Skip to content
Latchkey

Release workflow (mongodb/motor)

The Release workflow from mongodb/motor, explained and optimized by Latchkey.

B

CI health: B - good

Point runs-on at Latchkey and get job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: mongodb/motor.github/workflows/release.ymlLicense Apache-2.0View source

What it does

This is the Release workflow from the mongodb/motor repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Release

on:
  workflow_dispatch:
    inputs:
      following_version:
        description: "The post (dev) version to set"
      dry_run:
        description: "Dry Run?"
        default: false
        type: boolean
  schedule:
    - cron:  '30 5 * * *'

env:
  # Changes per repo
  PRODUCT_NAME: Motor
  # Changes per branch
  EVERGREEN_PROJECT: motor
  # Constant
  # inputs will be empty on a scheduled run.  so, we only set dry_run
  # to 'false' when the input is set to 'false'.
  DRY_RUN: ${{ ! contains(inputs.dry_run, 'false') }}
  FOLLOWING_VERSION: ${{ inputs.following_version || '' }}

defaults:
  run:
    shell: bash -eux {0}

jobs:
  pre-publish:
    environment: release
    if: github.repository_owner == 'mongodb' || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
    outputs:
      version: ${{ steps.pre-publish.outputs.version }}
    steps:
      - uses: mongodb-labs/drivers-github-tools/secure-checkout@v3
        with:
          app_id: ${{ vars.APP_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}
      - uses: mongodb-labs/drivers-github-tools/setup@v3
        with:
          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
          aws_region_name: ${{ vars.AWS_REGION_NAME }}
          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
      - uses: mongodb-labs/drivers-github-tools/python/pre-publish@v3
        id: pre-publish
        with:
          dry_run: ${{ env.DRY_RUN }}

  build-dist:
    needs: [pre-publish]
    uses: ./.github/workflows/dist.yml
    with:
      ref: ${{ needs.pre-publish.outputs.version }}

  static-scan:
    needs: [pre-publish]
    uses: ./.github/workflows/codeql.yml
    with:
      ref: ${{ needs.pre-publish.outputs.version }}

  publish:
    needs: [build-dist, static-scan]
    name: Upload release to PyPI
    runs-on: ubuntu-latest
    environment: release
    permissions:
      id-token: write
    steps:
      - name: Download all the dists
        uses: actions/download-artifact@v8
        with:
          name: all-dist-${{ github.run_id }}
          path: dist/
      - name: Publish package distributions to TestPyPI
        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
        with:
          repository-url: https://test.pypi.org/legacy/
          skip-existing: true
          attestations: ${{ env.DRY_RUN }}
      - name: Publish package distributions to PyPI
        if: startsWith(env.DRY_RUN, 'false')
        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1

  post-publish:
    needs: [publish]
    runs-on: ubuntu-latest
    environment: release
    permissions:
      id-token: write
      contents: write
      attestations: write
      security-events: write
    steps:
      - uses: mongodb-labs/drivers-github-tools/secure-checkout@v3
        with:
          app_id: ${{ vars.APP_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}
      - uses: mongodb-labs/drivers-github-tools/setup@v3
        with:
          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
          aws_region_name: ${{ vars.AWS_REGION_NAME }}
          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
      - uses: mongodb-labs/drivers-github-tools/python/post-publish@v3
        with:
          following_version: ${{ env.FOLLOWING_VERSION }}
          product_name: ${{ env.PRODUCT_NAME }}
          evergreen_project: ${{ env.EVERGREEN_PROJECT }}
          token: ${{ github.token }}
          dry_run: ${{ env.DRY_RUN }}

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Release
 
on:
  workflow_dispatch:
    inputs:
      following_version:
        description: "The post (dev) version to set"
      dry_run:
        description: "Dry Run?"
        default: false
        type: boolean
  schedule:
    - cron:  '30 5 * * *'
 
env:
  # Changes per repo
  PRODUCT_NAME: Motor
  # Changes per branch
  EVERGREEN_PROJECT: motor
  # Constant
  # inputs will be empty on a scheduled run.  so, we only set dry_run
  # to 'false' when the input is set to 'false'.
  DRY_RUN: ${{ ! contains(inputs.dry_run, 'false') }}
  FOLLOWING_VERSION: ${{ inputs.following_version || '' }}
 
defaults:
  run:
    shell: bash -eux {0}
 
jobs:
  pre-publish:
    timeout-minutes: 30
    environment: release
    if: github.repository_owner == 'mongodb' || github.event_name == 'workflow_dispatch'
    runs-on: latchkey-small
    permissions:
      id-token: write
      contents: write
    outputs:
      version: ${{ steps.pre-publish.outputs.version }}
    steps:
      - uses: mongodb-labs/drivers-github-tools/secure-checkout@v3
        with:
          app_id: ${{ vars.APP_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}
      - uses: mongodb-labs/drivers-github-tools/setup@v3
        with:
          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
          aws_region_name: ${{ vars.AWS_REGION_NAME }}
          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
      - uses: mongodb-labs/drivers-github-tools/python/pre-publish@v3
        id: pre-publish
        with:
          dry_run: ${{ env.DRY_RUN }}
 
  build-dist:
    timeout-minutes: 30
    needs: [pre-publish]
    uses: ./.github/workflows/dist.yml
    with:
      ref: ${{ needs.pre-publish.outputs.version }}
 
  static-scan:
    timeout-minutes: 30
    needs: [pre-publish]
    uses: ./.github/workflows/codeql.yml
    with:
      ref: ${{ needs.pre-publish.outputs.version }}
 
  publish:
    timeout-minutes: 30
    needs: [build-dist, static-scan]
    name: Upload release to PyPI
    runs-on: latchkey-small
    environment: release
    permissions:
      id-token: write
    steps:
      - name: Download all the dists
        uses: actions/download-artifact@v8
        with:
          name: all-dist-${{ github.run_id }}
          path: dist/
      - name: Publish package distributions to TestPyPI
        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
        with:
          repository-url: https://test.pypi.org/legacy/
          skip-existing: true
          attestations: ${{ env.DRY_RUN }}
      - name: Publish package distributions to PyPI
        if: startsWith(env.DRY_RUN, 'false')
        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
 
  post-publish:
    timeout-minutes: 30
    needs: [publish]
    runs-on: latchkey-small
    environment: release
    permissions:
      id-token: write
      contents: write
      attestations: write
      security-events: write
    steps:
      - uses: mongodb-labs/drivers-github-tools/secure-checkout@v3
        with:
          app_id: ${{ vars.APP_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}
      - uses: mongodb-labs/drivers-github-tools/setup@v3
        with:
          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
          aws_region_name: ${{ vars.AWS_REGION_NAME }}
          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
      - uses: mongodb-labs/drivers-github-tools/python/post-publish@v3
        with:
          following_version: ${{ env.FOLLOWING_VERSION }}
          product_name: ${{ env.PRODUCT_NAME }}
          evergreen_project: ${{ env.EVERGREEN_PROJECT }}
          token: ${{ github.token }}
          dry_run: ${{ env.DRY_RUN }}
 

What changed

1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

This workflow runs 5 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow