.docker/config.json
      - name: upload coverage report
        uses: actions/upload-artifact@main
        with:
          name: chartmuseum-coverage-report-${{ github.sha }}
          path: .cover/
        if: always()
      - name: upload acceptance test report
        uses: actions/upload-artifact@main
        with:
          name: chartmuseum-acceptance-report-${{ github.sha }}
          path: .robot/
        if: always()

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: build
 
on:
  push:
    branches:
      - main
    tags:
      - v*
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  build:
    timeout-minutes: 30
    runs-on: latchkey-small
    permissions:
      contents: read
      packages: write
      id-token: write
    steps:
      - name: Reclaim disk space
        run: |
          sudo rm -rf /usr/local/lib/android
          sudo rm -rf /usr/share/dotnet
      - name: Checkout
        uses: actions/checkout@v2
      - name: setup go environment
        uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
      - name: download dependencies
        run: make bootstrap
      - name: run unit tests
        run: make test
      - name: build binaries
        run: make build-cross
      - name: run acceptance tests
        run: sudo pip install virtualenv && make acceptance
      - name: Prepare
        id: prepare
        run: |
          DOCKER_IMAGE=ghcr.io/helm/chartmuseum
          DOCKER_PLATFORMS=linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/386
          VERSION=canary
 
          if [[ $GITHUB_REF == refs/tags/* ]]; then
            VERSION=${GITHUB_REF#refs/tags/}
          fi
 
          TAGS="--tag ${DOCKER_IMAGE}:${VERSION}"
 
          echo ::set-output name=docker_image::${DOCKER_IMAGE}
          echo ::set-output name=version::${VERSION}
          echo ::set-output name=buildx_args::--platform ${DOCKER_PLATFORMS} \
            --build-arg revision=$(git rev-parse --short HEAD) \
            ${TAGS} .
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
        with:
          platforms: all
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v2
        with:
          version: v0.9.1
      - name: Available platforms
        run: echo ${{ steps.buildx.outputs.platforms }}
      - name: Docker Login
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Docker Buildx (build and push)
        run: |
          docker buildx build --no-cache --pull --output "type=image,push=true" ${{ steps.prepare.outputs.buildx_args }}
      - name: Docker Check Manifest
        run: |
          docker run --rm mplatform/mquery ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
      - name: Install Kubernetes SBOM Tool
        uses: puerco/bom-installer@aa0837e37b6965b5fc50adfad0683ec3c0a2c2c4
      - name: Install sigstore cosign
        uses: sigstore/cosign-installer@v3.10.1
        with:
          cosign-version: 'v2.2.4'
      - name: Release artifacts (includes SBOM and signatures)
        id: release-artifacts
        env:
          AZURE_STORAGE_CONNECTION_STRING: ${{ secrets.AZURE_STORAGE_CONNECTION_STRING }}
          AZURE_STORAGE_CONTAINER_NAME: ${{ secrets.AZURE_STORAGE_CONTAINER_NAME }}
          COSIGN_EXPERIMENTAL: "true"
        run: |
          SKIP_BUILD=true VERSION="${{ steps.prepare.outputs.version }}" ./scripts/release-artifacts.sh
      - name: Sign the published images (via GitHub OIDC token)
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: |
          cosign sign --yes ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
      - name: Attach SBOM to published images
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: |
          cosign attach sbom --sbom _dist/chartmuseum-${{ steps.prepare.outputs.version }}.spdx ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
      - name: Clear
        if: always()
        run: |
          rm -f ${HOME}/.docker/config.json
      - name: upload coverage report
        uses: actions/upload-artifact@main
        with:
          name: chartmuseum-coverage-report-${{ github.sha }}
          path: .cover/
        if: always()
      - name: upload acceptance test report
        uses: actions/upload-artifact@main
        with:
          name: chartmuseum-acceptance-report-${{ github.sha }}
          path: .robot/
        if: always()
 

What changed

4 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow