Skip to content
Latchkey

Tests and Checks workflow (jorisroovers/gitlint)

The Tests and Checks workflow from jorisroovers/gitlint, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get caching, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: jorisroovers/gitlint.github/workflows/ci.ymlLicense MITView source

What it does

This is the Tests and Checks workflow from the jorisroovers/gitlint repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Tests and Checks

# Only run CI on pushes to main and pull requests
# We don't run CI on other branches, but those should be merged into main via a PR anyways which will trigger CI before the merge.
on:
  push:
    branches:
    - main
  pull_request:
    branches:
    - main

concurrency:
  group: ci-${{ github.ref }}-1
  cancel-in-progress: true

jobs:
  tests:
    runs-on: "ubuntu-latest"
    strategy:
      matrix:
        python-version: ["3.7", "3.8", "3.9", "3.10", "3.11", pypy-3.9]
        os: ["macos-latest", "ubuntu-latest", "windows-latest"]
    steps:
      - uses: actions/checkout@v3.3.0
        with:
          ref: ${{ github.event.pull_request.head.sha }} # Checkout pull request HEAD commit instead of merge commit
          fetch-depth: 0 # checkout all history, needed for hatch versioning

      - name: Setup python
        uses: actions/setup-python@v4.7.0
        with:
          python-version: ${{ matrix.python-version }}

      - name: Install Hatch
        run: python -m pip install hatch==1.7.0

      - name: Unit Tests
        run: hatch run test:unit-tests

      - name: Code formatting (black)
        run: hatch run test:format
      
      - name: Code linting (ruff)
        run: hatch run test:lint

      - name: Static type checking (mypy)
        run: hatch run test:type-check

      - name: Install local gitlint for integration tests
        run: hatch run qa:install-local

      - name: Integration tests
        run: hatch run qa:integration-tests
        if: matrix.os != 'windows-latest'

      - name: Integration tests (GITLINT_QA_USE_SH_LIB=0)
        run: hatch run qa:integration-tests -k "not(test_commit_hook_continue or test_commit_hook_abort or test_commit_hook_edit)" qa
        env:
          GITLINT_QA_USE_SH_LIB: 0
        if: matrix.os != 'windows-latest'

      - name: Integration tests (Windows)
        run: |
          hatch run qa:integration-tests -k "not (test_commit_hook_continue or test_commit_hook_abort or test_commit_hook_edit or test_lint_staged_stdin or test_stdin_file or test_stdin_pipe_empty)" qa
        if: matrix.os == 'windows-latest'

      # Run gitlint. Skip during PR runs, since PR commit messages are transient and usually full of gitlint violations.
      # PRs get squashed and get a proper commit message during merge.
      - name: gitlint --debug
        run: hatch run dev:gitlint --debug
        continue-on-error: ${{ github.event_name	== 'pull_request' }} # Don't enforce gitlint in PRs

      - name: Code Coverage (coveralls)
        uses: coverallsapp/github-action@master
        with:
          path-to-lcov: ".coverage.lcov"
          github-token: ${{ secrets.GITHUB_TOKEN }}
          git-commit: ${{ github.event.pull_request.head.sha }}
          flag-name: gitlint-${{ matrix.os }}-${{ matrix.python-version }}
          parallel: true

  build-test:
    runs-on: "ubuntu-latest"
    strategy:
      matrix:
        python-version: ["3.7", "3.8", "3.9", "3.10", "3.11", pypy-3.9]
        os: ["macos-latest", "ubuntu-latest", "windows-latest"]
    steps:
        - uses: actions/checkout@v3.3.0
          with:
            ref: ${{ github.event.pull_request.head.sha }} # Checkout pull request HEAD commit instead of merge commit
            fetch-depth: 0 # checkout all history, needed for hatch versioning
            
        - name: Install pypa/build
          run: python -m pip install build==0.10.0

        - name: Build test (gitlint)
          run: python -m build

        - name: Upload sdist tarball (gitlint)
          uses: actions/upload-artifact@v3
          with:
            name: sdist-gitlint-${{ matrix.python-version }}
            path: dist/*.tar.gz
          if: matrix.os == 'ubuntu-latest'

        - name: Build test (gitlint-core)
          run: python -m build
          working-directory: ./gitlint-core
  
        - name: Upload sdist tarball (gitlint-core)
          uses: actions/upload-artifact@v3
          with:
            name: sdist-gitlint-core-${{ matrix.python-version }}
            path: ./gitlint-core/dist/*.tar.gz
          if: matrix.os == 'ubuntu-latest'
  
  sdist-build-smoke-test:
    # Ensure we can re-build gitlint from its sdist tarball (and that gitlint works after that)
    # This is important for downstream packages (e.g. debian, homebrew, etc)
    needs: build-test
    runs-on: "ubuntu-latest"
    strategy:
      matrix:
        python-version: ["3.7", "3.8", "3.9", "3.10", "3.11", pypy-3.9]
    steps:
      - name: Setup python ${{ matrix.python-version }}
        uses: actions/setup-python@v4.7.0
        with:
          python-version: ${{ matrix.python-version }}

      - name: Download sdist artifact (gitlint)
        uses: actions/download-artifact@v3
        with:
          name: sdist-gitlint-${{ matrix.python-version }}
          path: gitlint

      - name: Download sdist artifact (gitlint-core)
        uses: actions/download-artifact@v3
        with:
          name: sdist-gitlint-core-${{ matrix.python-version }}
          path: gitlint-core

      - name: Extract sdist tarball (gitlint)
        run: tar xzvf *.tar.gz --strip-components=1
        working-directory: ./gitlint

      - name: Extract sdist tarball (gitlint-core)
        run: tar xzvf *.tar.gz --strip-components=1
        working-directory: ./gitlint-core
      
      - name: Install pypa/build
        run: python -m pip install build==0.10.0

      - name: Build test (gitlint)
        run: python -m build
        working-directory: ./gitlint

      - name: Build test (gitlint-core)
        run: python -m build
        working-directory: ./gitlint-core

      - name: Install from wheel (gitlint and gitlint-core)
        run: python -m pip install gitlint-core/dist/*.whl gitlint/dist/*.whl

      # Make sure gitlint works
      - name: gitlint --version
        run: gitlint --version

  doc-checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3.3.0
        with:
          ref: ${{ github.event.pull_request.head.sha }} # Checkout pull request HEAD commit instead of merge commit

      - name: Setup python
        uses: actions/setup-python@v4.7.0
        with:
          python-version: 3.11

      - name: Install Hatch
        run: python -m pip install hatch==1.7.0

      - name: Docs validation (mkdocs build & linkchecker)
        run: hatch run docs:validate
  
  upload-coveralls:
    needs: tests
    runs-on: ubuntu-latest
    steps:
      - name: Upload coverage to coveralls
        uses: coverallsapp/github-action@master
        with:
          path-to-lcov: ".coverage.lcov"
          github-token: ${{ secrets.GITHUB_TOKEN }}
          parallel-finished: true
  
  check:  # This job does nothing and is only used for the branch protection
    if: always()  # Ref: https://github.com/marketplace/actions/alls-green#why

    needs:
      - tests
      - build-test
      - sdist-build-smoke-test
      - doc-checks
      - upload-coveralls

    runs-on: ubuntu-latest

    steps:
      - name: Decide whether the needed jobs succeeded or failed
        uses: re-actors/alls-green@release/v1
        with:
          jobs: ${{ toJSON(needs) }}

  # When on main, auto publish dev build
  auto-publish-dev:
    needs:
      - check

    if: github.ref == 'refs/heads/main'
    uses: ./.github/workflows/publish-release.yml
    secrets: inherit # pass all secrets (required to access secrets in a called workflow)
    with:
      environment: "production"
      repo_release_ref: "main"
      docker_image_tag: "latest_dev"

  # When on main, auto publish docs
  auto-publish-docs:
    needs:
      - check

    if: github.ref == 'refs/heads/main'
    uses: ./.github/workflows/publish-docs.yml
    secrets: inherit # pass all secrets (required to access secrets in a called workflow)
    with:
      docs_version: "dev"

  # After merging a PR, leave a comment on the PR with a link to the new dev build
  notify:
    needs:
      - auto-publish-dev
    if: github.ref == 'refs/heads/main'
    runs-on: "ubuntu-latest"
    steps:
      # Checkout code in order to determine PR number
      - uses: actions/checkout@v3.3.0
        with:
          fetch-depth: 0

      - name: Get PR number
        run: |
          commit_sha=$(git rev-parse HEAD)
          pr_number=$(curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
            "https://api.github.com/repos/jorisroovers/gitlint/commits/$commit_sha/pulls" | jq -r '.[0].number')
          echo "PR_NUMBER=$pr_number" >> $GITHUB_ENV
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - uses: actions/github-script@v6
        with:
          script: |
            const body = `Build \
            [${{ needs.auto-publish-dev.outputs.gitlint_version }}](https://pypi.org/project/gitlint/${{ needs.auto-publish-dev.outputs.gitlint_version }}) \
            is now available on PyPI!

            Install using:
            \`\`\`sh
            pip install gitlint==${{ needs.auto-publish-dev.outputs.gitlint_version }}
            \`\`\`
            `;
            github.rest.issues.createComment({
              issue_number: process.env.PR_NUMBER,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: body
            });
        # Don't run this step if there is no PR number, i.e. on a direct push to main
        if: ${{ env.PR_NUMBER != '' }}

The same workflow, on Latchkey

Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.

name: Tests and Checks
 
# Only run CI on pushes to main and pull requests
# We don't run CI on other branches, but those should be merged into main via a PR anyways which will trigger CI before the merge.
on:
  push:
    branches:
    - main
  pull_request:
    branches:
    - main
 
concurrency:
  group: ci-${{ github.ref }}-1
  cancel-in-progress: true
 
jobs:
  tests:
    timeout-minutes: 30
    runs-on: "ubuntu-latest"
    strategy:
      matrix:
        python-version: ["3.7", "3.8", "3.9", "3.10", "3.11", pypy-3.9]
        os: ["macos-latest", "ubuntu-latest", "windows-latest"]
    steps:
      - uses: actions/checkout@v3.3.0
        with:
          ref: ${{ github.event.pull_request.head.sha }} # Checkout pull request HEAD commit instead of merge commit
          fetch-depth: 0 # checkout all history, needed for hatch versioning
 
      - name: Setup python
        uses: actions/setup-python@v4.7.0
        with:
          cache: 'pip'
          python-version: ${{ matrix.python-version }}
 
      - name: Install Hatch
        run: python -m pip install hatch==1.7.0
 
      - name: Unit Tests
        run: hatch run test:unit-tests
 
      - name: Code formatting (black)
        run: hatch run test:format
      
      - name: Code linting (ruff)
        run: hatch run test:lint
 
      - name: Static type checking (mypy)
        run: hatch run test:type-check
 
      - name: Install local gitlint for integration tests
        run: hatch run qa:install-local
 
      - name: Integration tests
        run: hatch run qa:integration-tests
        if: matrix.os != 'windows-latest'
 
      - name: Integration tests (GITLINT_QA_USE_SH_LIB=0)
        run: hatch run qa:integration-tests -k "not(test_commit_hook_continue or test_commit_hook_abort or test_commit_hook_edit)" qa
        env:
          GITLINT_QA_USE_SH_LIB: 0
        if: matrix.os != 'windows-latest'
 
      - name: Integration tests (Windows)
        run: |
          hatch run qa:integration-tests -k "not (test_commit_hook_continue or test_commit_hook_abort or test_commit_hook_edit or test_lint_staged_stdin or test_stdin_file or test_stdin_pipe_empty)" qa
        if: matrix.os == 'windows-latest'
 
      # Run gitlint. Skip during PR runs, since PR commit messages are transient and usually full of gitlint violations.
      # PRs get squashed and get a proper commit message during merge.
      - name: gitlint --debug
        run: hatch run dev:gitlint --debug
        continue-on-error: ${{ github.event_name	== 'pull_request' }} # Don't enforce gitlint in PRs
 
      - name: Code Coverage (coveralls)
        uses: coverallsapp/github-action@master
        with:
          path-to-lcov: ".coverage.lcov"
          github-token: ${{ secrets.GITHUB_TOKEN }}
          git-commit: ${{ github.event.pull_request.head.sha }}
          flag-name: gitlint-${{ matrix.os }}-${{ matrix.python-version }}
          parallel: true
 
  build-test:
    timeout-minutes: 30
    runs-on: "ubuntu-latest"
    strategy:
      matrix:
        python-version: ["3.7", "3.8", "3.9", "3.10", "3.11", pypy-3.9]
        os: ["macos-latest", "ubuntu-latest", "windows-latest"]
    steps:
        - uses: actions/checkout@v3.3.0
          with:
            ref: ${{ github.event.pull_request.head.sha }} # Checkout pull request HEAD commit instead of merge commit
            fetch-depth: 0 # checkout all history, needed for hatch versioning
            
        - name: Install pypa/build
          run: python -m pip install build==0.10.0
 
        - name: Build test (gitlint)
          run: python -m build
 
        - name: Upload sdist tarball (gitlint)
          uses: actions/upload-artifact@v3
          with:
            name: sdist-gitlint-${{ matrix.python-version }}
            path: dist/*.tar.gz
          if: matrix.os == 'ubuntu-latest'
 
        - name: Build test (gitlint-core)
          run: python -m build
          working-directory: ./gitlint-core
  
        - name: Upload sdist tarball (gitlint-core)
          uses: actions/upload-artifact@v3
          with:
            name: sdist-gitlint-core-${{ matrix.python-version }}
            path: ./gitlint-core/dist/*.tar.gz
          if: matrix.os == 'ubuntu-latest'
  
  sdist-build-smoke-test:
    timeout-minutes: 30
    # Ensure we can re-build gitlint from its sdist tarball (and that gitlint works after that)
    # This is important for downstream packages (e.g. debian, homebrew, etc)
    needs: build-test
    runs-on: "ubuntu-latest"
    strategy:
      matrix:
        python-version: ["3.7", "3.8", "3.9", "3.10", "3.11", pypy-3.9]
    steps:
      - name: Setup python ${{ matrix.python-version }}
        uses: actions/setup-python@v4.7.0
        with:
          cache: 'pip'
          python-version: ${{ matrix.python-version }}
 
      - name: Download sdist artifact (gitlint)
        uses: actions/download-artifact@v3
        with:
          name: sdist-gitlint-${{ matrix.python-version }}
          path: gitlint
 
      - name: Download sdist artifact (gitlint-core)
        uses: actions/download-artifact@v3
        with:
          name: sdist-gitlint-core-${{ matrix.python-version }}
          path: gitlint-core
 
      - name: Extract sdist tarball (gitlint)
        run: tar xzvf *.tar.gz --strip-components=1
        working-directory: ./gitlint
 
      - name: Extract sdist tarball (gitlint-core)
        run: tar xzvf *.tar.gz --strip-components=1
        working-directory: ./gitlint-core
      
      - name: Install pypa/build
        run: python -m pip install build==0.10.0
 
      - name: Build test (gitlint)
        run: python -m build
        working-directory: ./gitlint
 
      - name: Build test (gitlint-core)
        run: python -m build
        working-directory: ./gitlint-core
 
