Deployment π workflow (minitap-ai/mobile-use)
The Deployment π workflow from minitap-ai/mobile-use, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get run de-duplication, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Deployment π workflow from the minitap-ai/mobile-use repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Deployment π
on:
push:
tags: [ "v*" ]
jobs:
verify-tag:
runs-on: ubuntu-latest
steps:
- name: Clone the repository
uses: actions/checkout@v5
- name: Install uv
uses: astral-sh/setup-uv@v6
with:
enable-cache: true
- name: Get package version
run: |
PACKAGE_VERSION="$(uv run python -c 'import tomllib; print(tomllib.load(open("pyproject.toml","rb"))["project"]["version"])')"
echo "PACKAGE_VERSION=$PACKAGE_VERSION" >> $GITHUB_ENV
- name: Check tag version
uses: minitap-ai/devops-common/.github/actions/check-tag-version@v1
with:
expected-tag-version: ${{ env.PACKAGE_VERSION }}
dockerhub:
runs-on: ubuntu-latest
needs: verify-tag
permissions:
contents: read
environment:
name: DockerHub
url: https://hub.docker.com/r/minitap/mobile-use
steps:
- name: Clone the repository
uses: actions/checkout@v5
- uses: minitap-ai/devops-common/.github/actions/dockerhub-build-push@v1
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
github-token: ${{ secrets.GITHUB_TOKEN }}
image-name: minitap/${{ vars.IMAGE_NAME }}
dockerfile: ${{ github.workspace }}/Dockerfile
docker-gcp:
runs-on: ubuntu-latest
needs: verify-tag
permissions:
contents: read
environment: GCP
steps:
- name: Clone the repository
uses: actions/checkout@v5
- uses: minitap-ai/devops-common/.github/actions/gcp-docker-build-push@v1
with:
gcp-credentials: ${{ secrets.GCP_SA_KEY }}
gcp-project-id: ${{ vars.GCP_PROJECT_ID }}
gcp-region: ${{ vars.GCP_REGION }}
gcp-artifact-repo: ${{ vars.GCP_ARTIFACT_REPO }}
github-token: ${{ secrets.GITHUB_TOKEN }}
image-name: ${{ vars.IMAGE_NAME }}-slim
dockerfile: ${{ github.workspace }}/slim.Dockerfile
pypi:
runs-on: ubuntu-latest
needs: verify-tag
permissions:
contents: read
id-token: write
environment:
name: PyPI
url: https://pypi.org/project/minitap-mobile-use/
steps:
- name: Clone the repository
uses: actions/checkout@v5
- name: Install uv
uses: astral-sh/setup-uv@v6
with:
enable-cache: true
- name: Build package
run: uv build
- name: Publish package
run: uv publish
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: Deployment π on: push: tags: [ "v*" ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: verify-tag: timeout-minutes: 30 runs-on: latchkey-small steps: - name: Clone the repository uses: actions/checkout@v5 - name: Install uv uses: astral-sh/setup-uv@v6 with: enable-cache: true - name: Get package version run: | PACKAGE_VERSION="$(uv run python -c 'import tomllib; print(tomllib.load(open("pyproject.toml","rb"))["project"]["version"])')" echo "PACKAGE_VERSION=$PACKAGE_VERSION" >> $GITHUB_ENV - name: Check tag version uses: minitap-ai/devops-common/.github/actions/check-tag-version@v1 with: expected-tag-version: ${{ env.PACKAGE_VERSION }} dockerhub: timeout-minutes: 30 runs-on: latchkey-small needs: verify-tag permissions: contents: read environment: name: DockerHub url: https://hub.docker.com/r/minitap/mobile-use steps: - name: Clone the repository uses: actions/checkout@v5 - uses: minitap-ai/devops-common/.github/actions/dockerhub-build-push@v1 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} github-token: ${{ secrets.GITHUB_TOKEN }} image-name: minitap/${{ vars.IMAGE_NAME }} dockerfile: ${{ github.workspace }}/Dockerfile docker-gcp: timeout-minutes: 30 runs-on: latchkey-small needs: verify-tag permissions: contents: read environment: GCP steps: - name: Clone the repository uses: actions/checkout@v5 - uses: minitap-ai/devops-common/.github/actions/gcp-docker-build-push@v1 with: gcp-credentials: ${{ secrets.GCP_SA_KEY }} gcp-project-id: ${{ vars.GCP_PROJECT_ID }} gcp-region: ${{ vars.GCP_REGION }} gcp-artifact-repo: ${{ vars.GCP_ARTIFACT_REPO }} github-token: ${{ secrets.GITHUB_TOKEN }} image-name: ${{ vars.IMAGE_NAME }}-slim dockerfile: ${{ github.workspace }}/slim.Dockerfile pypi: timeout-minutes: 30 runs-on: latchkey-small needs: verify-tag permissions: contents: read id-token: write environment: name: PyPI url: https://pypi.org/project/minitap-mobile-use/ steps: - name: Clone the repository uses: actions/checkout@v5 - name: Install uv uses: astral-sh/setup-uv@v6 with: enable-cache: true - name: Build package run: uv build - name: Publish package run: uv publish
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cancel superseded runs when a branch or PR gets a newer push.
- Add a job timeout so a hung step cannot burn hours of runner time.
2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
This workflow runs 4 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.