CI workflow (aio-libs/janus)
The CI workflow from aio-libs/janus, explained and optimized by Latchkey.
CI health: F - at risk
Point runs-on at Latchkey and get caching, run de-duplication, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the CI workflow from the aio-libs/janus repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: CI
on:
push:
branches: [ master ]
tags: [ 'v*' ]
pull_request:
branches: [ master ]
schedule:
- cron: '0 6 * * *' # Daily 6AM UTC build
env:
COLOR: >- # Supposedly, pytest or coveragepy use this
yes
FORCE_COLOR: 1 # Request colored output from CLI tools supporting it
MYPY_FORCE_COLOR: 1 # MyPy's color enforcement
PIP_DISABLE_PIP_VERSION_CHECK: 1
PIP_NO_PYTHON_VERSION_WARNING: 1
PIP_NO_WARN_SCRIPT_LOCATION: 1
PRE_COMMIT_COLOR: always
PROJECT_NAME: janus
PY_COLORS: 1 # Recognized by the `py` package, dependency of `pytest`
PYTHONIOENCODING: utf-8
PYTHONUTF8: 1
jobs:
lint:
name: Linter
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Checkout
uses: actions/checkout@v7
- name: Setup Python
uses: actions/setup-python@v6
with:
python-version: 3.13
- name: Cache PyPI
uses: actions/cache@v6
with:
key: pip-lint-${{ hashFiles('requirements-dev.txt') }}
path: ~/.cache/pip
restore-keys: |
pip-lint-
- name: Install dependencies
uses: py-actions/py-dependency-install@v4.1.0
with:
path: requirements-dev.txt
- name: Run linters
run: |
make lint
unit:
name: Unit
strategy:
matrix:
python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
os: [ubuntu]
fail-fast:
false
runs-on: ${{ matrix.os }}-latest
timeout-minutes: 15
steps:
- name: Checkout
uses: actions/checkout@v7
- name: Setup Python ${{ matrix.python-version }}
uses: actions/setup-python@v6
with:
python-version: ${{ matrix.python-version }}
- name: Get pip cache dir
id: pip-cache
run: |
echo "dir=$(pip cache dir)" >> $GITHUB_OUTPUT # - name: Cache
shell: bash
- name: Cache PyPI
uses: actions/cache@v6
with:
key: pip-ci-${{ runner.os }}-${{ matrix.python-version }}-${{ hashFiles('requirements-dev.txt') }}
path: ${{ steps.pip-cache.outputs.dir }}
restore-keys: |
pip-ci-${{ runner.os }}-${{ matrix.python-version }}-
- name: Install dependencies
uses: py-actions/py-dependency-install@v4.1.0
with:
path: requirements-dev.txt
- name: Run unittests
env:
COLOR: 'yes'
run: |
pytest --cov=janus --cov=tests --cov-report=term --cov-report=xml:coverage.xml
- name: Upload coverage artifact
uses: aio-libs/prepare-coverage@v24.9.2
benchmark:
name: Benchmark
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- name: Checkout
uses: actions/checkout@v7
- name: Setup Python 3.13
uses: actions/setup-python@v6
with:
python-version: 3.13
- name: Get pip cache dir
id: pip-cache
run: |
echo "dir=$(pip cache dir)" >> $GITHUB_OUTPUT # - name: Cache
shell: bash
- name: Cache PyPI
uses: actions/cache@v6
with:
key: pip-ci-ubuntu-3.13-${{ hashFiles('requirements-dev.txt') }}
path: ${{ steps.pip-cache.outputs.dir }}
restore-keys: |
pip-ci-ubuntu-3.13-
- name: Install dependencies
uses: py-actions/py-dependency-install@v4.1.0
with:
path: requirements-dev.txt
- name: Run benchmarks
uses: CodSpeedHQ/action@v3
with:
token: ${{ secrets.CODSPEED_TOKEN }}
run: python -Im pytest --no-cov -vvvvv --codspeed
check: # The branch protection check
if: always()
needs: [lint, unit, benchmark]
runs-on: ubuntu-latest
steps:
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@release/v1
with:
jobs: ${{ toJSON(needs) }}
- name: Checkout
uses: actions/checkout@v7
- name: Upload coverage
uses: aio-libs/upload-coverage@v25.11.0
with:
token: ${{ secrets.CODECOV_TOKEN }}
deploy:
name: Deploy
needs: check
runs-on: ubuntu-latest
