Python Tests workflow (oauthlib/oauthlib)
The Python Tests workflow from oauthlib/oauthlib, explained and optimized by Latchkey.
CI health: F - at risk
Point runs-on at Latchkey and get caching, run de-duplication, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Python Tests workflow from the oauthlib/oauthlib repository, a real project running GitHub Actions. It is shown here with attribution under its BSD-3-Clause license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Python Tests
run-name: Run Tests by ${{ github.actor }}
on: [push, pull_request, workflow_dispatch]
jobs:
tests:
env:
FORCE_COLOR: 1
strategy:
matrix:
python: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Set up Python ${{ matrix.python }}
uses: actions/setup-python@v6
with:
python-version: ${{ matrix.python }}
allow-prereleases: true
- name: Check out repository code
uses: actions/checkout@v5
with:
persist-credentials: false
- name: Install prereq
run: pip install tox coveralls
- name: Run python tests
run: tox -e ${{ matrix.python }}
- name: Coveralls
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COVERALLS_FLAG_NAME: ${{ matrix.python-version }}
COVERALLS_PARALLEL: true
run: coveralls
coveralls:
name: Indicate completion to coveralls.io
needs: tests
runs-on: ubuntu-latest
container: python:3-slim
permissions:
contents: read
steps:
- name: Finished
run: |
pip3 install --upgrade coveralls
coveralls --service=github --finish
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
docs:
strategy:
matrix:
toxenv: ["docs", "readme"]
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- run: sudo apt install -y graphviz
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.11"
- name: Check out repository code
uses: actions/checkout@v5
with:
persist-credentials: false
- name: Install prereq
run: pip install tox
- name: Run python tests
run: tox -e ${{ matrix.toxenv }}
build:
name: Build oauthlib distribution
needs:
- tests
- docs
- coveralls
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.11"
- name: Check out repository code
uses: actions/checkout@v5
with:
persist-credentials: false
- name: Install pypa/build
run: >-
python3 -m
pip install
build
--user
- name: Build wheel and tarball
run: python3 -m build
- name: Store the package's artifact
uses: actions/upload-artifact@v5
with:
name: python-package-distributions
path: dist/
pypi-publish:
if: success() && github.repository == 'oauthlib/oauthlib' && github.ref_type == 'tag'
needs:
- build
name: Upload release to PyPI
runs-on: ubuntu-latest
environment:
name: pypi
url: https://pypi.org/p/oauthlib
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
steps:
- name: Download all the dists
uses: actions/download-artifact@v6
with:
name: python-package-distributions
path: dist/
- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
The same workflow, on Latchkey
Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.
name: Python Tests run-name: Run Tests by ${{ github.actor }} on: [push, pull_request, workflow_dispatch] concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: tests: timeout-minutes: 30 env: FORCE_COLOR: 1 strategy: matrix: python: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"] runs-on: latchkey-small permissions: contents: read steps: - name: Set up Python ${{ matrix.python }} uses: actions/setup-python@v6 with: cache: 'pip' python-version: ${{ matrix.python }} allow-prereleases: true - name: Check out repository code uses: actions/checkout@v5 with: persist-credentials: false - name: Install prereq run: pip install tox coveralls - name: Run python tests run: tox -e ${{ matrix.python }} - name: Coveralls env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} COVERALLS_FLAG_NAME: ${{ matrix.python-version }} COVERALLS_PARALLEL: true run: coveralls coveralls: timeout-minutes: 30 name: Indicate completion to coveralls.io needs: tests runs-on: latchkey-small container: python:3-slim permissions: contents: read steps: - name: Finished run: | pip3 install --upgrade coveralls coveralls --service=github --finish env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} docs: timeout-minutes: 30 strategy: matrix: toxenv: ["docs", "readme"] runs-on: latchkey-small permissions: contents: read steps: - run: sudo apt install -y graphviz - name: Set up Python uses: actions/setup-python@v6 with: cache: 'pip' python-version: "3.11" - name: Check out repository code uses: actions/checkout@v5 with: persist-credentials: false - name: Install prereq run: pip install tox - name: Run python tests run: tox -e ${{ matrix.toxenv }} build: timeout-minutes: 30 name: Build oauthlib distribution needs: - tests - docs - coveralls runs-on: latchkey-small permissions: contents: read steps: - name: Set up Python uses: actions/setup-python@v6 with: cache: 'pip' python-version: "3.11" - name: Check out repository code uses: actions/checkout@v5 with: persist-credentials: false - name: Install pypa/build run: >- python3 -m pip install build --user - name: Build wheel and tarball run: python3 -m build - name: Store the package's artifact uses: actions/upload-artifact@v5 with: name: python-package-distributions path: dist/ pypi-publish: timeout-minutes: 30 if: success() && github.repository == 'oauthlib/oauthlib' && github.ref_type == 'tag' needs: - build name: Upload release to PyPI runs-on: latchkey-small environment: name: pypi url: https://pypi.org/p/oauthlib permissions: id-token: write # IMPORTANT: this permission is mandatory for trusted publishing steps: - name: Download all the dists uses: actions/download-artifact@v6 with: name: python-package-distributions path: dist/ - name: Publish package distributions to PyPI uses: pypa/gh-action-pypi-publish@release/v1
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cancel superseded runs when a branch or PR gets a newer push.
- Cache dependency installs on the setup step so they are served from cache.
- Add a job timeout so a hung step cannot burn hours of runner time.
1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- Dependency installs
This workflow runs 5 jobs (11 with the matrix expanded) per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.