Docker Images workflow (RDFLib/rdflib)
The Docker Images workflow from RDFLib/rdflib, explained and optimized by Latchkey.
CI health: B - good
Point runs-on at Latchkey and get job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Docker Images workflow from the RDFLib/rdflib repository, a real project running GitHub Actions. It is shown here with attribution under its BSD-3-Clause license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Docker Images
on:
push:
branches: ["main"]
pull_request:
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
setup:
permissions:
contents: read
runs-on: ubuntu-latest
outputs:
docker-push: ${{ steps.vars.outputs.docker-push }}
oci-reference: ${{ steps.vars.outputs.oci-reference }}
steps:
- id: vars
run: |
echo ::set-output name=github-ref::${{ github.ref }}
echo ::set-output name=docker-push::${{ github.ref == 'refs/heads/main' }}
echo ::set-output name=oci-reference::ghcr.io/$( echo "${{ github.repository}}" | tr '[:upper:]' '[:lower:]' )
- id: vars-dump
run: |
echo "steps.vars.github-ref = ${{ steps.vars.outputs.github-ref }}"
echo "steps.vars.docker-push = ${{ steps.vars.outputs.docker-push }}"
echo "steps.vars.oci-reference = ${{ steps.vars.outputs.oci-reference }}"
build:
needs: setup
permissions:
contents: read
packages: read
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
with:
fetch-depth: 1
- name: Install Task
uses: go-task/setup-task@v2
- name: Install poetry
run: |
pip install -r devtools/requirements-poetry.in
- name: Build images
shell: bash
run: |
task \
OCI_REFERENCE="${{ needs.setup.outputs.oci-reference }}" \
docker:latest docker:unstable
push:
if: "${{ needs.setup.outputs.docker-push == 'true' }}"
needs: [ setup, build ]
permissions:
id-token: write
packages: write
contents: read
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
with:
fetch-depth: 1
- name: Install Task
uses: go-task/setup-task@v2
- name: Install poetry
run: |
pip install -r devtools/requirements-poetry.in
- name: Login to GitHub Container Registry
uses: docker/login-action@v4
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Push images
shell: bash
run: |
task \
DOCKER_PUSH=true \
OCI_REFERENCE="${{ needs.setup.outputs.oci-reference }}" \
docker:latest docker:unstable
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: Docker Images on: push: branches: ["main"] pull_request: workflow_dispatch: concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: setup: timeout-minutes: 30 permissions: contents: read runs-on: latchkey-small outputs: docker-push: ${{ steps.vars.outputs.docker-push }} oci-reference: ${{ steps.vars.outputs.oci-reference }} steps: - id: vars run: | echo ::set-output name=github-ref::${{ github.ref }} echo ::set-output name=docker-push::${{ github.ref == 'refs/heads/main' }} echo ::set-output name=oci-reference::ghcr.io/$( echo "${{ github.repository}}" | tr '[:upper:]' '[:lower:]' ) - id: vars-dump run: | echo "steps.vars.github-ref = ${{ steps.vars.outputs.github-ref }}" echo "steps.vars.docker-push = ${{ steps.vars.outputs.docker-push }}" echo "steps.vars.oci-reference = ${{ steps.vars.outputs.oci-reference }}" build: timeout-minutes: 30 needs: setup permissions: contents: read packages: read runs-on: latchkey-small steps: - uses: actions/checkout@v7 with: fetch-depth: 1 - name: Install Task uses: go-task/setup-task@v2 - name: Install poetry run: | pip install -r devtools/requirements-poetry.in - name: Build images shell: bash run: | task \ OCI_REFERENCE="${{ needs.setup.outputs.oci-reference }}" \ docker:latest docker:unstable push: timeout-minutes: 30 if: "${{ needs.setup.outputs.docker-push == 'true' }}" needs: [ setup, build ] permissions: id-token: write packages: write contents: read runs-on: latchkey-small steps: - uses: actions/checkout@v7 with: fetch-depth: 1 - name: Install Task uses: go-task/setup-task@v2 - name: Install poetry run: | pip install -r devtools/requirements-poetry.in - name: Login to GitHub Container Registry uses: docker/login-action@v4 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Push images shell: bash run: | task \ DOCKER_PUSH=true \ OCI_REFERENCE="${{ needs.setup.outputs.oci-reference }}" \ docker:latest docker:unstable
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Add a job timeout so a hung step cannot burn hours of runner time.
2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- Dependency installs
This workflow runs 3 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.