# Run only on pushing a tag
if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
permissions:
contents: write # IMPORTANT: mandatory for making GitHub Releases
id-token: write # IMPORTANT: mandatory for trusted publishing & sigstore
environment:
name: pypi
url: https://pypi.org/p/${{ env.PROJECT_NAME }}
steps:
- name: Checkout
uses: actions/checkout@v7
- name: Setup Python
uses: actions/setup-python@v6
with:
python-version: 3.13
- name: Install dependencies
uses: py-actions/py-dependency-install@v4.1.0
with:
path: requirements-dev.txt
- name: Install builder
run: |
python -m pip install wheel build
- name: Make dists
run: |
python -m build
- name: Login
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | gh auth login --with-token
- name: Make Release
uses: aio-libs/create-release@v1.6.6
with:
changes_file: CHANGES.rst
version_file: ${{ env.PROJECT_NAME }}/__init__.py
github_token: ${{ secrets.GITHUB_TOKEN }}
head_line: >-
{version} \({date}\)\n
# fix_issue_regex: >-
# :issue:`(\d+)`
# fix_issue_repl: >-
# #\1
- name: >-
Publish ππ¦ to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
- name: Sign the dists with Sigstore
uses: sigstore/gh-action-sigstore-python@v3.4.0
with:
inputs: >-
./dist/*.tar.gz
./dist/*.whl
- name: Upload artifact signatures to GitHub Release
# Confusingly, this action also supports updating releases, not
# just creating them. This is what we want here, since we've manually
# created the release above.
uses: softprops/action-gh-release@v3
with:
# dist/ contains the built packages, which smoketest-artifacts/
# contains the signatures and certificates.
files: dist/**
The same workflow, on Latchkey
Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.
name: CI on: push: branches: [ master ] tags: [ 'v*' ] pull_request: branches: [ master ] schedule: - cron: '0 6 * * *' # Daily 6AM UTC build env: COLOR: >- # Supposedly, pytest or coveragepy use this yes FORCE_COLOR: 1 # Request colored output from CLI tools supporting it MYPY_FORCE_COLOR: 1 # MyPy's color enforcement PIP_DISABLE_PIP_VERSION_CHECK: 1 PIP_NO_PYTHON_VERSION_WARNING: 1 PIP_NO_WARN_SCRIPT_LOCATION: 1 PRE_COMMIT_COLOR: always PROJECT_NAME: janus PY_COLORS: 1 # Recognized by the `py` package, dependency of `pytest` PYTHONIOENCODING: utf-8 PYTHONUTF8: 1 concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: lint: name: Linter runs-on: latchkey-small timeout-minutes: 5 steps: - name: Checkout uses: actions/checkout@v7 - name: Setup Python uses: actions/setup-python@v6 with: cache: 'pip' python-version: 3.13 - name: Cache PyPI uses: actions/cache@v6 with: key: pip-lint-${{ hashFiles('requirements-dev.txt') }} path: ~/.cache/pip restore-keys: | pip-lint- - name: Install dependencies uses: py-actions/py-dependency-install@v4.1.0 with: path: requirements-dev.txt - name: Run linters run: | make lint unit: name: Unit strategy: matrix: python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"] os: [ubuntu] fail-fast: false runs-on: ${{ matrix.os }}-latest timeout-minutes: 15 steps: - name: Checkout uses: actions/checkout@v7 - name: Setup Python ${{ matrix.python-version }} uses: actions/setup-python@v6 with: cache: 'pip' python-version: ${{ matrix.python-version }} - name: Get pip cache dir id: pip-cache run: | echo "dir=$(pip cache dir)" >> $GITHUB_OUTPUT # - name: Cache shell: bash - name: Cache PyPI uses: actions/cache@v6 with: key: pip-ci-${{ runner.os }}-${{ matrix.python-version }}-${{ hashFiles('requirements-dev.txt') }} path: ${{ steps.pip-cache.outputs.dir }} restore-keys: | pip-ci-${{ runner.os }}-${{ matrix.python-version }}- - name: Install dependencies uses: py-actions/py-dependency-install@v4.1.0 with: path: requirements-dev.txt - name: Run unittests env: COLOR: 'yes' run: | pytest --cov=janus --cov=tests --cov-report=term --cov-report=xml:coverage.xml - name: Upload coverage artifact uses: aio-libs/prepare-coverage@v24.9.2 benchmark: name: Benchmark runs-on: latchkey-small timeout-minutes: 15 steps: - name: Checkout uses: actions/checkout@v7 - name: Setup Python 3.13 uses: actions/setup-python@v6 with: cache: 'pip' python-version: 3.13 - name: Get pip cache dir id: pip-cache run: | echo "dir=$(pip cache dir)" >> $GITHUB_OUTPUT # - name: Cache shell: bash - name: Cache PyPI uses: actions/cache@v6 with: key: pip-ci-ubuntu-3.13-${{ hashFiles('requirements-dev.txt') }} path: ${{ steps.pip-cache.outputs.dir }} restore-keys: | pip-ci-ubuntu-3.13- - name: Install dependencies uses: py-actions/py-dependency-install@v4.1.0 with: path: requirements-dev.txt - name: Run benchmarks uses: CodSpeedHQ/action@v3 with: token: ${{ secrets.CODSPEED_TOKEN }} run: python -Im pytest --no-cov -vvvvv --codspeed check: # The branch protection check timeout-minutes: 30 if: always() needs: [lint, unit, benchmark] runs-on: latchkey-small steps: - name: Decide whether the needed jobs succeeded or failed uses: re-actors/alls-green@release/v1 with: jobs: ${{ toJSON(needs) }} - name: Checkout uses: actions/checkout@v7 - name: Upload coverage uses: aio-libs/upload-coverage@v25.11.0 with: token: ${{ secrets.CODECOV_TOKEN }} deploy: timeout-minutes: 30 name: Deploy needs: check runs-on: latchkey-small # Run only on pushing a tag if: github.event_name == 'push' && contains(github.ref, 'refs/tags/') permissions: contents: write # IMPORTANT: mandatory for making GitHub Releases id-token: write # IMPORTANT: mandatory for trusted publishing & sigstore environment: name: pypi url: https://pypi.org/p/${{ env.PROJECT_NAME }} steps: - name: Checkout uses: actions/checkout@v7 - name: Setup Python uses: actions/setup-python@v6 with: cache: 'pip' python-version: 3.13 - name: Install dependencies uses: py-actions/py-dependency-install@v4.1.0 with: path: requirements-dev.txt - name: Install builder run: | python -m pip install wheel build - name: Make dists run: | python -m build - name: Login run: | echo "${{ secrets.GITHUB_TOKEN }}" | gh auth login --with-token - name: Make Release uses: aio-libs/create-release@v1.6.6 with: changes_file: CHANGES.rst version_file: ${{ env.PROJECT_NAME }}/__init__.py github_token: ${{ secrets.GITHUB_TOKEN }} head_line: >- {version} \({date}\)\n # fix_issue_regex: >- # :issue:`(\d+)` # fix_issue_repl: >- # #\1 - name: >- Publish ππ¦ to PyPI uses: pypa/gh-action-pypi-publish@release/v1 - name: Sign the dists with Sigstore uses: sigstore/gh-action-sigstore-python@v3.4.0 with: inputs: >- ./dist/*.tar.gz ./dist/*.whl - name: Upload artifact signatures to GitHub Release # Confusingly, this action also supports updating releases, not # just creating them. This is what we want here, since we've manually # created the release above. uses: softprops/action-gh-release@v3 with: # dist/ contains the built packages, which smoketest-artifacts/ # contains the signatures and certificates. files: dist/**
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cancel superseded runs when a branch or PR gets a newer push.
- Cache dependency installs on the setup step so they are served from cache.
- Add a job timeout so a hung step cannot burn hours of runner time.
9 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- Dependency installs
This workflow runs 5 jobs (9 with the matrix expanded) per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.