Skip to content
Latchkey

Protect OpenAPI Client workflow (langchain-ai/langsmith-sdk)

The Protect OpenAPI Client workflow from langchain-ai/langsmith-sdk, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: langchain-ai/langsmith-sdk.github/workflows/protect-openapi-client.ymlLicense MITView source

What it does

This is the Protect OpenAPI Client workflow from the langchain-ai/langsmith-sdk repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Protect OpenAPI Client

on:
  pull_request:
    branches: [main]
    paths:
      - "python/langsmith/_openapi_client/**"
      - "js/src/_openapi_client/**"

permissions: {}

jobs:
  check-openapi-client-changes:
    name: Block unauthorized changes to _openapi_client
    runs-on: ubuntu-latest
    steps:
      - name: Check if PR is from the authorized sync workflow
        env:
          HEAD_REF: ${{ github.head_ref }}
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
        run: |
          echo "PR branch: $HEAD_REF"
          echo "PR author: $PR_AUTHOR"

          # The only authorized source for changes to python/langsmith/_openapi_client/
          # is the sync_python_sdk workflow in langchain-ai/langchainplus, which opens
          # PRs from the 'sync/langsmith-api' branch via the 'langtions-bot' app.
          if [[ "$HEAD_REF" == "sync/langsmith-api" && "$PR_AUTHOR" == "langtions-bot[bot]" ]]; then
            echo "✅ Changes to python/langsmith/_openapi_client/ are authorized (sync workflow)."
            exit 0
          fi

          echo ""
          echo "❌ Unauthorized changes detected in python/langsmith/_openapi_client/ or js/src/_openapi_client/"
          echo ""
          echo "These directories are auto-generated and must only be updated via the"
          echo "stlc_sync_python_and_js_sdks workflow in langchain-ai/langchainplus:"
          echo "https://github.com/langchain-ai/langchainplus/actions/workflows/stlc_sync_python_and_js_sdks.yml"
          echo ""
          echo "Please remove any modifications to python/langsmith/_openapi_client/ or js/src/_openapi_client/ from this PR."
          exit 1

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Protect OpenAPI Client
 
on:
  pull_request:
    branches: [main]
    paths:
      - "python/langsmith/_openapi_client/**"
      - "js/src/_openapi_client/**"
 
permissions: {}
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  check-openapi-client-changes:
    timeout-minutes: 30
    name: Block unauthorized changes to _openapi_client
    runs-on: latchkey-small
    steps:
      - name: Check if PR is from the authorized sync workflow
        env:
          HEAD_REF: ${{ github.head_ref }}
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
        run: |
          echo "PR branch: $HEAD_REF"
          echo "PR author: $PR_AUTHOR"
 
          # The only authorized source for changes to python/langsmith/_openapi_client/
          # is the sync_python_sdk workflow in langchain-ai/langchainplus, which opens
          # PRs from the 'sync/langsmith-api' branch via the 'langtions-bot' app.
          if [[ "$HEAD_REF" == "sync/langsmith-api" && "$PR_AUTHOR" == "langtions-bot[bot]" ]]; then
            echo "✅ Changes to python/langsmith/_openapi_client/ are authorized (sync workflow)."
            exit 0
          fi
 
          echo ""
          echo "❌ Unauthorized changes detected in python/langsmith/_openapi_client/ or js/src/_openapi_client/"
          echo ""
          echo "These directories are auto-generated and must only be updated via the"
          echo "stlc_sync_python_and_js_sdks workflow in langchain-ai/langchainplus:"
          echo "https://github.com/langchain-ai/langchainplus/actions/workflows/stlc_sync_python_and_js_sdks.yml"
          echo ""
          echo "Please remove any modifications to python/langsmith/_openapi_client/ or js/src/_openapi_client/ from this PR."
          exit 1
 

What changed

This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.