Skip to content
Latchkey

Repo Checks workflow (PatrickJS/awesome-cursorrules)

The Repo Checks workflow from PatrickJS/awesome-cursorrules, explained and optimized by Latchkey.

D

CI health: D - needs work

Point runs-on at Latchkey and get caching, run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: PatrickJS/awesome-cursorrules.github/workflows/main.ymlLicense CC0-1.0View source

What it does

This is the Repo Checks workflow from the PatrickJS/awesome-cursorrules repository, a real project running GitHub Actions. It is shown here with attribution under its CC0-1.0 license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Repo Checks

on:
  pull_request_target:
    branches: [main]
    types: [opened, synchronize, reopened]
  pull_request:
    branches: [main]
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  pull-request-trust:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request_target'
    steps:
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: 20

      - name: Checkout trusted base checks
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          ref: ${{ github.event.pull_request.base.ref }}
          path: .trusted-base
          fetch-depth: 0
          persist-credentials: false

      - name: Check PR author account age
        env:
          GITHUB_TOKEN: ${{ github.token }}
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
          PR_AUTHOR_MINIMUM_AGE_DAYS: ${{ vars.PR_AUTHOR_MINIMUM_AGE_DAYS || '30' }}
          PR_AUTHOR_AGE_ALLOWLIST: ${{ vars.PR_AUTHOR_AGE_ALLOWLIST || 'PatrickJS,dependabot[bot],Copilot' }}
        run: |
          node .trusted-base/scripts/check-pr-author.mjs \
            --username "$PR_AUTHOR" \
            --minimum-age-days "$PR_AUTHOR_MINIMUM_AGE_DAYS" \
            --allowlist "$PR_AUTHOR_AGE_ALLOWLIST"

  readme-hygiene:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request_target' || github.event_name == 'push'
    steps:
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: 20

      - name: Checkout trusted base checks
        if: github.event_name == 'pull_request_target'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          ref: ${{ github.event.pull_request.base.ref }}
          path: .trusted-base
          fetch-depth: 0
          persist-credentials: false

      - name: Checkout pull request content
        if: github.event_name == 'pull_request_target'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
          path: pr
          fetch-depth: 0
          persist-credentials: false

      - name: Determine pull request changed files
        if: github.event_name == 'pull_request_target'
        shell: bash
        env:
          BASE_REF: ${{ github.event.pull_request.base.ref }}
        run: |
          git -C pr remote add trusted-base "$GITHUB_SERVER_URL/${{ github.repository }}.git"
          git -C pr fetch --no-tags trusted-base "$BASE_REF"
          base="$(git -C pr rev-parse FETCH_HEAD)"

          git -C pr diff --name-only "$base"...HEAD > pr/.changed-files
          git -C pr diff --unified=0 "$base"...HEAD -- README.md > pr/.readme.diff || true

      - name: Run trusted README hygiene checks
        if: github.event_name == 'pull_request_target'
        run: node .trusted-base/scripts/check-readme-hygiene.mjs --root "$GITHUB_WORKSPACE/pr" --changed-files .changed-files --diff-file .readme.diff

      - name: Checkout push content
        if: github.event_name == 'push'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Determine push changed files
        if: github.event_name == 'push'
        shell: bash
        run: |
          if [[ -n "${{ github.event.before }}" && "${{ github.event.before }}" != "0000000000000000000000000000000000000000" ]]; then
            base="${{ github.event.before }}"
          else
            base="$(git rev-list --max-parents=0 HEAD)"
          fi

          git diff --name-only "$base"...HEAD > .changed-files
          git diff --unified=0 "$base"...HEAD -- README.md > .readme.diff || true

      - name: Run README hygiene checks
        if: github.event_name == 'push'
        run: node scripts/check-readme-hygiene.mjs --changed-files .changed-files --diff-file .readme.diff

  rule-hygiene:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request_target' || github.event_name == 'push'
    steps:
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: 20

      - name: Checkout trusted base checks
        if: github.event_name == 'pull_request_target'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          ref: ${{ github.event.pull_request.base.ref }}
          path: .trusted-base
          fetch-depth: 0
          persist-credentials: false

      - name: Checkout pull request content
        if: github.event_name == 'pull_request_target'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
          path: pr
          fetch-depth: 0
          persist-credentials: false

      - name: Determine pull request changed files
        if: github.event_name == 'pull_request_target'
        shell: bash
        env:
          BASE_REF: ${{ github.event.pull_request.base.ref }}
        run: |
          git -C pr remote add trusted-base "$GITHUB_SERVER_URL/${{ github.repository }}.git"
          git -C pr fetch --no-tags trusted-base "$BASE_REF"
          base="$(git -C pr rev-parse FETCH_HEAD)"

          git -C pr diff --name-only "$base"...HEAD > pr/.changed-files

      - name: Run trusted rule hygiene checks
        if: github.event_name == 'pull_request_target'
        run: node .trusted-base/scripts/check-rule-hygiene.mjs --root "$GITHUB_WORKSPACE/pr" --changed-files .changed-files

      - name: Checkout push content
        if: github.event_name == 'push'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Determine push changed files
        if: github.event_name == 'push'
        shell: bash
        run: |
          if [[ -n "${{ github.event.before }}" && "${{ github.event.before }}" != "0000000000000000000000000000000000000000" ]]; then
            base="${{ github.event.before }}"
          else
            base="$(git rev-list --max-parents=0 HEAD)"
          fi

          git diff --name-only "$base"...HEAD > .changed-files

      - name: Run rule hygiene checks
        if: github.event_name == 'push'
        run: node scripts/check-rule-hygiene.mjs --changed-files .changed-files

  issue-template-policy:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request_target' || github.event_name == 'push'
    steps:
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: 20

      - name: Checkout trusted base checks
        if: github.event_name == 'pull_request_target'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          ref: ${{ github.event.pull_request.base.ref }}
          path: .trusted-base
          fetch-depth: 0
          persist-credentials: false

      - name: Checkout pull request content
        if: github.event_name == 'pull_request_target'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
          path: pr
          fetch-depth: 0
          persist-credentials: false

      - name: Run trusted issue template policy checks
        if: github.event_name == 'pull_request_target'
        run: node .trusted-base/scripts/check-issue-template-policy.mjs --root "$GITHUB_WORKSPACE/pr"

      - name: Checkout push content
        if: github.event_name == 'push'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Run issue template policy checks
        if: github.event_name == 'push'
        run: node scripts/check-issue-template-policy.mjs

  repo-security:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request_target' || github.event_name == 'push'
    steps:
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: 20

      - name: Checkout trusted base checks
        if: github.event_name == 'pull_request_target'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          ref: ${{ github.event.pull_request.base.ref }}
          path: .trusted-base
          fetch-depth: 0
          persist-credentials: false

      - name: Checkout pull request content
        if: github.event_name == 'pull_request_target'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
          path: pr
          fetch-depth: 0
          persist-credentials: false

      - name: Determine pull request changed files
        if: github.event_name == 'pull_request_target'
        shell: bash
        env:
          BASE_REF: ${{ github.event.pull_request.base.ref }}
        run: |
          git -C pr remote add trusted-base "$GITHUB_SERVER_URL/${{ github.repository }}.git"
          git -C pr fetch --no-tags trusted-base "$BASE_REF"
          base="$(git -C pr rev-parse FETCH_HEAD)"

          git -C pr diff --name-only "$base"...HEAD > pr/.changed-files

      - name: Run trusted repo security checks
        if: github.event_name == 'pull_request_target'
        run: node .trusted-base/scripts/check-repo-security.mjs --root "$GITHUB_WORKSPACE/pr" --changed-files .changed-files

      - name: Checkout push content
        if: github.event_name == 'push'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Determine push changed files
        if: github.event_name == 'push'
        shell: bash
        run: |
          if [[ -n "${{ github.event.before }}" && "${{ github.event.before }}" != "0000000000000000000000000000000000000000" ]]; then
            base="${{ github.event.before }}"
          else
            base="$(git rev-list --max-parents=0 HEAD)"
          fi

          git diff --name-only "$base"...HEAD > .changed-files

      - name: Run repo security checks
        if: github.event_name == 'push'
        run: node scripts/check-repo-security.mjs --changed-files .changed-files

  test:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request' || github.event_name == 'push'
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 1
          persist-credentials: false

      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: 20

      - name: Enable pnpm
        run: |
          corepack enable
          corepack prepare pnpm@10.20.0 --activate

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Run tests
        run: pnpm test

  awesome-lint:
    name: awesome-lint
    runs-on: ubuntu-latest
    if: github.event_name != 'pull_request_target'
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 1
          persist-credentials: false

      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: 20

      - name: Enable pnpm
        run: |
          corepack enable
          corepack prepare pnpm@10.20.0 --activate

      - name: Checkout trusted base checks
        if: github.event_name == 'pull_request'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          ref: ${{ github.event.pull_request.base.sha }}
          path: .trusted-base
          fetch-depth: 1
          persist-credentials: false

      - name: Run trusted awesome-list checks
        if: github.event_name == 'pull_request'
        run: |
          node .trusted-base/scripts/check-awesome-list.mjs --root "$GITHUB_WORKSPACE"
          (cd .trusted-base && pnpm dlx awesome-lint@2.3.0 "$GITHUB_WORKSPACE/README.md")

      - name: Install dependencies
        if: github.event_name != 'pull_request'
        run: pnpm install --frozen-lockfile

      - name: Run awesome-list checks
        if: github.event_name != 'pull_request'
        run: |
          pnpm run check:awesome-list
          pnpm run check:awesome-list:upstream

The same workflow, on Latchkey

Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.

name: Repo Checks
 
on:
  pull_request_target:
    branches: [main]
    types: [opened, synchronize, reopened]
  pull_request:
    branches: [main]
  push:
    branches: [main]
 
permissions:
  contents: read
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  pull-request-trust:
    timeout-minutes: 30
    runs-on: latchkey-small
    if: github.event_name == 'pull_request_target'
    steps:
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          cache: 'npm'
          node-version: 20
 
      - name: Checkout trusted base checks
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          ref: ${{ github.event.pull_request.base.ref }}
          path: .trusted-base
          fetch-depth: 0
          persist-credentials: false
 
      - name: Check PR author account age
        env:
          GITHUB_TOKEN: ${{ github.token }}
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
          PR_AUTHOR_MINIMUM_AGE_DAYS: ${{ vars.PR_AUTHOR_MINIMUM_AGE_DAYS || '30' }}
          PR_AUTHOR_AGE_ALLOWLIST: ${{ vars.PR_AUTHOR_AGE_ALLOWLIST || 'PatrickJS,dependabot[bot],Copilot' }}
        run: |
          node .trusted-base/scripts/check-pr-author.mjs \
            --username "$PR_AUTHOR" \
            --minimum-age-days "$PR_AUTHOR_MINIMUM_AGE_DAYS" \
            --allowlist "$PR_AUTHOR_AGE_ALLOWLIST"
 
  readme-hygiene:
    timeout-minutes: 30
    runs-on: latchkey-small
    if: github.event_name == 'pull_request_target' || github.event_name == 'push'
    steps:
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          cache: 'npm'
          node-version: 20
 
      - name: Checkout trusted base checks
        if: github.event_name == 'pull_request_target'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          ref: ${{ github.event.pull_request.base.ref }}
          path: .trusted-base
          fetch-depth: 0
          persist-credentials: false
 
      - name: Checkout pull request content
        if: github.event_name == 'pull_request_target'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
          path: pr
          fetch-depth: 0
          persist-credentials: false
 
      - name: Determine pull request changed files
        if: github.event_name == 'pull_request_target'
        shell: bash
        env:
          BASE_REF: ${{ github.event.pull_request.base.ref }}
        run: |
          git -C pr remote add trusted-base "$GITHUB_SERVER_URL/${{ github.repository }}.git"
          git -C pr fetch --no-tags trusted-base "$BASE_REF"
          base="$(git -C pr rev-parse FETCH_HEAD)"
 
          git -C pr diff --name-only "$base"...HEAD > pr/.changed-files
          git -C pr diff --unified=0 "$base"...HEAD -- README.md > pr/.readme.diff || true
 
      - name: Run trusted README hygiene checks
        if: github.event_name == 'pull_request_target'
        run: node .trusted-base/scripts/check-readme-hygiene.mjs --root "$GITHUB_WORKSPACE/pr" --changed-files .changed-files --diff-file .readme.diff
 
      - name: Checkout push content
        if: github.event_name == 'push'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 0
          persist-credentials: false
 
      - name: Determine push changed files
        if: github.event_name == 'push'
        shell: bash
        run: |
          if [[ -n "${{ github.event.before }}" && "${{ github.event.before }}" != "0000000000000000000000000000000000000000" ]]; then
            base="${{ github.event.before }}"
          else
            base="$(git rev-list --max-parents=0 HEAD)"
          fi
 
          git diff --name-only "$base"...HEAD > .changed-files
          git diff --unified=0 "$base"...HEAD -- README.md > .readme.diff || true
 
      - name: Run README hygiene checks
        if: github.event_name == 'push'
        run: node scripts/check-readme-hygiene.mjs --changed-files .changed-files --diff-file .readme.diff
 
  rule-hygiene:
    timeout-minutes: 30
    runs-on: latchkey-small
    if: github.event_name == 'pull_request_target' || github.event_name == 'push'
    steps:
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          cache: 'npm'
          node-version: 20
 
      - name: Checkout trusted base checks
        if: github.event_name == 'pull_request_target'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          ref: ${{ github.event.pull_request.base.ref }}
          path: .trusted-base
          fetch-depth: 0
          persist-credentials: false
 
      - name: Checkout pull request content
        if: github.event_name == 'pull_request_target'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
          path: pr
          fetch-depth: 0
          persist-credentials: false
 
      - name: Determine pull request changed files
        if: github.event_name == 'pull_request_target'
        shell: bash
        env:
          BASE_REF: ${{ github.event.pull_request.base.ref }}
        run: |
          git -C pr remote add trusted-base "$GITHUB_SERVER_URL/${{ github.repository }}.git"
          git -C pr fetch --no-tags trusted-base "$BASE_REF"
          base="$(git -C pr rev-parse FETCH_HEAD)"
 
          git -C pr diff --name-only "$base"...HEAD > pr/.changed-files
 
      - name: Run trusted rule hygiene checks
        if: github.event_name == 'pull_request_target'
        run: node .trusted-base/scripts/check-rule-hygiene.mjs --root "$GITHUB_WORKSPACE/pr" --changed-files .changed-files
 
      - name: Checkout push content
        if: github.event_name == 'push'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 0
          persist-credentials: false
 
      - name: Determine push changed files
        if: github.event_name == 'push'
        shell: bash
        run: |
          if [[ -n "${{ github.event.before }}" && "${{ github.event.before }}" != "0000000000000000000000000000000000000000" ]]; then
            base="${{ github.event.before }}"
          else
            base="$(git rev-list --max-parents=0 HEAD)"
          fi
 
          git diff --name-only "$base"...HEAD > .changed-files
 
      - name: Run rule hygiene checks
        if: github.event_name == 'push'
        run: node scripts/check-rule-hygiene.mjs --changed-files .changed-files
 
  issue-template-policy:
    timeout-minutes: 30
    runs-on: latchkey-small
    if: github.event_name == 'pull_request_target' || github.event_name == 'push'
    steps:
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          cache: 'npm'
          node-version: 20
 
      - name: Checkout trusted base checks
        if: github.event_name == 'pull_request_target'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          ref: ${{ github.event.pull_request.base.ref }}
          path: .trusted-base
          fetch-depth: 0
          persist-credentials: false
 
      - name: Checkout pull request content
        if: github.event_name == 'pull_request_target'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
          path: pr
          fetch-depth: 0
          persist-credentials: false
 
      - name: Run trusted issue template policy checks
        if: github.event_name == 'pull_request_target'
        run: node .trusted-base/scripts/check-issue-template-policy.mjs --root "$GITHUB_WORKSPACE/pr"
 
      - name: Checkout push content
        if: github.event_name == 'push'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 0
          persist-credentials: false
 
      - name: Run issue template policy checks
        if: github.event_name == 'push'
        run: node scripts/check-issue-template-policy.mjs
 
  repo-security:
    timeout-minutes: 30
    runs-on: latchkey-small
    if: github.event_name == 'pull_request_target' || github.event_name == 'push'
    steps:
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          cache: 'npm'
          node-version: 20
 
      - name: Checkout trusted base checks
        if: github.event_name == 'pull_request_target'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          ref: ${{ github.event.pull_request.base.ref }}
          path: .trusted-base
          fetch-depth: 0
          persist-credentials: false
 
      - name: Checkout pull request content
        if: github.event_name == 'pull_request_target'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
          path: pr
          fetch-depth: 0
          persist-credentials: false
 
      - name: Determine pull request changed files
        if: github.event_name == 'pull_request_target'
        shell: bash
        env:
          BASE_REF: ${{ github.event.pull_request.base.ref }}
        run: |
          git -C pr remote add trusted-base "$GITHUB_SERVER_URL/${{ github.repository }}.git"
          git -C pr fetch --no-tags trusted-base "$BASE_REF"
          base="$(git -C pr rev-parse FETCH_HEAD)"
 
          git -C pr diff --name-only "$base"...HEAD > pr/.changed-files
 
      - name: Run trusted repo security checks
        if: github.event_name == 'pull_request_target'
        run: node .trusted-base/scripts/check-repo-security.mjs --root "$GITHUB_WORKSPACE/pr" --changed-files .changed-files
 
      - name: Checkout push content
        if: github.event_name == 'push'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 0
          persist-credentials: false
 
      - name: Determine push changed files
        if: github.event_name == 'push'
        shell: bash
        run: |
          if [[ -n "${{ github.event.before }}" && "${{ github.event.before }}" != "0000000000000000000000000000000000000000" ]]; then
            base="${{ github.event.before }}"
          else
            base="$(git rev-list --max-parents=0 HEAD)"
          fi
 
          git diff --name-only "$base"...HEAD > .changed-files
 
      - name: Run repo security checks
        if: github.event_name == 'push'
        run: node scripts/check-repo-security.mjs --changed-files .changed-files
 
  test:
    timeout-minutes: 30
    runs-on: latchkey-small
    if: github.event_name == 'pull_request' || github.event_name == 'push'
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 1
          persist-credentials: false
 
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          cache: 'npm'
          node-version: 20
 
      - name: Enable pnpm
        run: |
          corepack enable
          corepack prepare pnpm@10.20.0 --activate
 
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
 
      - name: Run tests
        run: pnpm test
 
  awesome-lint:
    timeout-minutes: 30
    name: awesome-lint
    runs-on: latchkey-small
    if: github.event_name != 'pull_request_target'
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 1
          persist-credentials: false
 
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          cache: 'npm'
          node-version: 20
 
      - name: Enable pnpm
        run: |
          corepack enable
          corepack prepare pnpm@10.20.0 --activate
 
      - name: Checkout trusted base checks
        if: github.event_name == 'pull_request'
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          ref: ${{ github.event.pull_request.base.sha }}
          path: .trusted-base
          fetch-depth: 1
          persist-credentials: false
 
      - name: Run trusted awesome-list checks
        if: github.event_name == 'pull_request'
        run: |
          node .trusted-base/scripts/check-awesome-list.mjs --root "$GITHUB_WORKSPACE"
          (cd .trusted-base && pnpm dlx awesome-lint@2.3.0 "$GITHUB_WORKSPACE/README.md")
 
      - name: Install dependencies
        if: github.event_name != 'pull_request'
        run: pnpm install --frozen-lockfile
 
      - name: Run awesome-list checks
        if: github.event_name != 'pull_request'
        run: |
          pnpm run check:awesome-list
          pnpm run check:awesome-list:upstream
 

What changed

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 7 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow