Create Release Pull Request workflow (simple-icons/simple-icons)
The Create Release Pull Request workflow from simple-icons/simple-icons, explained and optimized by Latchkey.
CI health: B - good
Point runs-on at Latchkey and get job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Create Release Pull Request workflow from the simple-icons/simple-icons repository, a real project running GitHub Actions. It is shown here with attribution under its CC0-1.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Create Release Pull Request
on:
# THIS WORKFLOW SHOULD NEVER BE TRIGGERED ON A PUSH EVENT. IF TRIGGERED ON A
# PUSH EVENT IT MAY CREATE AN ENDLESS STREAM OF 'version bump' COMMITS.
workflow_dispatch:
schedule:
# "At 00:00 on Sunday" (https://crontab.guru/once-a-week)
- cron: '0 0 * * 0'
# This Workflow can be triggered manually through the GitHub UI or API. For the
# API use the following request:
# curl -X POST \
# -H "Authorization: Bearer <token>" \
# -d '{"ref":"develop"}' \
# https://api.github.com/repos/simple-icons/simple-icons/actions/workflows/create-release.yml/dispatches
# Replacing <token> by a personal access token with scope `public_repo`
jobs:
check-is-fork:
name: Check if running in a fork
runs-on: ubuntu-latest
permissions: {}
outputs:
is-fork: ${{ steps.check.outputs.is-fork }}
steps:
- uses: actions/checkout@v6
- uses: ./.github/actions/check-is-fork
id: check
with:
in-fork-message: 'Create Release Pull Request workflow only can run in the main repository, skipping.'
release-pr:
runs-on: ubuntu-latest
needs: check-is-fork
permissions:
contents: read
pull-requests: write
issues: write
if: |
github.event_name != 'push' &&
needs.check-is-fork.outputs.is-fork != 'true'
outputs:
did-create-pr: ${{ steps.release.outputs.did-create-pr }}
new-version: ${{ steps.release.outputs.new-version }}
steps:
- uses: actions/create-github-app-token@v3
id: app-token
with:
client-id: ${{ secrets.BOT_CLIENT_ID }}
private-key: ${{ secrets.BOT_PRIVATE_KEY }}
- uses: simple-icons/release-action@v3
id: release
with:
repo-token: ${{ steps.app-token.outputs.token }}
version-bump:
runs-on: ubuntu-latest
needs: release-pr
permissions:
contents: write
if: |
github.event_name != 'push' &&
needs.release-pr.outputs.did-create-pr == 'true'
steps:
- uses: actions/create-github-app-token@v3
id: app-token
with:
client-id: ${{ secrets.BOT_CLIENT_ID }}
private-key: ${{ secrets.BOT_PRIVATE_KEY }}
- name: Checkout
uses: actions/checkout@v6
with:
# Ensure the commit can be pushed regardless of branch protections (must belong to an admin of this repo)
token: ${{ steps.app-token.outputs.token }}
# Ensure we are checked out on the develop branch
ref: develop
- name: Use Node.js
uses: actions/setup-node@v6
with:
node-version-file: .node-version
cache: npm
cache-dependency-path: '**/package-lock.json'
- name: Bump version
run: |
npm version --no-commit-hooks --no-git-tag-version \
"${{ needs.release-pr.outputs.new-version }}"
- name: Install dependencies
run: npm ci --no-audit --no-fund
- name: Update major version in CDN URLs
run: node scripts/release/update-cdn-urls.js
- name: Update SVGs count milestone
run: node scripts/release/update-svgs-count.js
- name: Update slugs table
run: node scripts/release/update-slugs-table.js
- name: Update SDK Typescript definitions
run: node scripts/release/update-sdk-ts-defs.js
- name: Commit version bump
uses: stefanzweifel/git-auto-commit-action@v7
with:
commit_message: Bump version to ${{ needs.release-pr.outputs.new-version }}
commit_user_name: 'simple-icons[bot]'
commit_user_email: 'simple-icons[bot]@users.noreply.github.com'
commit_author: 'simple-icons[bot] <simple-icons[bot]@users.noreply.github.com>'
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: Create Release Pull Request on: # THIS WORKFLOW SHOULD NEVER BE TRIGGERED ON A PUSH EVENT. IF TRIGGERED ON A # PUSH EVENT IT MAY CREATE AN ENDLESS STREAM OF 'version bump' COMMITS. workflow_dispatch: schedule: # "At 00:00 on Sunday" (https://crontab.guru/once-a-week) - cron: '0 0 * * 0' # This Workflow can be triggered manually through the GitHub UI or API. For the # API use the following request: # curl -X POST \ # -H "Authorization: Bearer <token>" \ # -d '{"ref":"develop"}' \ # https://api.github.com/repos/simple-icons/simple-icons/actions/workflows/create-release.yml/dispatches # Replacing <token> by a personal access token with scope `public_repo` jobs: check-is-fork: timeout-minutes: 30 name: Check if running in a fork runs-on: latchkey-small permissions: {} outputs: is-fork: ${{ steps.check.outputs.is-fork }} steps: - uses: actions/checkout@v6 - uses: ./.github/actions/check-is-fork id: check with: in-fork-message: 'Create Release Pull Request workflow only can run in the main repository, skipping.' release-pr: timeout-minutes: 30 runs-on: latchkey-small needs: check-is-fork permissions: contents: read pull-requests: write issues: write if: | github.event_name != 'push' && needs.check-is-fork.outputs.is-fork != 'true' outputs: did-create-pr: ${{ steps.release.outputs.did-create-pr }} new-version: ${{ steps.release.outputs.new-version }} steps: - uses: actions/create-github-app-token@v3 id: app-token with: client-id: ${{ secrets.BOT_CLIENT_ID }} private-key: ${{ secrets.BOT_PRIVATE_KEY }} - uses: simple-icons/release-action@v3 id: release with: repo-token: ${{ steps.app-token.outputs.token }} version-bump: timeout-minutes: 30 runs-on: latchkey-small needs: release-pr permissions: contents: write if: | github.event_name != 'push' && needs.release-pr.outputs.did-create-pr == 'true' steps: - uses: actions/create-github-app-token@v3 id: app-token with: client-id: ${{ secrets.BOT_CLIENT_ID }} private-key: ${{ secrets.BOT_PRIVATE_KEY }} - name: Checkout uses: actions/checkout@v6 with: # Ensure the commit can be pushed regardless of branch protections (must belong to an admin of this repo) token: ${{ steps.app-token.outputs.token }} # Ensure we are checked out on the develop branch ref: develop - name: Use Node.js uses: actions/setup-node@v6 with: node-version-file: .node-version cache: npm cache-dependency-path: '**/package-lock.json' - name: Bump version run: | npm version --no-commit-hooks --no-git-tag-version \ "${{ needs.release-pr.outputs.new-version }}" - name: Install dependencies run: npm ci --no-audit --no-fund - name: Update major version in CDN URLs run: node scripts/release/update-cdn-urls.js - name: Update SVGs count milestone run: node scripts/release/update-svgs-count.js - name: Update slugs table run: node scripts/release/update-slugs-table.js - name: Update SDK Typescript definitions run: node scripts/release/update-sdk-ts-defs.js - name: Commit version bump uses: stefanzweifel/git-auto-commit-action@v7 with: commit_message: Bump version to ${{ needs.release-pr.outputs.new-version }} commit_user_name: 'simple-icons[bot]' commit_user_email: 'simple-icons[bot]@users.noreply.github.com' commit_author: 'simple-icons[bot] <simple-icons[bot]@users.noreply.github.com>'
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Add a job timeout so a hung step cannot burn hours of runner time.
2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- Dependency installs
- Network fetches
This workflow runs 3 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.