Skip to content
Latchkey

Release kube-linter workflow (stackrox/kube-linter)

The Release kube-linter workflow from stackrox/kube-linter, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get run de-duplication, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: stackrox/kube-linter.github/workflows/release.yamlLicense Apache-2.0View source

What it does

This is the Release kube-linter workflow from the stackrox/kube-linter repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Release kube-linter

on:
  push:
    tags:
      - "v*"

env:
  # Use docker.io for Docker Hub if empty
  REGISTRY: ghcr.io
  # github.repository as <account>/<repo>
  IMAGE_NAME: ${{ github.repository }}

jobs:
  goreleaser:
    runs-on: ubuntu-latest

    permissions:
      contents: write
      packages: write
      id-token: write # needed for signing the images with GitHub OIDC Token **not production ready**

    steps:
      # Install the cosign tool except on PR
      # https://github.com/sigstore/cosign-installer
      - name: Install cosign
        uses: sigstore/cosign-installer@v4.1.2

      # Workaround: https://github.com/docker/build-push-action/issues/461
      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c

      # Login against a Docker registry except on PR
      # https://github.com/docker/login-action
      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Login against a Docker registry except on PR
      # https://github.com/docker/login-action
      - name: Log into registry dockerhub
        uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      # Install the cosign tool except on PR
      # https://github.com/sigstore/cosign-installer
      - name: Install cosign
        uses: sigstore/cosign-installer@v4.1.2

      - name: Checkout
        uses: actions/checkout@v7
        with:
          fetch-depth: 0

      - name: Setup Go
        uses: actions/setup-go@v6
        with:
          go-version: stable

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v7
        with:
          distribution: goreleaser
          version: latest
          args: release
        env:
          KEY: ${{ secrets.COSIGN_KEY }}
          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Release kube-linter
 
on:
  push:
    tags:
      - "v*"
 
env:
  # Use docker.io for Docker Hub if empty
  REGISTRY: ghcr.io
  # github.repository as <account>/<repo>
  IMAGE_NAME: ${{ github.repository }}
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  goreleaser:
    timeout-minutes: 30
    runs-on: latchkey-small
 
    permissions:
      contents: write
      packages: write
      id-token: write # needed for signing the images with GitHub OIDC Token **not production ready**
 
    steps:
      # Install the cosign tool except on PR
      # https://github.com/sigstore/cosign-installer
      - name: Install cosign
        uses: sigstore/cosign-installer@v4.1.2
 
      # Workaround: https://github.com/docker/build-push-action/issues/461
      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c
 
      # Login against a Docker registry except on PR
      # https://github.com/docker/login-action
      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
 
      # Login against a Docker registry except on PR
      # https://github.com/docker/login-action
      - name: Log into registry dockerhub
        uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
 
      # Install the cosign tool except on PR
      # https://github.com/sigstore/cosign-installer
      - name: Install cosign
        uses: sigstore/cosign-installer@v4.1.2
 
      - name: Checkout
        uses: actions/checkout@v7
        with:
          fetch-depth: 0
 
      - name: Setup Go
        uses: actions/setup-go@v6
        with:
          go-version: stable
 
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v7
        with:
          distribution: goreleaser
          version: latest
          args: release
        env:
          KEY: ${{ secrets.COSIGN_KEY }}
          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

What changed

2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow