Release workflow (developmentseed/lonboard)
The Release workflow from developmentseed/lonboard, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get run de-duplication, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Release workflow from the developmentseed/lonboard repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Release
# Only run on new tags starting with `v`
on:
push:
tags:
- "v*"
jobs:
build:
name: Build dist
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
- uses: actions/setup-python@v6
name: Install Python
with:
python-version: "3.11"
- uses: pnpm/action-setup@v6
# Note: this should stay synced with the volta-pinned version in
# package.json
- uses: actions/setup-node@v6
with:
node-version: "22"
cache: "pnpm"
- name: Install JS dependencies
run: pnpm install --frozen-lockfile
- name: Build JS bundle
run: pnpm run build
- name: Build dist
run: |
python -m pip install -U build
python -m build
- name: Ensure JS files included
run: |
# If no files with path lonboard/static, fail
unzip -l dist/*.whl | grep "lonboard/static" || exit 1
- uses: actions/upload-artifact@v7
with:
path: ./dist/
upload_pypi:
name: Upload release to PyPI
needs: [build]
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
runs-on: ubuntu-latest
environment:
# Note: this environment must be configured in the repo settings
name: pypi-release
url: https://pypi.org/p/lonboard
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
steps:
- uses: actions/download-artifact@v8
with:
name: artifact
path: dist
merge-multiple: true
- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
# Optional: test upload to Test PyPI instead of production PyPI
# with:
# repository-url: https://test.pypi.org/legacy/
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: Release # Only run on new tags starting with `v` on: push: tags: - "v*" concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: build: timeout-minutes: 30 name: Build dist runs-on: latchkey-small steps: - uses: actions/checkout@v7 - uses: actions/setup-python@v6 name: Install Python with: python-version: "3.11" - uses: pnpm/action-setup@v6 # Note: this should stay synced with the volta-pinned version in # package.json - uses: actions/setup-node@v6 with: node-version: "22" cache: "pnpm" - name: Install JS dependencies run: pnpm install --frozen-lockfile - name: Build JS bundle run: pnpm run build - name: Build dist run: | python -m pip install -U build python -m build - name: Ensure JS files included run: | # If no files with path lonboard/static, fail unzip -l dist/*.whl | grep "lonboard/static" || exit 1 - uses: actions/upload-artifact@v7 with: path: ./dist/ upload_pypi: timeout-minutes: 30 name: Upload release to PyPI needs: [build] if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') runs-on: latchkey-small environment: # Note: this environment must be configured in the repo settings name: pypi-release url: https://pypi.org/p/lonboard permissions: id-token: write # IMPORTANT: this permission is mandatory for trusted publishing steps: - uses: actions/download-artifact@v8 with: name: artifact path: dist merge-multiple: true - name: Publish package distributions to PyPI uses: pypa/gh-action-pypi-publish@release/v1 # Optional: test upload to Test PyPI instead of production PyPI # with: # repository-url: https://test.pypi.org/legacy/
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cancel superseded runs when a branch or PR gets a newer push.
- Add a job timeout so a hung step cannot burn hours of runner time.
2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- Dependency installs
This workflow runs 2 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.