Skip to content
Latchkey

Publish to PyPI workflow (kr8s-org/kr8s)

The Publish to PyPI workflow from kr8s-org/kr8s, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get run de-duplication, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: kr8s-org/kr8s.github/workflows/release.yamlLicense BSD-3-ClauseView source

What it does

This is the Publish to PyPI workflow from the kr8s-org/kr8s repository, a real project running GitHub Actions. It is shown here with attribution under its BSD-3-Clause license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Publish to PyPI
on:
  push:
    tags:
      - "v*.*.*"
jobs:
  publish-kr8s:
    if: github.repository == 'kr8s-org/kr8s'
    runs-on: ubuntu-latest
    environment:
      name: pypi
      url: https://pypi.org/p/kr8s
    permissions:
      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Install uv
        uses: astral-sh/setup-uv@v6
      - name: Build package
        run: uv build
      - name: Publish kr8s
        uses: pypa/gh-action-pypi-publish@release/v1
  publish-kubectl-ng:
    if: github.repository == 'kr8s-org/kr8s'
    runs-on: ubuntu-latest
    needs: publish-kr8s
    timeout-minutes: 30
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - name: Install uv
        uses: astral-sh/setup-uv@v5
      - name: Set env
        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
      - name: Update kr8s pin in kubectl-ng
        run: |
          until false; do
            uv add --project examples/kubectl-ng kr8s==${RELEASE_VERSION} && break
            echo "Waiting for kr8s==${RELEASE_VERSION} to be available on PyPI..."
            sleep 15
          done
      - name: Push new pins back to the repo
        run: |
          git config --global user.name 'Kr8s Bot'
          git config --global user.email 'kr8s-bot@users.noreply.github.com'
          git commit -am "Bumping kubectl-ng pin to ${RELEASE_VERSION}"
          git push origin HEAD:main

          # Move the pin forward in our working copy to ensure the version is
          # dynamically generated correctly during publishing
          git tag -d ${RELEASE_VERSION} && git tag ${RELEASE_VERSION}
      - name: Publish kubectl-ng
        run: |
          uv build --project examples/kubectl-ng
          uv publish --project examples/kubectl-ng --token ${{ secrets.PYPI_TOKEN_KUBECTL_NG }}

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Publish to PyPI
on:
  push:
    tags:
      - "v*.*.*"
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  publish-kr8s:
    timeout-minutes: 30
    if: github.repository == 'kr8s-org/kr8s'
    runs-on: latchkey-small
    environment:
      name: pypi
      url: https://pypi.org/p/kr8s
    permissions:
      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Install uv
        uses: astral-sh/setup-uv@v6
      - name: Build package
        run: uv build
      - name: Publish kr8s
        uses: pypa/gh-action-pypi-publish@release/v1
  publish-kubectl-ng:
    if: github.repository == 'kr8s-org/kr8s'
    runs-on: latchkey-small
    needs: publish-kr8s
    timeout-minutes: 30
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - name: Install uv
        uses: astral-sh/setup-uv@v5
      - name: Set env
        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
      - name: Update kr8s pin in kubectl-ng
        run: |
          until false; do
            uv add --project examples/kubectl-ng kr8s==${RELEASE_VERSION} && break
            echo "Waiting for kr8s==${RELEASE_VERSION} to be available on PyPI..."
            sleep 15
          done
      - name: Push new pins back to the repo
        run: |
          git config --global user.name 'Kr8s Bot'
          git config --global user.email 'kr8s-bot@users.noreply.github.com'
          git commit -am "Bumping kubectl-ng pin to ${RELEASE_VERSION}"
          git push origin HEAD:main
 
          # Move the pin forward in our working copy to ensure the version is
          # dynamically generated correctly during publishing
          git tag -d ${RELEASE_VERSION} && git tag ${RELEASE_VERSION}
      - name: Publish kubectl-ng
        run: |
          uv build --project examples/kubectl-ng
          uv publish --project examples/kubectl-ng --token ${{ secrets.PYPI_TOKEN_KUBECTL_NG }}
 

What changed

2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

This workflow runs 2 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow