build workflow (helm/chartmuseum)
The build workflow from helm/chartmuseum, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get run de-duplication, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the build workflow from the helm/chartmuseum repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: build
on:
push:
branches:
- main
tags:
- v*
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Reclaim disk space
run: |
sudo rm -rf /usr/local/lib/android
sudo rm -rf /usr/share/dotnet
- name: Checkout
uses: actions/checkout@v2
- name: setup go environment
uses: actions/setup-go@v6
with:
go-version-file: go.mod
- name: download dependencies
run: make bootstrap
- name: run unit tests
run: make test
- name: build binaries
run: make build-cross
- name: run acceptance tests
run: sudo pip install virtualenv && make acceptance
- name: Prepare
id: prepare
run: |
DOCKER_IMAGE=ghcr.io/helm/chartmuseum
DOCKER_PLATFORMS=linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/386
VERSION=canary
if [[ $GITHUB_REF == refs/tags/* ]]; then
VERSION=${GITHUB_REF#refs/tags/}
fi
TAGS="--tag ${DOCKER_IMAGE}:${VERSION}"
echo ::set-output name=docker_image::${DOCKER_IMAGE}
echo ::set-output name=version::${VERSION}
echo ::set-output name=buildx_args::--platform ${DOCKER_PLATFORMS} \
--build-arg revision=$(git rev-parse --short HEAD) \
${TAGS} .
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
with:
platforms: all
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v2
with:
version: v0.9.1
- name: Available platforms
run: echo ${{ steps.buildx.outputs.platforms }}
- name: Docker Login
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Docker Buildx (build and push)
run: |
docker buildx build --no-cache --pull --output "type=image,push=true" ${{ steps.prepare.outputs.buildx_args }}
- name: Docker Check Manifest
run: |
docker run --rm mplatform/mquery ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
- name: Install Kubernetes SBOM Tool
uses: puerco/bom-installer@aa0837e37b6965b5fc50adfad0683ec3c0a2c2c4
- name: Install sigstore cosign
uses: sigstore/cosign-installer@v3.10.1
with:
cosign-version: 'v2.2.4'
- name: Release artifacts (includes SBOM and signatures)
id: release-artifacts
env:
AZURE_STORAGE_CONNECTION_STRING: ${{ secrets.AZURE_STORAGE_CONNECTION_STRING }}
AZURE_STORAGE_CONTAINER_NAME: ${{ secrets.AZURE_STORAGE_CONTAINER_NAME }}
COSIGN_EXPERIMENTAL: "true"
run: |
SKIP_BUILD=true VERSION="${{ steps.prepare.outputs.version }}" ./scripts/release-artifacts.sh
- name: Sign the published images (via GitHub OIDC token)
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign sign --yes ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
- name: Attach SBOM to published images
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign attach sbom --sbom _dist/chartmuseum-${{ steps.prepare.outputs.version }}.spdx ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
- name: Clear
if: always()
run: |
rm -f ${HOME}/.docker/config.json
- name: upload coverage report
uses: actions/upload-artifact@main
with:
name: chartmuseum-coverage-report-${{ github.sha }}
path: .cover/
if: always()
- name: upload acceptance test report
uses: actions/upload-artifact@main
with:
name: chartmuseum-acceptance-report-${{ github.sha }}
path: .robot/
if: always()
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: build on: push: branches: - main tags: - v* concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: build: timeout-minutes: 30 runs-on: latchkey-small permissions: contents: read packages: write id-token: write steps: - name: Reclaim disk space run: | sudo rm -rf /usr/local/lib/android sudo rm -rf /usr/share/dotnet - name: Checkout uses: actions/checkout@v2 - name: setup go environment uses: actions/setup-go@v6 with: go-version-file: go.mod - name: download dependencies run: make bootstrap - name: run unit tests run: make test - name: build binaries run: make build-cross - name: run acceptance tests run: sudo pip install virtualenv && make acceptance - name: Prepare id: prepare run: | DOCKER_IMAGE=ghcr.io/helm/chartmuseum DOCKER_PLATFORMS=linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/386 VERSION=canary if [[ $GITHUB_REF == refs/tags/* ]]; then VERSION=${GITHUB_REF#refs/tags/} fi TAGS="--tag ${DOCKER_IMAGE}:${VERSION}" echo ::set-output name=docker_image::${DOCKER_IMAGE} echo ::set-output name=version::${VERSION} echo ::set-output name=buildx_args::--platform ${DOCKER_PLATFORMS} \ --build-arg revision=$(git rev-parse --short HEAD) \ ${TAGS} . - name: Set up QEMU uses: docker/setup-qemu-action@v1 with: platforms: all - name: Set up Docker Buildx id: buildx uses: docker/setup-buildx-action@v2 with: version: v0.9.1 - name: Available platforms run: echo ${{ steps.buildx.outputs.platforms }} - name: Docker Login uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Docker Buildx (build and push) run: | docker buildx build --no-cache --pull --output "type=image,push=true" ${{ steps.prepare.outputs.buildx_args }} - name: Docker Check Manifest run: | docker run --rm mplatform/mquery ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }} - name: Install Kubernetes SBOM Tool uses: puerco/bom-installer@aa0837e37b6965b5fc50adfad0683ec3c0a2c2c4 - name: Install sigstore cosign uses: sigstore/cosign-installer@v3.10.1 with: cosign-version: 'v2.2.4' - name: Release artifacts (includes SBOM and signatures) id: release-artifacts env: AZURE_STORAGE_CONNECTION_STRING: ${{ secrets.AZURE_STORAGE_CONNECTION_STRING }} AZURE_STORAGE_CONTAINER_NAME: ${{ secrets.AZURE_STORAGE_CONTAINER_NAME }} COSIGN_EXPERIMENTAL: "true" run: | SKIP_BUILD=true VERSION="${{ steps.prepare.outputs.version }}" ./scripts/release-artifacts.sh - name: Sign the published images (via GitHub OIDC token) env: COSIGN_EXPERIMENTAL: "true" run: | cosign sign --yes ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }} - name: Attach SBOM to published images env: COSIGN_EXPERIMENTAL: "true" run: | cosign attach sbom --sbom _dist/chartmuseum-${{ steps.prepare.outputs.version }}.spdx ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }} - name: Clear if: always() run: | rm -f ${HOME}/.docker/config.json - name: upload coverage report uses: actions/upload-artifact@main with: name: chartmuseum-coverage-report-${{ github.sha }} path: .cover/ if: always() - name: upload acceptance test report uses: actions/upload-artifact@main with: name: chartmuseum-acceptance-report-${{ github.sha }} path: .robot/ if: always()
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cancel superseded runs when a branch or PR gets a newer push.
- Add a job timeout so a hung step cannot burn hours of runner time.
4 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- Dependency installs
- Container pulls and builds
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.