Publish workflow (lutzroeder/netron)
The Publish workflow from lutzroeder/netron, explained and optimized by Latchkey.
CI health: D - needs work
Run this on Latchkey for self-healing, caching, and up to 58% lower cost.
Grade your own workflow free or run it on Latchkey →What it does
This is the Publish workflow from the lutzroeder/netron repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Publish
on:
push:
tags: [ 'v**' ]
jobs:
publish:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ macos-latest, ubuntu-latest, windows-latest ]
steps:
- name: Check out Git repository
uses: actions/checkout@v4
- name: Git credentials
run: |
git config --global user.name ${{ secrets.PUBLISH_GITHUB_USER_NAME }}
git config --global user.email ${{ secrets.PUBLISH_GITHUB_USER_EMAIL }}
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version: latest
- name: Install Python
uses: actions/setup-python@v5
with:
python-version: 3.x
- name: Install Packages
run: npm run install
- name: Publish Electron
shell: bash
env:
GITHUB_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }}
APPLE_API_KEY: ~/.private_keys/AuthKey_${{ secrets.APPLE_API_KEY_ID }}.p8
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
CSC_LINK: ${{ secrets.CSC_LINK }}
CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
run: |
npx electron-builder install-app-deps
case "${{ matrix.os }}" in
macos*)
mkdir -p ~/.private_keys
echo '${{ secrets.APPLE_API_KEY }}' > ~/.private_keys/AuthKey_${{ secrets.APPLE_API_KEY_ID }}.p8
npm run publish electron mac
;;
ubuntu*)
sudo apt-get install rpm --yes
npm run publish electron linux
;;
windows*)
unset CSC_LINK;
unset CSC_KEY_PASSWORD;
npm run publish electron windows
;;
esac
- if: startsWith(matrix.os, 'ubuntu')
name: Publish Python
env:
TWINE_USERNAME: __token__
TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
run: npm run publish python
- if: startsWith(matrix.os, 'ubuntu')
name: Publish Web
env:
GITHUB_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }}
GITHUB_USER: ${{ secrets.PUBLISH_GITHUB_USER }}
run: git push origin HEAD:release --force
- if: false # startsWith(matrix.os, 'macos')
name: Publish cask
env:
GITHUB_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }}
GITHUB_USER: ${{ secrets.PUBLISH_GITHUB_USER }}
run: npm run publish cask
- if: startsWith(matrix.os, 'windows')
name: Publish winget
env:
GITHUB_USER: ${{ secrets.PUBLISH_GITHUB_USER }}
GITHUB_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }}
WINGET_TOKEN: ${{ secrets.WINGET_TOKEN }}
run: npm run publish winget
The same workflow, on Latchkey
Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.
name: Publish on: push: tags: [ 'v**' ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: publish: timeout-minutes: 30 runs-on: ${{ matrix.os }} strategy: matrix: os: [ macos-latest, ubuntu-latest, windows-latest ] steps: - name: Check out Git repository uses: actions/checkout@v4 - name: Git credentials run: | git config --global user.name ${{ secrets.PUBLISH_GITHUB_USER_NAME }} git config --global user.email ${{ secrets.PUBLISH_GITHUB_USER_EMAIL }} - name: Install Node.js uses: actions/setup-node@v4 with: cache: 'npm' node-version: latest - name: Install Python uses: actions/setup-python@v5 with: python-version: 3.x - name: Install Packages run: npm run install - name: Publish Electron shell: bash env: GITHUB_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }} APPLE_API_KEY: ~/.private_keys/AuthKey_${{ secrets.APPLE_API_KEY_ID }}.p8 APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }} APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }} CSC_LINK: ${{ secrets.CSC_LINK }} CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }} AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} run: | npx electron-builder install-app-deps case "${{ matrix.os }}" in macos*) mkdir -p ~/.private_keys echo '${{ secrets.APPLE_API_KEY }}' > ~/.private_keys/AuthKey_${{ secrets.APPLE_API_KEY_ID }}.p8 npm run publish electron mac ;; ubuntu*) sudo apt-get install rpm --yes npm run publish electron linux ;; windows*) unset CSC_LINK; unset CSC_KEY_PASSWORD; npm run publish electron windows ;; esac - if: startsWith(matrix.os, 'ubuntu') name: Publish Python env: TWINE_USERNAME: __token__ TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }} run: npm run publish python - if: startsWith(matrix.os, 'ubuntu') name: Publish Web env: GITHUB_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }} GITHUB_USER: ${{ secrets.PUBLISH_GITHUB_USER }} run: git push origin HEAD:release --force - if: false # startsWith(matrix.os, 'macos') name: Publish cask env: GITHUB_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }} GITHUB_USER: ${{ secrets.PUBLISH_GITHUB_USER }} run: npm run publish cask - if: startsWith(matrix.os, 'windows') name: Publish winget env: GITHUB_USER: ${{ secrets.PUBLISH_GITHUB_USER }} GITHUB_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }} WINGET_TOKEN: ${{ secrets.WINGET_TOKEN }} run: npm run publish winget
What changed
- Cancel superseded runs when a branch or PR gets a newer push.
- Cache dependency installs on the setup step so they are served from cache.
- Add a job timeout so a hung step cannot burn hours of runner time.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- Dependency installs
This workflow runs 1 job (3 with the matrix expanded) per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.