Skip to content
Latchkey

Fallback Publish npm on Release workflow (VRSEN/OpenSwarm)

The Fallback Publish npm on Release workflow from VRSEN/OpenSwarm, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get caching, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: VRSEN/OpenSwarm.github/workflows/publish-npm-on-release.ymlLicense MITView source

What it does

This is the Fallback Publish npm on Release workflow from the VRSEN/OpenSwarm repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Fallback Publish npm on Release

on:
  release:
    types:
      - published

permissions:
  contents: read

jobs:
  publish:
    if: github.repository == 'VRSEN/OpenSwarm'
    runs-on: ubuntu-latest
    env:
      NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      NPM_CONFIG_PROVENANCE: false
    steps:
      - name: Checkout release tag
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.release.tag_name }}

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: "https://registry.npmjs.org"

      - name: Validate release metadata
        shell: bash
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          set -euo pipefail

          if [[ -z "${NODE_AUTH_TOKEN}" ]]; then
            echo "NPM_TOKEN is required to publish to npm." >&2
            exit 1
          fi

          release_version="${RELEASE_TAG#v}"
          npm_tag=latest
          is_prerelease=false
          if [[ "$release_version" == *-* ]]; then
            is_prerelease=true
            npm_tag="${release_version#*-}"
            npm_tag="${npm_tag%%.*}"
          fi
          if [[ "$is_prerelease" != "${{ github.event.release.prerelease }}" ]]; then
            echo "Release prerelease flag must match semver prerelease suffix." >&2
            echo "tag=$RELEASE_TAG github_prerelease=${{ github.event.release.prerelease }}" >&2
            exit 1
          fi
          package_version="$(node -p "require('./package.json').version")"
          lock_version="$(node -p "require('./package-lock.json').packages[''].version")"
          python_version="$(python3 - <<'PY'
          import tomllib
          with open("pyproject.toml", "rb") as handle:
              print(tomllib.load(handle)["project"]["version"])
          PY
          )"

          if [[ ! "$RELEASE_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z][0-9A-Za-z.-]*)?$ ]]; then
            echo "Release tag must be vX.Y.Z or vX.Y.Z-prerelease, got: $RELEASE_TAG" >&2
            exit 1
          fi

          if [[ "$package_version" != "$release_version" || "$lock_version" != "$release_version" || "$python_version" != "$release_version" ]]; then
            echo "Release tag, package.json, package-lock.json, and pyproject.toml versions must match." >&2
            echo "tag=$release_version package=$package_version lock=$lock_version pyproject=$python_version" >&2
            exit 1
          fi

          mapfile -t assets < <(gh release view "$RELEASE_TAG" --json assets --jq '.assets[].name' | sort)
          required_assets=(
            agentswarm-darwin-arm64
            agentswarm-darwin-x64
            agentswarm-darwin-x64-baseline
            agentswarm-linux-arm64
            agentswarm-linux-arm64-musl
            agentswarm-linux-x64
            agentswarm-linux-x64-baseline
            agentswarm-linux-x64-baseline-musl
            agentswarm-linux-x64-musl
            agentswarm-windows-arm64.exe
            agentswarm-windows-x64.exe
            agentswarm-windows-x64-baseline.exe
          )

          for required in "${required_assets[@]}"; do
            if ! printf '%s\n' "${assets[@]}" | grep -Fxq "$required"; then
              echo "Release $RELEASE_TAG is missing required asset: $required" >&2
              exit 1
            fi
          done

          echo "NPM_TAG=$npm_tag" >> "$GITHUB_ENV"

      - name: Install dependencies
        run: npm ci

      - name: Download platform release assets
        shell: bash
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          set -euo pipefail
          mkdir -p dist
          gh release download "$RELEASE_TAG" --dir dist --clobber

      - name: Pack platform npm packages
        run: node scripts/package-platform-binaries.mjs dist platform-packages

      - name: Publish platform npm packages
        shell: bash
        run: |
          set -euo pipefail
          mapfile -t packages < <(find platform-packages -maxdepth 1 -name '*.tgz' -type f | sort)
          if (( ${#packages[@]} != 12 )); then
            echo "Expected 12 OpenSwarm platform packages, got ${#packages[@]}." >&2
            exit 1
          fi
          for package in "${packages[@]}"; do
            pkg_id="$(tar -xOf "$package" package/package.json | node -e "const fs=require('fs'); const pkg=JSON.parse(fs.readFileSync(0,'utf8')); console.log(pkg.name+'@'+pkg.version)")"
            if npm view "$pkg_id" version >/dev/null 2>&1; then
              echo "Skipping $pkg_id; already published."
              continue
            fi
            npm publish "./$package" --access public --tag "$NPM_TAG"
          done

      - name: Publish npm package
        run: npm publish --access public --tag "$NPM_TAG"

The same workflow, on Latchkey

Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.

name: Fallback Publish npm on Release
 
on:
  release:
    types:
      - published
 
permissions:
  contents: read
 
jobs:
  publish:
    timeout-minutes: 30
    if: github.repository == 'VRSEN/OpenSwarm'
    runs-on: latchkey-small
    env:
      NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      NPM_CONFIG_PROVENANCE: false
    steps:
      - name: Checkout release tag
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.release.tag_name }}
 
      - uses: actions/setup-node@v4
        with:
          cache: 'npm'
          node-version: 20
          registry-url: "https://registry.npmjs.org"
 
      - name: Validate release metadata
        shell: bash
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          set -euo pipefail
 
          if [[ -z "${NODE_AUTH_TOKEN}" ]]; then
            echo "NPM_TOKEN is required to publish to npm." >&2
            exit 1
          fi
 
          release_version="${RELEASE_TAG#v}"
          npm_tag=latest
          is_prerelease=false
          if [[ "$release_version" == *-* ]]; then
            is_prerelease=true
            npm_tag="${release_version#*-}"
            npm_tag="${npm_tag%%.*}"
          fi
          if [[ "$is_prerelease" != "${{ github.event.release.prerelease }}" ]]; then
            echo "Release prerelease flag must match semver prerelease suffix." >&2
            echo "tag=$RELEASE_TAG github_prerelease=${{ github.event.release.prerelease }}" >&2
            exit 1
          fi
          package_version="$(node -p "require('./package.json').version")"
          lock_version="$(node -p "require('./package-lock.json').packages[''].version")"
          python_version="$(python3 - <<'PY'
          import tomllib
          with open("pyproject.toml", "rb") as handle:
              print(tomllib.load(handle)["project"]["version"])
          PY
          )"
 
          if [[ ! "$RELEASE_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z][0-9A-Za-z.-]*)?$ ]]; then
            echo "Release tag must be vX.Y.Z or vX.Y.Z-prerelease, got: $RELEASE_TAG" >&2
            exit 1
          fi
 
          if [[ "$package_version" != "$release_version" || "$lock_version" != "$release_version" || "$python_version" != "$release_version" ]]; then
            echo "Release tag, package.json, package-lock.json, and pyproject.toml versions must match." >&2
            echo "tag=$release_version package=$package_version lock=$lock_version pyproject=$python_version" >&2
            exit 1
          fi
 
          mapfile -t assets < <(gh release view "$RELEASE_TAG" --json assets --jq '.assets[].name' | sort)
          required_assets=(
            agentswarm-darwin-arm64
            agentswarm-darwin-x64
            agentswarm-darwin-x64-baseline
            agentswarm-linux-arm64
            agentswarm-linux-arm64-musl
            agentswarm-linux-x64
            agentswarm-linux-x64-baseline
            agentswarm-linux-x64-baseline-musl
            agentswarm-linux-x64-musl
            agentswarm-windows-arm64.exe
            agentswarm-windows-x64.exe
            agentswarm-windows-x64-baseline.exe
          )
 
          for required in "${required_assets[@]}"; do
            if ! printf '%s\n' "${assets[@]}" | grep -Fxq "$required"; then
              echo "Release $RELEASE_TAG is missing required asset: $required" >&2
              exit 1
            fi
          done
 
          echo "NPM_TAG=$npm_tag" >> "$GITHUB_ENV"
 
      - name: Install dependencies
        run: npm ci
 
      - name: Download platform release assets
        shell: bash
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          set -euo pipefail
          mkdir -p dist
          gh release download "$RELEASE_TAG" --dir dist --clobber
 
      - name: Pack platform npm packages
        run: node scripts/package-platform-binaries.mjs dist platform-packages
 
      - name: Publish platform npm packages
        shell: bash
        run: |
          set -euo pipefail
          mapfile -t packages < <(find platform-packages -maxdepth 1 -name '*.tgz' -type f | sort)
          if (( ${#packages[@]} != 12 )); then
            echo "Expected 12 OpenSwarm platform packages, got ${#packages[@]}." >&2
            exit 1
          fi
          for package in "${packages[@]}"; do
            pkg_id="$(tar -xOf "$package" package/package.json | node -e "const fs=require('fs'); const pkg=JSON.parse(fs.readFileSync(0,'utf8')); console.log(pkg.name+'@'+pkg.version)")"
            if npm view "$pkg_id" version >/dev/null 2>&1; then
              echo "Skipping $pkg_id; already published."
              continue
            fi
            npm publish "./$package" --access public --tag "$NPM_TAG"
          done
 
      - name: Publish npm package
        run: npm publish --access public --tag "$NPM_TAG"
 

What changed

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow