Skip to content
Latchkey

Generate sha256 hashes for release files workflow (jgraph/drawio-desktop)

The Generate sha256 hashes for release files workflow from jgraph/drawio-desktop, explained and optimized by Latchkey.

A

CI health: A - excellent

Point runs-on at Latchkey and get job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: jgraph/drawio-desktop.github/workflows/hash-gen.ymlLicense Apache-2.0View source

What it does

This is the Generate sha256 hashes for release files workflow from the jgraph/drawio-desktop repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Generate sha256 hashes for release files

on:
  release:
    types: [published]

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      TAG: ${{ github.event.release.tag_name }}
    steps:
    - name: Generate and upload SHA256 hashes
      run: |
        # Download every asset attached to this release, compute SHA256 hashes,
        # and upload the result back to the same release as
        # Files-SHA256-Hashes.txt. Excludes any pre-existing hash file so a
        # re-run does not re-hash its own previous output.
        mkdir release-assets
        cd release-assets
        gh release download "$TAG" --repo "$GITHUB_REPOSITORY"
        find . -maxdepth 1 -type f ! -name 'Files-SHA256-Hashes.txt' -print0 \
          | xargs -0 sha256sum > ../Files-SHA256-Hashes.txt
        cd ..
        gh release upload "$TAG" Files-SHA256-Hashes.txt \
          --repo "$GITHUB_REPOSITORY" --clobber

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Generate sha256 hashes for release files
 
on:
  release:
    types: [published]
 
jobs:
  build:
    timeout-minutes: 30
    runs-on: latchkey-small
    permissions:
      contents: write
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      TAG: ${{ github.event.release.tag_name }}
    steps:
    - name: Generate and upload SHA256 hashes
      run: |
        # Download every asset attached to this release, compute SHA256 hashes,
        # and upload the result back to the same release as
        # Files-SHA256-Hashes.txt. Excludes any pre-existing hash file so a
        # re-run does not re-hash its own previous output.
        mkdir release-assets
        cd release-assets
        gh release download "$TAG" --repo "$GITHUB_REPOSITORY"
        find . -maxdepth 1 -type f ! -name 'Files-SHA256-Hashes.txt' -print0 \
          | xargs -0 sha256sum > ../Files-SHA256-Hashes.txt
        cd ..
        gh release upload "$TAG" Files-SHA256-Hashes.txt \
          --repo "$GITHUB_REPOSITORY" --clobber
 

What changed

This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.