Plan Release workflow (shipshapecode/tether)
The Plan Release workflow from shipshapecode/tether, explained and optimized by Latchkey.
CI health: B - good
Point runs-on at Latchkey and get job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Plan Release workflow from the shipshapecode/tether repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Plan Release
on:
workflow_dispatch:
push:
branches:
- main
- master
pull_request_target: # This workflow has permissions on the repo, do NOT run code from PRs in this workflow. See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
types:
- labeled
- unlabeled
concurrency:
group: plan-release # only the latest one of these should ever be running
cancel-in-progress: true
jobs:
should-run-release-plan-prepare:
name: Should we run release-plan prepare?
runs-on: ubuntu-latest
outputs:
should-prepare: ${{ steps.should-prepare.outputs.should-prepare }}
steps:
- uses: release-plan/actions/should-prepare-release@v1
with:
ref: 'master'
id: should-prepare
create-prepare-release-pr:
name: Create Prepare Release PR
runs-on: ubuntu-latest
timeout-minutes: 5
needs: should-run-release-plan-prepare
permissions:
contents: write
issues: read
pull-requests: write
if: needs.should-run-release-plan-prepare.outputs.should-prepare == 'true'
steps:
- uses: release-plan/actions/prepare@v1
name: Run release-plan prepare
with:
ref: 'master'
env:
GITHUB_AUTH: ${{ secrets.GITHUB_TOKEN }}
id: explanation
- uses: peter-evans/create-pull-request@v7
name: Create Prepare Release PR
with:
commit-message: "Prepare Release ${{ steps.explanation.outputs.new-version}} using 'release-plan'"
labels: "internal"
sign-commits: true
branch: release-preview
title: Prepare Release ${{ steps.explanation.outputs.new-version }}
body: |
This PR is a preview of the release that [release-plan](https://github.com/embroider-build/release-plan) has prepared. To release you should just merge this PR 👍
-----------------------------------------
${{ steps.explanation.outputs.text }}
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: Plan Release on: workflow_dispatch: push: branches: - main - master pull_request_target: # This workflow has permissions on the repo, do NOT run code from PRs in this workflow. See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ types: - labeled - unlabeled concurrency: group: plan-release # only the latest one of these should ever be running cancel-in-progress: true jobs: should-run-release-plan-prepare: timeout-minutes: 30 name: Should we run release-plan prepare? runs-on: latchkey-small outputs: should-prepare: ${{ steps.should-prepare.outputs.should-prepare }} steps: - uses: release-plan/actions/should-prepare-release@v1 with: ref: 'master' id: should-prepare create-prepare-release-pr: name: Create Prepare Release PR runs-on: latchkey-small timeout-minutes: 5 needs: should-run-release-plan-prepare permissions: contents: write issues: read pull-requests: write if: needs.should-run-release-plan-prepare.outputs.should-prepare == 'true' steps: - uses: release-plan/actions/prepare@v1 name: Run release-plan prepare with: ref: 'master' env: GITHUB_AUTH: ${{ secrets.GITHUB_TOKEN }} id: explanation - uses: peter-evans/create-pull-request@v7 name: Create Prepare Release PR with: commit-message: "Prepare Release ${{ steps.explanation.outputs.new-version}} using 'release-plan'" labels: "internal" sign-commits: true branch: release-preview title: Prepare Release ${{ steps.explanation.outputs.new-version }} body: | This PR is a preview of the release that [release-plan](https://github.com/embroider-build/release-plan) has prepared. To release you should just merge this PR 👍 ----------------------------------------- ${{ steps.explanation.outputs.text }}
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Add a job timeout so a hung step cannot burn hours of runner time.
2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
This workflow runs 2 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.