Skip to content
Latchkey

Dependabot - Bump libs and cut release workflow (Unstructured-IO/unstructured-api)

The Dependabot - Bump libs and cut release workflow from Unstructured-IO/unstructured-api, explained and optimized by Latchkey.

C

CI health: C - fair

Run this on Latchkey for self-healing, caching, and up to 58% lower cost.

Grade your own workflow free or run it on Latchkey →
Source: Unstructured-IO/unstructured-api.github/workflows/bump_libraries.yamlLicense Apache-2.0View source

What it does

This is the Dependabot - Bump libs and cut release workflow from the Unstructured-IO/unstructured-api repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Dependabot - Bump libs and cut release

on:
  pull_request:
    types:
      - opened
      - reopened
    paths:
      - 'uv.lock'
      - 'pyproject.toml'

jobs:
    bump-changelog:
        runs-on: opensource-linux-8core
        if: ${{ github.actor == 'dependabot[bot]' }}
        permissions:
          contents: write 
        steps:
        - uses: actions/checkout@v5
        - name: Read Python version from .python-version
          run: echo "PYTHON_VERSION=$(cat .python-version)" >> $GITHUB_ENV
        - name: Install uv
          uses: astral-sh/setup-uv@v7
        - name: Set up Python ${{ env.PYTHON_VERSION }}
          run: uv python install ${{ env.PYTHON_VERSION }}
        - name: Dependabot metadata
          id: metadata
          uses: dependabot/fetch-metadata@v2
          with:
            github-token: "${{ secrets.GITHUB_TOKEN }}"
        - name: Create release version
          run: |
            uv lock --upgrade
            package=${{ steps.metadata.outputs.dependency-names }}
            # Strip any [extras] from name
            package=${package%\[*}
            changelog_message="Bump $package to ${{ steps.metadata.outputs.new-version }}"
            ./scripts/version-increment.sh "$changelog_message"
            make version-sync
        - uses: stefanzweifel/git-auto-commit-action@v6
          with:
            commit_message: "Bump libraries and release"

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Dependabot - Bump libs and cut release
 
on:
  pull_request:
    types:
      - opened
      - reopened
    paths:
      - 'uv.lock'
      - 'pyproject.toml'
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
    bump-changelog:
      timeout-minutes: 30
        runs-on: opensource-linux-8core
        if: ${{ github.actor == 'dependabot[bot]' }}
        permissions:
          contents: write 
        steps:
        - uses: actions/checkout@v5
        - name: Read Python version from .python-version
          run: echo "PYTHON_VERSION=$(cat .python-version)" >> $GITHUB_ENV
        - name: Install uv
          uses: astral-sh/setup-uv@v7
        - name: Set up Python ${{ env.PYTHON_VERSION }}
          run: uv python install ${{ env.PYTHON_VERSION }}
        - name: Dependabot metadata
          id: metadata
          uses: dependabot/fetch-metadata@v2
          with:
            github-token: "${{ secrets.GITHUB_TOKEN }}"
        - name: Create release version
          run: |
            uv lock --upgrade
            package=${{ steps.metadata.outputs.dependency-names }}
            # Strip any [extras] from name
            package=${package%\[*}
            changelog_message="Bump $package to ${{ steps.metadata.outputs.new-version }}"
            ./scripts/version-increment.sh "$changelog_message"
            make version-sync
        - uses: stefanzweifel/git-auto-commit-action@v6
          with:
            commit_message: "Bump libraries and release"
 

What changed

3 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow