cd-sdist workflow (mpi4py/mpi4py)
The cd-sdist workflow from mpi4py/mpi4py, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get caching, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the cd-sdist workflow from the mpi4py/mpi4py repository, a real project running GitHub Actions. It is shown here with attribution under its BSD-3-Clause license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: cd-sdist
on: # yamllint disable-line rule:truthy
workflow_call:
workflow_dispatch:
permissions:
contents: read
jobs:
sdist:
runs-on: ubuntu-latest
steps:
- uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: checkout
uses: actions/checkout@v7
- id: source-date-epoch
run: |
# source-date-epoch
SOURCE_DATE_EPOCH=$(git log -1 --pretty=%at)
echo SOURCE_DATE_EPOCH=$SOURCE_DATE_EPOCH >> $GITHUB_ENV
echo $(git log -1 --pretty=%ai) [timestamp=$SOURCE_DATE_EPOCH]
- id: setup-python
uses: actions/setup-python@v6
with:
python-version: 3
pip-install: build twine
- id: build
run: python -m build --sdist
- id: check
run: python -m twine check dist/*.tar.gz
- id: upload
uses: actions/upload-artifact@v7
with:
name: sdist
path: dist/*.tar.gz
- id: report
run: |
artifact='Artifact: <${{ steps.upload.outputs.artifact-url }}>'
echo $artifact >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
sha256sum -b * >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
shell: bash
working-directory: dist
The same workflow, on Latchkey
Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.
name: cd-sdist on: # yamllint disable-line rule:truthy workflow_call: workflow_dispatch: permissions: contents: read jobs: sdist: timeout-minutes: 30 runs-on: latchkey-small steps: - uses: step-security/harden-runner@v2 with: egress-policy: audit - id: checkout uses: actions/checkout@v7 - id: source-date-epoch run: | # source-date-epoch SOURCE_DATE_EPOCH=$(git log -1 --pretty=%at) echo SOURCE_DATE_EPOCH=$SOURCE_DATE_EPOCH >> $GITHUB_ENV echo $(git log -1 --pretty=%ai) [timestamp=$SOURCE_DATE_EPOCH] - id: setup-python uses: actions/setup-python@v6 with: cache: 'pip' python-version: 3 pip-install: build twine - id: build run: python -m build --sdist - id: check run: python -m twine check dist/*.tar.gz - id: upload uses: actions/upload-artifact@v7 with: name: sdist path: dist/*.tar.gz - id: report run: | artifact='Artifact: <${{ steps.upload.outputs.artifact-url }}>' echo $artifact >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY sha256sum -b * >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY shell: bash working-directory: dist
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cache dependency installs on the setup step so they are served from cache.
- Add a job timeout so a hung step cannot burn hours of runner time.
1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.