Skip to content
Latchkey

CI workflow (pinojs/pino)

The CI workflow from pinojs/pino, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get caching, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: pinojs/pino.github/workflows/ci.ymlLicense MITView source

What it does

This is the CI workflow from the pinojs/pino repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: CI

on:
  push:
    branches:
      - main
      - 'v*'
    paths-ignore:
      - 'docs/**'
      - '*.md'
  pull_request:
    paths-ignore:
      - 'docs/**'
      - '*.md'

# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
  group: "${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
  cancel-in-progress: true

jobs:
  dependency-review:
    name: Dependency Review
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Check out repo
        uses: actions/checkout@v6.0.2
        with:
          persist-credentials: false

      - name: Dependency review
        uses: actions/dependency-review-action@v4

  test:
    name: ${{ matrix.node-version }} ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        os: [macOS-latest, windows-latest, ubuntu-latest]
        node-version: [20, 22, 24, 25]
        exclude:
          - os: windows-latest
            node-version: 22

    steps:
      - name: Check out repo
        uses: actions/checkout@v6.0.2
        with:
          persist-credentials: false

      - name: Setup Node ${{ matrix.node-version }}
        uses: actions/setup-node@v6
        with:
          node-version: ${{ matrix.node-version }}

      - name: Install dependencies
        run: npm i --ignore-scripts

      - name: Run tests
        run: npm run test-ci

      - name: Run smoke test
        if: >
          matrix.os != 'windows-latest' &&
          matrix.node-version > 14
        run: npm run test:smoke

  automerge:
    name: Automerge Dependabot PRs
    if: >
        github.event_name == 'pull_request' &&
        github.event.pull_request.user.login == 'dependabot[bot]'
    needs: test
    permissions:
      pull-requests: write
      contents: write
    runs-on: ubuntu-latest
    steps:
      - uses: fastify/github-action-merge-dependabot@v3
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          exclude: 'sonic-boom,pino-std-serializers,quick-format-unescaped,fast-redact'

The same workflow, on Latchkey

Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.

name: CI
 
on:
  push:
    branches:
      - main
      - 'v*'
    paths-ignore:
      - 'docs/**'
      - '*.md'
  pull_request:
    paths-ignore:
      - 'docs/**'
      - '*.md'
 
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
  group: "${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
  cancel-in-progress: true
 
jobs:
  dependency-review:
    timeout-minutes: 30
    name: Dependency Review
    if: github.event_name == 'pull_request'
    runs-on: latchkey-small
    permissions:
      contents: read
    steps:
      - name: Check out repo
        uses: actions/checkout@v6.0.2
        with:
          persist-credentials: false
 
      - name: Dependency review
        uses: actions/dependency-review-action@v4
 
  test:
    timeout-minutes: 30
    name: ${{ matrix.node-version }} ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        os: [macOS-latest, windows-latest, ubuntu-latest]
        node-version: [20, 22, 24, 25]
        exclude:
          - os: windows-latest
            node-version: 22
 
    steps:
      - name: Check out repo
        uses: actions/checkout@v6.0.2
        with:
          persist-credentials: false
 
      - name: Setup Node ${{ matrix.node-version }}
        uses: actions/setup-node@v6
        with:
          cache: 'npm'
          node-version: ${{ matrix.node-version }}
 
      - name: Install dependencies
        run: npm i --ignore-scripts
 
      - name: Run tests
        run: npm run test-ci
 
      - name: Run smoke test
        if: >
          matrix.os != 'windows-latest' &&
          matrix.node-version > 14
        run: npm run test:smoke
 
  automerge:
    timeout-minutes: 30
    name: Automerge Dependabot PRs
    if: >
        github.event_name == 'pull_request' &&
        github.event.pull_request.user.login == 'dependabot[bot]'
    needs: test
    permissions:
      pull-requests: write
      contents: write
    runs-on: latchkey-small
    steps:
      - uses: fastify/github-action-merge-dependabot@v3
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          exclude: 'sonic-boom,pino-std-serializers,quick-format-unescaped,fast-redact'
 

What changed

1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

This workflow runs 3 jobs (14 with the matrix expanded) per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow