Fallback Publish npm on Release workflow (VRSEN/OpenSwarm)
The Fallback Publish npm on Release workflow from VRSEN/OpenSwarm, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get caching, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Fallback Publish npm on Release workflow from the VRSEN/OpenSwarm repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Fallback Publish npm on Release
on:
release:
types:
- published
permissions:
contents: read
jobs:
publish:
if: github.repository == 'VRSEN/OpenSwarm'
runs-on: ubuntu-latest
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_CONFIG_PROVENANCE: false
steps:
- name: Checkout release tag
uses: actions/checkout@v4
with:
ref: ${{ github.event.release.tag_name }}
- uses: actions/setup-node@v4
with:
node-version: 20
registry-url: "https://registry.npmjs.org"
- name: Validate release metadata
shell: bash
env:
GH_TOKEN: ${{ github.token }}
RELEASE_TAG: ${{ github.event.release.tag_name }}
run: |
set -euo pipefail
if [[ -z "${NODE_AUTH_TOKEN}" ]]; then
echo "NPM_TOKEN is required to publish to npm." >&2
exit 1
fi
release_version="${RELEASE_TAG#v}"
npm_tag=latest
is_prerelease=false
if [[ "$release_version" == *-* ]]; then
is_prerelease=true
npm_tag="${release_version#*-}"
npm_tag="${npm_tag%%.*}"
fi
if [[ "$is_prerelease" != "${{ github.event.release.prerelease }}" ]]; then
echo "Release prerelease flag must match semver prerelease suffix." >&2
echo "tag=$RELEASE_TAG github_prerelease=${{ github.event.release.prerelease }}" >&2
exit 1
fi
package_version="$(node -p "require('./package.json').version")"
lock_version="$(node -p "require('./package-lock.json').packages[''].version")"
python_version="$(python3 - <<'PY'
import tomllib
with open("pyproject.toml", "rb") as handle:
print(tomllib.load(handle)["project"]["version"])
PY
)"
if [[ ! "$RELEASE_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z][0-9A-Za-z.-]*)?$ ]]; then
echo "Release tag must be vX.Y.Z or vX.Y.Z-prerelease, got: $RELEASE_TAG" >&2
exit 1
fi
if [[ "$package_version" != "$release_version" || "$lock_version" != "$release_version" || "$python_version" != "$release_version" ]]; then
echo "Release tag, package.json, package-lock.json, and pyproject.toml versions must match." >&2
echo "tag=$release_version package=$package_version lock=$lock_version pyproject=$python_version" >&2
exit 1
fi
mapfile -t assets < <(gh release view "$RELEASE_TAG" --json assets --jq '.assets[].name' | sort)
required_assets=(
agentswarm-darwin-arm64
agentswarm-darwin-x64
agentswarm-darwin-x64-baseline
agentswarm-linux-arm64
agentswarm-linux-arm64-musl
agentswarm-linux-x64
agentswarm-linux-x64-baseline
agentswarm-linux-x64-baseline-musl
agentswarm-linux-x64-musl
agentswarm-windows-arm64.exe
agentswarm-windows-x64.exe
agentswarm-windows-x64-baseline.exe
)
for required in "${required_assets[@]}"; do
if ! printf '%s\n' "${assets[@]}" | grep -Fxq "$required"; then
echo "Release $RELEASE_TAG is missing required asset: $required" >&2
exit 1
fi
done
echo "NPM_TAG=$npm_tag" >> "$GITHUB_ENV"
- name: Install dependencies
run: npm ci
- name: Download platform release assets
shell: bash
env:
GH_TOKEN: ${{ github.token }}
RELEASE_TAG: ${{ github.event.release.tag_name }}
run: |
set -euo pipefail
mkdir -p dist
gh release download "$RELEASE_TAG" --dir dist --clobber
- name: Pack platform npm packages
run: node scripts/package-platform-binaries.mjs dist platform-packages
- name: Publish platform npm packages
shell: bash
run: |
set -euo pipefail
mapfile -t packages < <(find platform-packages -maxdepth 1 -name '*.tgz' -type f | sort)
if (( ${#packages[@]} != 12 )); then
echo "Expected 12 OpenSwarm platform packages, got ${#packages[@]}." >&2
exit 1
fi
for package in "${packages[@]}"; do
pkg_id="$(tar -xOf "$package" package/package.json | node -e "const fs=require('fs'); const pkg=JSON.parse(fs.readFileSync(0,'utf8')); console.log(pkg.name+'@'+pkg.version)")"
if npm view "$pkg_id" version >/dev/null 2>&1; then
echo "Skipping $pkg_id; already published."
continue
fi
npm publish "./$package" --access public --tag "$NPM_TAG"
done
- name: Publish npm package
run: npm publish --access public --tag "$NPM_TAG"
The same workflow, on Latchkey
Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.
name: Fallback Publish npm on Release on: release: types: - published permissions: contents: read jobs: publish: timeout-minutes: 30 if: github.repository == 'VRSEN/OpenSwarm' runs-on: latchkey-small env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} NPM_CONFIG_PROVENANCE: false steps: - name: Checkout release tag uses: actions/checkout@v4 with: ref: ${{ github.event.release.tag_name }} - uses: actions/setup-node@v4 with: cache: 'npm' node-version: 20 registry-url: "https://registry.npmjs.org" - name: Validate release metadata shell: bash env: GH_TOKEN: ${{ github.token }} RELEASE_TAG: ${{ github.event.release.tag_name }} run: | set -euo pipefail if [[ -z "${NODE_AUTH_TOKEN}" ]]; then echo "NPM_TOKEN is required to publish to npm." >&2 exit 1 fi release_version="${RELEASE_TAG#v}" npm_tag=latest is_prerelease=false if [[ "$release_version" == *-* ]]; then is_prerelease=true npm_tag="${release_version#*-}" npm_tag="${npm_tag%%.*}" fi if [[ "$is_prerelease" != "${{ github.event.release.prerelease }}" ]]; then echo "Release prerelease flag must match semver prerelease suffix." >&2 echo "tag=$RELEASE_TAG github_prerelease=${{ github.event.release.prerelease }}" >&2 exit 1 fi package_version="$(node -p "require('./package.json').version")" lock_version="$(node -p "require('./package-lock.json').packages[''].version")" python_version="$(python3 - <<'PY' import tomllib with open("pyproject.toml", "rb") as handle: print(tomllib.load(handle)["project"]["version"]) PY )" if [[ ! "$RELEASE_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z][0-9A-Za-z.-]*)?$ ]]; then echo "Release tag must be vX.Y.Z or vX.Y.Z-prerelease, got: $RELEASE_TAG" >&2 exit 1 fi if [[ "$package_version" != "$release_version" || "$lock_version" != "$release_version" || "$python_version" != "$release_version" ]]; then echo "Release tag, package.json, package-lock.json, and pyproject.toml versions must match." >&2 echo "tag=$release_version package=$package_version lock=$lock_version pyproject=$python_version" >&2 exit 1 fi mapfile -t assets < <(gh release view "$RELEASE_TAG" --json assets --jq '.assets[].name' | sort) required_assets=( agentswarm-darwin-arm64 agentswarm-darwin-x64 agentswarm-darwin-x64-baseline agentswarm-linux-arm64 agentswarm-linux-arm64-musl agentswarm-linux-x64 agentswarm-linux-x64-baseline agentswarm-linux-x64-baseline-musl agentswarm-linux-x64-musl agentswarm-windows-arm64.exe agentswarm-windows-x64.exe agentswarm-windows-x64-baseline.exe ) for required in "${required_assets[@]}"; do if ! printf '%s\n' "${assets[@]}" | grep -Fxq "$required"; then echo "Release $RELEASE_TAG is missing required asset: $required" >&2 exit 1 fi done echo "NPM_TAG=$npm_tag" >> "$GITHUB_ENV" - name: Install dependencies run: npm ci - name: Download platform release assets shell: bash env: GH_TOKEN: ${{ github.token }} RELEASE_TAG: ${{ github.event.release.tag_name }} run: | set -euo pipefail mkdir -p dist gh release download "$RELEASE_TAG" --dir dist --clobber - name: Pack platform npm packages run: node scripts/package-platform-binaries.mjs dist platform-packages - name: Publish platform npm packages shell: bash run: | set -euo pipefail mapfile -t packages < <(find platform-packages -maxdepth 1 -name '*.tgz' -type f | sort) if (( ${#packages[@]} != 12 )); then echo "Expected 12 OpenSwarm platform packages, got ${#packages[@]}." >&2 exit 1 fi for package in "${packages[@]}"; do pkg_id="$(tar -xOf "$package" package/package.json | node -e "const fs=require('fs'); const pkg=JSON.parse(fs.readFileSync(0,'utf8')); console.log(pkg.name+'@'+pkg.version)")" if npm view "$pkg_id" version >/dev/null 2>&1; then echo "Skipping $pkg_id; already published." continue fi npm publish "./$package" --access public --tag "$NPM_TAG" done - name: Publish npm package run: npm publish --access public --tag "$NPM_TAG"
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cache dependency installs on the setup step so they are served from cache.
- Add a job timeout so a hung step cannot burn hours of runner time.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- Dependency installs
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.