Protect OpenAPI Client workflow (langchain-ai/langsmith-sdk)
The Protect OpenAPI Client workflow from langchain-ai/langsmith-sdk, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Protect OpenAPI Client workflow from the langchain-ai/langsmith-sdk repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Protect OpenAPI Client
on:
pull_request:
branches: [main]
paths:
- "python/langsmith/_openapi_client/**"
- "js/src/_openapi_client/**"
permissions: {}
jobs:
check-openapi-client-changes:
name: Block unauthorized changes to _openapi_client
runs-on: ubuntu-latest
steps:
- name: Check if PR is from the authorized sync workflow
env:
HEAD_REF: ${{ github.head_ref }}
PR_AUTHOR: ${{ github.event.pull_request.user.login }}
run: |
echo "PR branch: $HEAD_REF"
echo "PR author: $PR_AUTHOR"
# The only authorized source for changes to python/langsmith/_openapi_client/
# is the sync_python_sdk workflow in langchain-ai/langchainplus, which opens
# PRs from the 'sync/langsmith-api' branch via the 'langtions-bot' app.
if [[ "$HEAD_REF" == "sync/langsmith-api" && "$PR_AUTHOR" == "langtions-bot[bot]" ]]; then
echo "✅ Changes to python/langsmith/_openapi_client/ are authorized (sync workflow)."
exit 0
fi
echo ""
echo "❌ Unauthorized changes detected in python/langsmith/_openapi_client/ or js/src/_openapi_client/"
echo ""
echo "These directories are auto-generated and must only be updated via the"
echo "stlc_sync_python_and_js_sdks workflow in langchain-ai/langchainplus:"
echo "https://github.com/langchain-ai/langchainplus/actions/workflows/stlc_sync_python_and_js_sdks.yml"
echo ""
echo "Please remove any modifications to python/langsmith/_openapi_client/ or js/src/_openapi_client/ from this PR."
exit 1
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: Protect OpenAPI Client on: pull_request: branches: [main] paths: - "python/langsmith/_openapi_client/**" - "js/src/_openapi_client/**" permissions: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: check-openapi-client-changes: timeout-minutes: 30 name: Block unauthorized changes to _openapi_client runs-on: latchkey-small steps: - name: Check if PR is from the authorized sync workflow env: HEAD_REF: ${{ github.head_ref }} PR_AUTHOR: ${{ github.event.pull_request.user.login }} run: | echo "PR branch: $HEAD_REF" echo "PR author: $PR_AUTHOR" # The only authorized source for changes to python/langsmith/_openapi_client/ # is the sync_python_sdk workflow in langchain-ai/langchainplus, which opens # PRs from the 'sync/langsmith-api' branch via the 'langtions-bot' app. if [[ "$HEAD_REF" == "sync/langsmith-api" && "$PR_AUTHOR" == "langtions-bot[bot]" ]]; then echo "✅ Changes to python/langsmith/_openapi_client/ are authorized (sync workflow)." exit 0 fi echo "" echo "❌ Unauthorized changes detected in python/langsmith/_openapi_client/ or js/src/_openapi_client/" echo "" echo "These directories are auto-generated and must only be updated via the" echo "stlc_sync_python_and_js_sdks workflow in langchain-ai/langchainplus:" echo "https://github.com/langchain-ai/langchainplus/actions/workflows/stlc_sync_python_and_js_sdks.yml" echo "" echo "Please remove any modifications to python/langsmith/_openapi_client/ or js/src/_openapi_client/ from this PR." exit 1
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cancel superseded runs when a branch or PR gets a newer push.
- Add a job timeout so a hung step cannot burn hours of runner time.
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.