Skip to content
Latchkey

Publish workflow (lutzroeder/netron)

The Publish workflow from lutzroeder/netron, explained and optimized by Latchkey.

D

CI health: D - needs work

Run this on Latchkey for self-healing, caching, and up to 58% lower cost.

Grade your own workflow free or run it on Latchkey →
Source: lutzroeder/netron.github/workflows/publish.ymlLicense MITView source

What it does

This is the Publish workflow from the lutzroeder/netron repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)

name: Publish

on:
  push:
    tags: [ 'v**' ]

jobs:
  publish:
    runs-on: ${{ matrix.os }}

    strategy:
      matrix:
        os: [ macos-latest, ubuntu-latest, windows-latest ]

    steps:
      - name: Check out Git repository
        uses: actions/checkout@v4

      - name: Git credentials
        run: |
          git config --global user.name ${{ secrets.PUBLISH_GITHUB_USER_NAME }}
          git config --global user.email ${{ secrets.PUBLISH_GITHUB_USER_EMAIL }}

      - name: Install Node.js
        uses: actions/setup-node@v4
        with:
          node-version: latest

      - name: Install Python
        uses: actions/setup-python@v5
        with:
          python-version: 3.x

      - name: Install Packages
        run: npm run install

      - name: Publish Electron
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }}
          APPLE_API_KEY: ~/.private_keys/AuthKey_${{ secrets.APPLE_API_KEY_ID }}.p8
          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
          CSC_LINK: ${{ secrets.CSC_LINK }}
          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
        run: |
          npx electron-builder install-app-deps
          case "${{ matrix.os }}" in
            macos*)
              mkdir -p ~/.private_keys
              echo '${{ secrets.APPLE_API_KEY }}' > ~/.private_keys/AuthKey_${{ secrets.APPLE_API_KEY_ID }}.p8
              npm run publish electron mac
              ;;
            ubuntu*)
              sudo apt-get install rpm --yes
              npm run publish electron linux
              ;;
            windows*)
              unset CSC_LINK;
              unset CSC_KEY_PASSWORD;
              npm run publish electron windows
              ;;
          esac

      - if: startsWith(matrix.os, 'ubuntu')
        name: Publish Python
        env:
          TWINE_USERNAME: __token__
          TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
        run: npm run publish python

      - if: startsWith(matrix.os, 'ubuntu')
        name: Publish Web
        env:
          GITHUB_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }}
          GITHUB_USER: ${{ secrets.PUBLISH_GITHUB_USER }}
        run: git push origin HEAD:release --force

      - if: false # startsWith(matrix.os, 'macos')
        name: Publish cask
        env:
          GITHUB_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }}
          GITHUB_USER: ${{ secrets.PUBLISH_GITHUB_USER }}
        run: npm run publish cask

      - if: startsWith(matrix.os, 'windows')
        name: Publish winget
        env:
          GITHUB_USER: ${{ secrets.PUBLISH_GITHUB_USER }}
          GITHUB_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }}
          WINGET_TOKEN: ${{ secrets.WINGET_TOKEN }}
        run: npm run publish winget

The same workflow, on Latchkey

Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.

 
name: Publish
 
on:
  push:
    tags: [ 'v**' ]
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  publish:
    timeout-minutes: 30
    runs-on: ${{ matrix.os }}
 
    strategy:
      matrix:
        os: [ macos-latest, ubuntu-latest, windows-latest ]
 
    steps:
      - name: Check out Git repository
        uses: actions/checkout@v4
 
      - name: Git credentials
        run: |
          git config --global user.name ${{ secrets.PUBLISH_GITHUB_USER_NAME }}
          git config --global user.email ${{ secrets.PUBLISH_GITHUB_USER_EMAIL }}
 
      - name: Install Node.js
        uses: actions/setup-node@v4
        with:
          cache: 'npm'
          node-version: latest
 
      - name: Install Python
        uses: actions/setup-python@v5
        with:
          python-version: 3.x
 
      - name: Install Packages
        run: npm run install
 
      - name: Publish Electron
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }}
          APPLE_API_KEY: ~/.private_keys/AuthKey_${{ secrets.APPLE_API_KEY_ID }}.p8
          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
          CSC_LINK: ${{ secrets.CSC_LINK }}
          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
        run: |
          npx electron-builder install-app-deps
          case "${{ matrix.os }}" in
            macos*)
              mkdir -p ~/.private_keys
              echo '${{ secrets.APPLE_API_KEY }}' > ~/.private_keys/AuthKey_${{ secrets.APPLE_API_KEY_ID }}.p8
              npm run publish electron mac
              ;;
            ubuntu*)
              sudo apt-get install rpm --yes
              npm run publish electron linux
              ;;
            windows*)
              unset CSC_LINK;
              unset CSC_KEY_PASSWORD;
              npm run publish electron windows
              ;;
          esac
 
      - if: startsWith(matrix.os, 'ubuntu')
        name: Publish Python
        env:
          TWINE_USERNAME: __token__
          TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
        run: npm run publish python
 
      - if: startsWith(matrix.os, 'ubuntu')
        name: Publish Web
        env:
          GITHUB_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }}
          GITHUB_USER: ${{ secrets.PUBLISH_GITHUB_USER }}
        run: git push origin HEAD:release --force
 
      - if: false # startsWith(matrix.os, 'macos')
        name: Publish cask
        env:
          GITHUB_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }}
          GITHUB_USER: ${{ secrets.PUBLISH_GITHUB_USER }}
        run: npm run publish cask
 
      - if: startsWith(matrix.os, 'windows')
        name: Publish winget
        env:
          GITHUB_USER: ${{ secrets.PUBLISH_GITHUB_USER }}
          GITHUB_TOKEN: ${{ secrets.PUBLISH_GITHUB_TOKEN }}
          WINGET_TOKEN: ${{ secrets.WINGET_TOKEN }}
        run: npm run publish winget
 

What changed

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 1 job (3 with the matrix expanded) per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow