Dependabot - Bump libs and cut release workflow (Unstructured-IO/unstructured-api)
The Dependabot - Bump libs and cut release workflow from Unstructured-IO/unstructured-api, explained and optimized by Latchkey.
CI health: C - fair
Run this on Latchkey for self-healing, caching, and up to 58% lower cost.
Grade your own workflow free or run it on Latchkey →What it does
This is the Dependabot - Bump libs and cut release workflow from the Unstructured-IO/unstructured-api repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Dependabot - Bump libs and cut release
on:
pull_request:
types:
- opened
- reopened
paths:
- 'uv.lock'
- 'pyproject.toml'
jobs:
bump-changelog:
runs-on: opensource-linux-8core
if: ${{ github.actor == 'dependabot[bot]' }}
permissions:
contents: write
steps:
- uses: actions/checkout@v5
- name: Read Python version from .python-version
run: echo "PYTHON_VERSION=$(cat .python-version)" >> $GITHUB_ENV
- name: Install uv
uses: astral-sh/setup-uv@v7
- name: Set up Python ${{ env.PYTHON_VERSION }}
run: uv python install ${{ env.PYTHON_VERSION }}
- name: Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@v2
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"
- name: Create release version
run: |
uv lock --upgrade
package=${{ steps.metadata.outputs.dependency-names }}
# Strip any [extras] from name
package=${package%\[*}
changelog_message="Bump $package to ${{ steps.metadata.outputs.new-version }}"
./scripts/version-increment.sh "$changelog_message"
make version-sync
- uses: stefanzweifel/git-auto-commit-action@v6
with:
commit_message: "Bump libraries and release"
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: Dependabot - Bump libs and cut release on: pull_request: types: - opened - reopened paths: - 'uv.lock' - 'pyproject.toml' concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: bump-changelog: timeout-minutes: 30 runs-on: opensource-linux-8core if: ${{ github.actor == 'dependabot[bot]' }} permissions: contents: write steps: - uses: actions/checkout@v5 - name: Read Python version from .python-version run: echo "PYTHON_VERSION=$(cat .python-version)" >> $GITHUB_ENV - name: Install uv uses: astral-sh/setup-uv@v7 - name: Set up Python ${{ env.PYTHON_VERSION }} run: uv python install ${{ env.PYTHON_VERSION }} - name: Dependabot metadata id: metadata uses: dependabot/fetch-metadata@v2 with: github-token: "${{ secrets.GITHUB_TOKEN }}" - name: Create release version run: | uv lock --upgrade package=${{ steps.metadata.outputs.dependency-names }} # Strip any [extras] from name package=${package%\[*} changelog_message="Bump $package to ${{ steps.metadata.outputs.new-version }}" ./scripts/version-increment.sh "$changelog_message" make version-sync - uses: stefanzweifel/git-auto-commit-action@v6 with: commit_message: "Bump libraries and release"
What changed
- Cancel superseded runs when a branch or PR gets a newer push.
- Add a job timeout so a hung step cannot burn hours of runner time.
3 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.