      - name: Install from wheel (gitlint and gitlint-core)
        run: python -m pip install gitlint-core/dist/*.whl gitlint/dist/*.whl
 
      # Make sure gitlint works
      - name: gitlint --version
        run: gitlint --version
 
  doc-checks:
    timeout-minutes: 30
    runs-on: latchkey-small
    steps:
      - uses: actions/checkout@v3.3.0
        with:
          ref: ${{ github.event.pull_request.head.sha }} # Checkout pull request HEAD commit instead of merge commit
 
      - name: Setup python
        uses: actions/setup-python@v4.7.0
        with:
          cache: 'pip'
          python-version: 3.11
 
      - name: Install Hatch
        run: python -m pip install hatch==1.7.0
 
      - name: Docs validation (mkdocs build & linkchecker)
        run: hatch run docs:validate
  
  upload-coveralls:
    timeout-minutes: 30
    needs: tests
    runs-on: latchkey-small
    steps:
      - name: Upload coverage to coveralls
        uses: coverallsapp/github-action@master
        with:
          path-to-lcov: ".coverage.lcov"
          github-token: ${{ secrets.GITHUB_TOKEN }}
          parallel-finished: true
  
  check:  # This job does nothing and is only used for the branch protection
    timeout-minutes: 30
    if: always()  # Ref: https://github.com/marketplace/actions/alls-green#why
 
    needs:
      - tests
      - build-test
      - sdist-build-smoke-test
      - doc-checks
      - upload-coveralls
 
    runs-on: latchkey-small
 
    steps:
      - name: Decide whether the needed jobs succeeded or failed
        uses: re-actors/alls-green@release/v1
        with:
          jobs: ${{ toJSON(needs) }}
 
  # When on main, auto publish dev build
  auto-publish-dev:
    timeout-minutes: 30
    needs:
      - check
 
    if: github.ref == 'refs/heads/main'
    uses: ./.github/workflows/publish-release.yml
    secrets: inherit # pass all secrets (required to access secrets in a called workflow)
    with:
      environment: "production"
      repo_release_ref: "main"
      docker_image_tag: "latest_dev"
 
  # When on main, auto publish docs
  auto-publish-docs:
    timeout-minutes: 30
    needs:
      - check
 
    if: github.ref == 'refs/heads/main'
    uses: ./.github/workflows/publish-docs.yml
    secrets: inherit # pass all secrets (required to access secrets in a called workflow)
    with:
      docs_version: "dev"
 
  # After merging a PR, leave a comment on the PR with a link to the new dev build
  notify:
    timeout-minutes: 30
    needs:
      - auto-publish-dev
    if: github.ref == 'refs/heads/main'
    runs-on: "ubuntu-latest"
    steps:
      # Checkout code in order to determine PR number
      - uses: actions/checkout@v3.3.0
        with:
          fetch-depth: 0
 
      - name: Get PR number
        run: |
          commit_sha=$(git rev-parse HEAD)
          pr_number=$(curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
            "https://api.github.com/repos/jorisroovers/gitlint/commits/$commit_sha/pulls" | jq -r '.[0].number')
          echo "PR_NUMBER=$pr_number" >> $GITHUB_ENV
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
      - uses: actions/github-script@v6
        with:
          script: |
            const body = `Build \
            [${{ needs.auto-publish-dev.outputs.gitlint_version }}](https://pypi.org/project/gitlint/${{ needs.auto-publish-dev.outputs.gitlint_version }}) \
            is now available on PyPI!
 
            Install using:
            \`\`\`sh
            pip install gitlint==${{ needs.auto-publish-dev.outputs.gitlint_version }}
            \`\`\`
            `;
            github.rest.issues.createComment({
              issue_number: process.env.PR_NUMBER,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: body
            });
        # Don't run this step if there is no PR number, i.e. on a direct push to main
        if: ${{ env.PR_NUMBER != '' }}

What changed

2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 9 jobs (48 with the matrix expanded) per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow