Skip to content
Latchkey

Publish to PyPI workflow (CalebBell/ht)

The Publish to PyPI workflow from CalebBell/ht, explained and optimized by Latchkey.

B

CI health: B - good

Point runs-on at Latchkey and get job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: CalebBell/ht.github/workflows/publish-pypi.ymlLicense MITView source

What it does

This is the Publish to PyPI workflow from the CalebBell/ht repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Publish to PyPI
on:
  release:
    types: [published]

permissions:
  id-token: write
  contents: read
jobs:
  test:
    uses: ./.github/workflows/quality.yml
  
  publish:
    # This job publishes to PyPI when a GitHub release is created with a tag starting with 'v' on the release branch.
    #
    # Requirements:
    # - Repository admin must create a release with a tag starting with 'v' (e.g., v1.2.3)
    # - The tag must be created on the 'release' branch
    # - The release branch is protected by rulesets requiring all changes go through PR review
    #
    # Security notes:
    # - The tag and branch checks in this job are soft checks (can be bypassed by modifying workflow)
    # - Real security enforcement comes from the 'pypi' environment which requires manual approval by org admin
    # - This provides a final gate before any code is published to PyPI
    needs: test
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/v')
    environment:
      name: pypi
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Need full history to check branch ancestry

      - name: Check if tag is on release branch
        run: |
          if ! git branch -r --contains ${{ github.ref }} | grep -q 'origin/release'; then
            echo "Error: Tag is not on release branch"
            exit 1
          fi
          echo "Tag verified to be on release branch"

      - name: Download distributions
        uses: actions/download-artifact@v4
        with:
          name: distributions
          path: dist/
      
      - name: Upload to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1        

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Publish to PyPI
on:
  release:
    types: [published]
 
permissions:
  id-token: write
  contents: read
jobs:
  test:
    timeout-minutes: 30
    uses: ./.github/workflows/quality.yml
  
  publish:
    timeout-minutes: 30
    # This job publishes to PyPI when a GitHub release is created with a tag starting with 'v' on the release branch.
    #
    # Requirements:
    # - Repository admin must create a release with a tag starting with 'v' (e.g., v1.2.3)
    # - The tag must be created on the 'release' branch
    # - The release branch is protected by rulesets requiring all changes go through PR review
    #
    # Security notes:
    # - The tag and branch checks in this job are soft checks (can be bypassed by modifying workflow)
    # - Real security enforcement comes from the 'pypi' environment which requires manual approval by org admin
    # - This provides a final gate before any code is published to PyPI
    needs: test
    runs-on: latchkey-small
    if: startsWith(github.ref, 'refs/tags/v')
    environment:
      name: pypi
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Need full history to check branch ancestry
 
      - name: Check if tag is on release branch
        run: |
          if ! git branch -r --contains ${{ github.ref }} | grep -q 'origin/release'; then
            echo "Error: Tag is not on release branch"
            exit 1
          fi
          echo "Tag verified to be on release branch"
 
      - name: Download distributions
        uses: actions/download-artifact@v4
        with:
          name: distributions
          path: dist/
      
      - name: Upload to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1        

What changed

1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

This workflow runs 2 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow