Skip to content
Latchkey

Staging Deployment workflow (openreview/openreview-py)

The Staging Deployment workflow from openreview/openreview-py, explained and optimized by Latchkey.

B

CI health: B - good

Point runs-on at Latchkey and get job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: openreview/openreview-py.github/workflows/deploy-dev.ymlLicense MITView source

What it does

This is the Staging Deployment workflow from the openreview/openreview-py repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
# This workflow deploys any branch or tag to the staging environment.

name: Staging Deployment

on:
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
    inputs:
      tag:
        description: The branch, tag, or commit hash to deploy
        required: false
        default: master
        type: string
  repository_dispatch:
    types: [openreview-py-updated]

jobs:
  deploy:
    # Allow the job to fetch a GitHub ID token
    permissions:
      id-token: write
      contents: read
    runs-on: ubuntu-latest
    env:
      TAG: ${{ github.event.inputs.tag }}
    steps:
      - uses: actions/checkout@v3
      - name: Authenticate with Google Cloud
        id: auth
        uses: google-github-actions/auth@v1
        with:
          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
          create_credentials_file: true
          cleanup_credentials: true
          export_environment_variables: true
      - name: Setup gcloud
        uses: google-github-actions/setup-gcloud@v2
      - name: Run deploy script
        run: |
          instance_prefix='dev-instance'

          instances=$(gcloud compute instances list | grep "$instance_prefix" | grep RUNNING | tr -s ' ' | cut -d' ' -f1,2)

          instances_arr=(${instances// / })

          instance_names=()
          zones=()
          for i in ${!instances_arr[@]}; do
            if echo "${instances_arr[$i]}" | grep -q "$instance_prefix"; then
              instance_names+=(${instances_arr[$i]})
            else
              zones+=(${instances_arr[$i]})
            fi
          done

          for i in ${!instance_names[@]}; do
            echo Deploying to ${instance_names[$i]}
            gcloud compute ssh --zone ${zones[$i]} --tunnel-through-iap openreview@${instance_names[$i]} --command "bash bin/deploy-openreview-py.sh ${TAG}"
          done

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

# This workflow deploys any branch or tag to the staging environment.
 
name: Staging Deployment
 
on:
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
    inputs:
      tag:
        description: The branch, tag, or commit hash to deploy
        required: false
        default: master
        type: string
  repository_dispatch:
    types: [openreview-py-updated]
 
jobs:
  deploy:
    timeout-minutes: 30
    # Allow the job to fetch a GitHub ID token
    permissions:
      id-token: write
      contents: read
    runs-on: latchkey-small
    env:
      TAG: ${{ github.event.inputs.tag }}
    steps:
      - uses: actions/checkout@v3
      - name: Authenticate with Google Cloud
        id: auth
        uses: google-github-actions/auth@v1
        with:
          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
          create_credentials_file: true
          cleanup_credentials: true
          export_environment_variables: true
      - name: Setup gcloud
        uses: google-github-actions/setup-gcloud@v2
      - name: Run deploy script
        run: |
          instance_prefix='dev-instance'
 
          instances=$(gcloud compute instances list | grep "$instance_prefix" | grep RUNNING | tr -s ' ' | cut -d' ' -f1,2)
 
          instances_arr=(${instances// / })
 
          instance_names=()
          zones=()
          for i in ${!instances_arr[@]}; do
            if echo "${instances_arr[$i]}" | grep -q "$instance_prefix"; then
              instance_names+=(${instances_arr[$i]})
            else
              zones+=(${instances_arr[$i]})
            fi
          done
 
          for i in ${!instance_names[@]}; do
            echo Deploying to ${instance_names[$i]}
            gcloud compute ssh --zone ${zones[$i]} --tunnel-through-iap openreview@${instance_names[$i]} --command "bash bin/deploy-openreview-py.sh ${TAG}"
          done
 

What changed

2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow