Skip to content
Latchkey

cd-sdist workflow (mpi4py/mpi4py)

The cd-sdist workflow from mpi4py/mpi4py, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get caching, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: mpi4py/mpi4py.github/workflows/cd-sdist.ymlLicense BSD-3-ClauseView source

What it does

This is the cd-sdist workflow from the mpi4py/mpi4py repository, a real project running GitHub Actions. It is shown here with attribution under its BSD-3-Clause license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: cd-sdist

on:  # yamllint disable-line rule:truthy
  workflow_call:
  workflow_dispatch:

permissions:
  contents: read

jobs:

  sdist:
    runs-on: ubuntu-latest
    steps:

    - uses: step-security/harden-runner@v2
      with:
        egress-policy: audit

    - id: checkout
      uses: actions/checkout@v7

    - id: source-date-epoch
      run: |
        # source-date-epoch
        SOURCE_DATE_EPOCH=$(git log -1 --pretty=%at)
        echo SOURCE_DATE_EPOCH=$SOURCE_DATE_EPOCH >> $GITHUB_ENV
        echo $(git log -1 --pretty=%ai) [timestamp=$SOURCE_DATE_EPOCH]

    - id: setup-python
      uses: actions/setup-python@v6
      with:
        python-version: 3
        pip-install: build twine

    - id: build
      run: python -m build --sdist

    - id: check
      run: python -m twine check dist/*.tar.gz

    - id: upload
      uses: actions/upload-artifact@v7
      with:
        name: sdist
        path: dist/*.tar.gz

    - id: report
      run: |
        artifact='Artifact: <${{ steps.upload.outputs.artifact-url }}>'
        echo $artifact >> $GITHUB_STEP_SUMMARY
        echo '```'     >> $GITHUB_STEP_SUMMARY
        sha256sum -b * >> $GITHUB_STEP_SUMMARY
        echo '```'     >> $GITHUB_STEP_SUMMARY
      shell: bash
      working-directory: dist

The same workflow, on Latchkey

Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.

name: cd-sdist
 
on:  # yamllint disable-line rule:truthy
  workflow_call:
  workflow_dispatch:
 
permissions:
  contents: read
 
jobs:
 
  sdist:
    timeout-minutes: 30
    runs-on: latchkey-small
    steps:
 
    - uses: step-security/harden-runner@v2
      with:
        egress-policy: audit
 
    - id: checkout
      uses: actions/checkout@v7
 
    - id: source-date-epoch
      run: |
        # source-date-epoch
        SOURCE_DATE_EPOCH=$(git log -1 --pretty=%at)
        echo SOURCE_DATE_EPOCH=$SOURCE_DATE_EPOCH >> $GITHUB_ENV
        echo $(git log -1 --pretty=%ai) [timestamp=$SOURCE_DATE_EPOCH]
 
    - id: setup-python
      uses: actions/setup-python@v6
      with:
        cache: 'pip'
        python-version: 3
        pip-install: build twine
 
    - id: build
      run: python -m build --sdist
 
    - id: check
      run: python -m twine check dist/*.tar.gz
 
    - id: upload
      uses: actions/upload-artifact@v7
      with:
        name: sdist
        path: dist/*.tar.gz
 
    - id: report
      run: |
        artifact='Artifact: <${{ steps.upload.outputs.artifact-url }}>'
        echo $artifact >> $GITHUB_STEP_SUMMARY
        echo '```'     >> $GITHUB_STEP_SUMMARY
        sha256sum -b * >> $GITHUB_STEP_SUMMARY
        echo '```'     >> $GITHUB_STEP_SUMMARY
      shell: bash
      working-directory: dist
 

What changed

1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow