Tests and Checks workflow (jorisroovers/gitlint)
The Tests and Checks workflow from jorisroovers/gitlint, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get caching, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Tests and Checks workflow from the jorisroovers/gitlint repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Tests and Checks
# Only run CI on pushes to main and pull requests
# We don't run CI on other branches, but those should be merged into main via a PR anyways which will trigger CI before the merge.
on:
push:
branches:
- main
pull_request:
branches:
- main
concurrency:
group: ci-${{ github.ref }}-1
cancel-in-progress: true
jobs:
tests:
runs-on: "ubuntu-latest"
strategy:
matrix:
python-version: ["3.7", "3.8", "3.9", "3.10", "3.11", pypy-3.9]
os: ["macos-latest", "ubuntu-latest", "windows-latest"]
steps:
- uses: actions/checkout@v3.3.0
with:
ref: ${{ github.event.pull_request.head.sha }} # Checkout pull request HEAD commit instead of merge commit
fetch-depth: 0 # checkout all history, needed for hatch versioning
- name: Setup python
uses: actions/setup-python@v4.7.0
with:
python-version: ${{ matrix.python-version }}
- name: Install Hatch
run: python -m pip install hatch==1.7.0
- name: Unit Tests
run: hatch run test:unit-tests
- name: Code formatting (black)
run: hatch run test:format
- name: Code linting (ruff)
run: hatch run test:lint
- name: Static type checking (mypy)
run: hatch run test:type-check
- name: Install local gitlint for integration tests
run: hatch run qa:install-local
- name: Integration tests
run: hatch run qa:integration-tests
if: matrix.os != 'windows-latest'
- name: Integration tests (GITLINT_QA_USE_SH_LIB=0)
run: hatch run qa:integration-tests -k "not(test_commit_hook_continue or test_commit_hook_abort or test_commit_hook_edit)" qa
env:
GITLINT_QA_USE_SH_LIB: 0
if: matrix.os != 'windows-latest'
- name: Integration tests (Windows)
run: |
hatch run qa:integration-tests -k "not (test_commit_hook_continue or test_commit_hook_abort or test_commit_hook_edit or test_lint_staged_stdin or test_stdin_file or test_stdin_pipe_empty)" qa
if: matrix.os == 'windows-latest'
# Run gitlint. Skip during PR runs, since PR commit messages are transient and usually full of gitlint violations.
# PRs get squashed and get a proper commit message during merge.
- name: gitlint --debug
run: hatch run dev:gitlint --debug
continue-on-error: ${{ github.event_name == 'pull_request' }} # Don't enforce gitlint in PRs
- name: Code Coverage (coveralls)
uses: coverallsapp/github-action@master
with:
path-to-lcov: ".coverage.lcov"
github-token: ${{ secrets.GITHUB_TOKEN }}
git-commit: ${{ github.event.pull_request.head.sha }}
flag-name: gitlint-${{ matrix.os }}-${{ matrix.python-version }}
parallel: true
build-test:
runs-on: "ubuntu-latest"
strategy:
matrix:
python-version: ["3.7", "3.8", "3.9", "3.10", "3.11", pypy-3.9]
os: ["macos-latest", "ubuntu-latest", "windows-latest"]
steps:
- uses: actions/checkout@v3.3.0
with:
ref: ${{ github.event.pull_request.head.sha }} # Checkout pull request HEAD commit instead of merge commit
fetch-depth: 0 # checkout all history, needed for hatch versioning
- name: Install pypa/build
run: python -m pip install build==0.10.0
- name: Build test (gitlint)
run: python -m build
- name: Upload sdist tarball (gitlint)
uses: actions/upload-artifact@v3
with:
name: sdist-gitlint-${{ matrix.python-version }}
path: dist/*.tar.gz
if: matrix.os == 'ubuntu-latest'
- name: Build test (gitlint-core)
run: python -m build
working-directory: ./gitlint-core
- name: Upload sdist tarball (gitlint-core)
uses: actions/upload-artifact@v3
with:
name: sdist-gitlint-core-${{ matrix.python-version }}
path: ./gitlint-core/dist/*.tar.gz
if: matrix.os == 'ubuntu-latest'
sdist-build-smoke-test:
# Ensure we can re-build gitlint from its sdist tarball (and that gitlint works after that)
# This is important for downstream packages (e.g. debian, homebrew, etc)
needs: build-test
runs-on: "ubuntu-latest"
strategy:
matrix:
python-version: ["3.7", "3.8", "3.9", "3.10", "3.11", pypy-3.9]
steps:
- name: Setup python ${{ matrix.python-version }}
uses: actions/setup-python@v4.7.0
with:
python-version: ${{ matrix.python-version }}
- name: Download sdist artifact (gitlint)
uses: actions/download-artifact@v3
with:
name: sdist-gitlint-${{ matrix.python-version }}
path: gitlint
- name: Download sdist artifact (gitlint-core)
uses: actions/download-artifact@v3
with:
name: sdist-gitlint-core-${{ matrix.python-version }}
path: gitlint-core
- name: Extract sdist tarball (gitlint)
run: tar xzvf *.tar.gz --strip-components=1
working-directory: ./gitlint
- name: Extract sdist tarball (gitlint-core)
run: tar xzvf *.tar.gz --strip-components=1
working-directory: ./gitlint-core
- name: Install pypa/build
run: python -m pip install build==0.10.0
- name: Build test (gitlint)
run: python -m build
working-directory: ./gitlint
- name: Build test (gitlint-core)
run: python -m build
working-directory: ./gitlint-core
- name: Install from wheel (gitlint and gitlint-core)
run: python -m pip install gitlint-core/dist/*.whl gitlint/dist/*.whl
# Make sure gitlint works
- name: gitlint --version
run: gitlint --version
doc-checks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3.3.0
with:
ref: ${{ github.event.pull_request.head.sha }} # Checkout pull request HEAD commit instead of merge commit
- name: Setup python
uses: actions/setup-python@v4.7.0
with:
python-version: 3.11
- name: Install Hatch
run: python -m pip install hatch==1.7.0
- name: Docs validation (mkdocs build & linkchecker)
run: hatch run docs:validate
upload-coveralls:
needs: tests
runs-on: ubuntu-latest
steps:
- name: Upload coverage to coveralls
uses: coverallsapp/github-action@master
with:
path-to-lcov: ".coverage.lcov"
github-token: ${{ secrets.GITHUB_TOKEN }}
parallel-finished: true
check: # This job does nothing and is only used for the branch protection
if: always() # Ref: https://github.com/marketplace/actions/alls-green#why
needs:
- tests
- build-test
- sdist-build-smoke-test
- doc-checks
- upload-coveralls
runs-on: ubuntu-latest
steps:
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@release/v1
with:
jobs: ${{ toJSON(needs) }}
# When on main, auto publish dev build
auto-publish-dev:
needs:
- check
if: github.ref == 'refs/heads/main'
uses: ./.github/workflows/publish-release.yml
secrets: inherit # pass all secrets (required to access secrets in a called workflow)
with:
environment: "production"
repo_release_ref: "main"
docker_image_tag: "latest_dev"
# When on main, auto publish docs
auto-publish-docs:
needs:
- check
if: github.ref == 'refs/heads/main'
uses: ./.github/workflows/publish-docs.yml
secrets: inherit # pass all secrets (required to access secrets in a called workflow)
with:
docs_version: "dev"
# After merging a PR, leave a comment on the PR with a link to the new dev build
notify:
needs:
- auto-publish-dev
if: github.ref == 'refs/heads/main'
runs-on: "ubuntu-latest"
steps:
# Checkout code in order to determine PR number
- uses: actions/checkout@v3.3.0
with:
fetch-depth: 0
- name: Get PR number
run: |
commit_sha=$(git rev-parse HEAD)
pr_number=$(curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
"https://api.github.com/repos/jorisroovers/gitlint/commits/$commit_sha/pulls" | jq -r '.[0].number')
echo "PR_NUMBER=$pr_number" >> $GITHUB_ENV
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/github-script@v6
with:
script: |
const body = `Build \
[${{ needs.auto-publish-dev.outputs.gitlint_version }}](https://pypi.org/project/gitlint/${{ needs.auto-publish-dev.outputs.gitlint_version }}) \
is now available on PyPI!
Install using:
\`\`\`sh
pip install gitlint==${{ needs.auto-publish-dev.outputs.gitlint_version }}
\`\`\`
`;
github.rest.issues.createComment({
issue_number: process.env.PR_NUMBER,
owner: context.repo.owner,
repo: context.repo.repo,
body: body
});
# Don't run this step if there is no PR number, i.e. on a direct push to main
if: ${{ env.PR_NUMBER != '' }}The same workflow, on Latchkey
Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.
name: Tests and Checks # Only run CI on pushes to main and pull requests # We don't run CI on other branches, but those should be merged into main via a PR anyways which will trigger CI before the merge. on: push: branches: - main pull_request: branches: - main concurrency: group: ci-${{ github.ref }}-1 cancel-in-progress: true jobs: tests: timeout-minutes: 30 runs-on: "ubuntu-latest" strategy: matrix: python-version: ["3.7", "3.8", "3.9", "3.10", "3.11", pypy-3.9] os: ["macos-latest", "ubuntu-latest", "windows-latest"] steps: - uses: actions/checkout@v3.3.0 with: ref: ${{ github.event.pull_request.head.sha }} # Checkout pull request HEAD commit instead of merge commit fetch-depth: 0 # checkout all history, needed for hatch versioning - name: Setup python uses: actions/setup-python@v4.7.0 with: cache: 'pip' python-version: ${{ matrix.python-version }} - name: Install Hatch run: python -m pip install hatch==1.7.0 - name: Unit Tests run: hatch run test:unit-tests - name: Code formatting (black) run: hatch run test:format - name: Code linting (ruff) run: hatch run test:lint - name: Static type checking (mypy) run: hatch run test:type-check - name: Install local gitlint for integration tests run: hatch run qa:install-local - name: Integration tests run: hatch run qa:integration-tests if: matrix.os != 'windows-latest' - name: Integration tests (GITLINT_QA_USE_SH_LIB=0) run: hatch run qa:integration-tests -k "not(test_commit_hook_continue or test_commit_hook_abort or test_commit_hook_edit)" qa env: GITLINT_QA_USE_SH_LIB: 0 if: matrix.os != 'windows-latest' - name: Integration tests (Windows) run: | hatch run qa:integration-tests -k "not (test_commit_hook_continue or test_commit_hook_abort or test_commit_hook_edit or test_lint_staged_stdin or test_stdin_file or test_stdin_pipe_empty)" qa if: matrix.os == 'windows-latest' # Run gitlint. Skip during PR runs, since PR commit messages are transient and usually full of gitlint violations. # PRs get squashed and get a proper commit message during merge. - name: gitlint --debug run: hatch run dev:gitlint --debug continue-on-error: ${{ github.event_name == 'pull_request' }} # Don't enforce gitlint in PRs - name: Code Coverage (coveralls) uses: coverallsapp/github-action@master with: path-to-lcov: ".coverage.lcov" github-token: ${{ secrets.GITHUB_TOKEN }} git-commit: ${{ github.event.pull_request.head.sha }} flag-name: gitlint-${{ matrix.os }}-${{ matrix.python-version }} parallel: true build-test: timeout-minutes: 30 runs-on: "ubuntu-latest" strategy: matrix: python-version: ["3.7", "3.8", "3.9", "3.10", "3.11", pypy-3.9] os: ["macos-latest", "ubuntu-latest", "windows-latest"] steps: - uses: actions/checkout@v3.3.0 with: ref: ${{ github.event.pull_request.head.sha }} # Checkout pull request HEAD commit instead of merge commit fetch-depth: 0 # checkout all history, needed for hatch versioning - name: Install pypa/build run: python -m pip install build==0.10.0 - name: Build test (gitlint) run: python -m build - name: Upload sdist tarball (gitlint) uses: actions/upload-artifact@v3 with: name: sdist-gitlint-${{ matrix.python-version }} path: dist/*.tar.gz if: matrix.os == 'ubuntu-latest' - name: Build test (gitlint-core) run: python -m build working-directory: ./gitlint-core - name: Upload sdist tarball (gitlint-core) uses: actions/upload-artifact@v3 with: name: sdist-gitlint-core-${{ matrix.python-version }} path: ./gitlint-core/dist/*.tar.gz if: matrix.os == 'ubuntu-latest' sdist-build-smoke-test: timeout-minutes: 30 # Ensure we can re-build gitlint from its sdist tarball (and that gitlint works after that) # This is important for downstream packages (e.g. debian, homebrew, etc) needs: build-test runs-on: "ubuntu-latest" strategy: matrix: python-version: ["3.7", "3.8", "3.9", "3.10", "3.11", pypy-3.9] steps: - name: Setup python ${{ matrix.python-version }} uses: actions/setup-python@v4.7.0 with: cache: 'pip' python-version: ${{ matrix.python-version }} - name: Download sdist artifact (gitlint) uses: actions/download-artifact@v3 with: name: sdist-gitlint-${{ matrix.python-version }} path: gitlint - name: Download sdist artifact (gitlint-core) uses: actions/download-artifact@v3 with: name: sdist-gitlint-core-${{ matrix.python-version }} path: gitlint-core - name: Extract sdist tarball (gitlint) run: tar xzvf *.tar.gz --strip-components=1 working-directory: ./gitlint - name: Extract sdist tarball (gitlint-core) run: tar xzvf *.tar.gz --strip-components=1 working-directory: ./gitlint-core - name: Install pypa/build run: python -m pip install build==0.10.0 - name: Build test (gitlint) run: python -m build working-directory: ./gitlint - name: Build test (gitlint-core) run: python -m build working-directory: ./gitlint-core - name: Install from wheel (gitlint and gitlint-core) run: python -m pip install gitlint-core/dist/*.whl gitlint/dist/*.whl # Make sure gitlint works - name: gitlint --version run: gitlint --version doc-checks: timeout-minutes: 30 runs-on: latchkey-small steps: - uses: actions/checkout@v3.3.0 with: ref: ${{ github.event.pull_request.head.sha }} # Checkout pull request HEAD commit instead of merge commit - name: Setup python uses: actions/setup-python@v4.7.0 with: cache: 'pip' python-version: 3.11 - name: Install Hatch run: python -m pip install hatch==1.7.0 - name: Docs validation (mkdocs build & linkchecker) run: hatch run docs:validate upload-coveralls: timeout-minutes: 30 needs: tests runs-on: latchkey-small steps: - name: Upload coverage to coveralls uses: coverallsapp/github-action@master with: path-to-lcov: ".coverage.lcov" github-token: ${{ secrets.GITHUB_TOKEN }} parallel-finished: true check: # This job does nothing and is only used for the branch protection timeout-minutes: 30 if: always() # Ref: https://github.com/marketplace/actions/alls-green#why needs: - tests - build-test - sdist-build-smoke-test - doc-checks - upload-coveralls runs-on: latchkey-small steps: - name: Decide whether the needed jobs succeeded or failed uses: re-actors/alls-green@release/v1 with: jobs: ${{ toJSON(needs) }} # When on main, auto publish dev build auto-publish-dev: timeout-minutes: 30 needs: - check if: github.ref == 'refs/heads/main' uses: ./.github/workflows/publish-release.yml secrets: inherit # pass all secrets (required to access secrets in a called workflow) with: environment: "production" repo_release_ref: "main" docker_image_tag: "latest_dev" # When on main, auto publish docs auto-publish-docs: timeout-minutes: 30 needs: - check if: github.ref == 'refs/heads/main' uses: ./.github/workflows/publish-docs.yml secrets: inherit # pass all secrets (required to access secrets in a called workflow) with: docs_version: "dev" # After merging a PR, leave a comment on the PR with a link to the new dev build notify: timeout-minutes: 30 needs: - auto-publish-dev if: github.ref == 'refs/heads/main' runs-on: "ubuntu-latest" steps: # Checkout code in order to determine PR number - uses: actions/checkout@v3.3.0 with: fetch-depth: 0 - name: Get PR number run: | commit_sha=$(git rev-parse HEAD) pr_number=$(curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ "https://api.github.com/repos/jorisroovers/gitlint/commits/$commit_sha/pulls" | jq -r '.[0].number') echo "PR_NUMBER=$pr_number" >> $GITHUB_ENV env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - uses: actions/github-script@v6 with: script: | const body = `Build \ [${{ needs.auto-publish-dev.outputs.gitlint_version }}](https://pypi.org/project/gitlint/${{ needs.auto-publish-dev.outputs.gitlint_version }}) \ is now available on PyPI! Install using: \`\`\`sh pip install gitlint==${{ needs.auto-publish-dev.outputs.gitlint_version }} \`\`\` `; github.rest.issues.createComment({ issue_number: process.env.PR_NUMBER, owner: context.repo.owner, repo: context.repo.repo, body: body }); # Don't run this step if there is no PR number, i.e. on a direct push to main if: ${{ env.PR_NUMBER != '' }}
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cache dependency installs on the setup step so they are served from cache.
- Add a job timeout so a hung step cannot burn hours of runner time.
2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- Dependency installs
This workflow runs 9 jobs (48 with the matrix expanded) per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.