Deploy workflow (facebook/Ax)
The Deploy workflow from facebook/Ax, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get caching, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Deploy workflow from the facebook/Ax repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
# This workflows will upload a Python Package using Twine when a release is created
# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
name: Deploy
on:
release:
types: [published]
workflow_dispatch:
jobs:
tests-and-coverage-pinned:
name: Tests with pinned BoTorch
uses: ./.github/workflows/reusable_test.yml
with:
pinned_botorch: true
secrets: inherit
version-and-publish-website:
name: Version and Publish website
uses: ./.github/workflows/publish_website.yml
with:
new_version: ${{ github.event.release.tag_name }}
run_tutorials: true
pinned_botorch: true
permissions:
pages: write
id-token: write
contents: write
deploy:
needs: tests-and-coverage-pinned # only run if test step succeeds
runs-on: ubuntu-latest
env:
# `uv pip ...` requires venv by default. This skips that requirement.
UV_SYSTEM_PYTHON: 1
steps:
- uses: actions/checkout@v6
- name: Install uv
uses: astral-sh/setup-uv@v7
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.14"
- name: Install dependencies
run: |
# use stable Botorch
uv pip install -e ".[dev,mysql,notebook]"
uv pip install --upgrade build setuptools setuptools_scm wheel
- name: Fetch all history for all tags and branches
run: git fetch --prune --unshallow
- name: Build wheel
run: |
python -m build --sdist --wheel
- name: Deploy to PyPI
uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1.13
with:
user: __token__
password: ${{ secrets.PYPI_TOKEN }}
verbose: true
The same workflow, on Latchkey
Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.
# This workflows will upload a Python Package using Twine when a release is created # For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries name: Deploy on: release: types: [published] workflow_dispatch: jobs: tests-and-coverage-pinned: timeout-minutes: 30 name: Tests with pinned BoTorch uses: ./.github/workflows/reusable_test.yml with: pinned_botorch: true secrets: inherit version-and-publish-website: timeout-minutes: 30 name: Version and Publish website uses: ./.github/workflows/publish_website.yml with: new_version: ${{ github.event.release.tag_name }} run_tutorials: true pinned_botorch: true permissions: pages: write id-token: write contents: write deploy: timeout-minutes: 30 needs: tests-and-coverage-pinned # only run if test step succeeds runs-on: latchkey-small env: # `uv pip ...` requires venv by default. This skips that requirement. UV_SYSTEM_PYTHON: 1 steps: - uses: actions/checkout@v6 - name: Install uv uses: astral-sh/setup-uv@v7 - name: Set up Python uses: actions/setup-python@v6 with: cache: 'pip' python-version: "3.14" - name: Install dependencies run: | # use stable Botorch uv pip install -e ".[dev,mysql,notebook]" uv pip install --upgrade build setuptools setuptools_scm wheel - name: Fetch all history for all tags and branches run: git fetch --prune --unshallow - name: Build wheel run: | python -m build --sdist --wheel - name: Deploy to PyPI uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1.13 with: user: __token__ password: ${{ secrets.PYPI_TOKEN }} verbose: true
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cache dependency installs on the setup step so they are served from cache.
- Add a job timeout so a hung step cannot burn hours of runner time.
1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- Dependency installs
This workflow runs 3 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.