Skip to content
Latchkey

deploy workflow (pytest-dev/pytest)

The deploy workflow from pytest-dev/pytest, explained and optimized by Latchkey.

A

CI health: A - excellent

Point runs-on at Latchkey and get caching, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: pytest-dev/pytest.github/workflows/deploy.ymlLicense MITView source

What it does

This is the deploy workflow from the pytest-dev/pytest repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: deploy

on:
  workflow_dispatch:
    inputs:
      version:
        description: 'Release version'
        required: true
        default: '1.2.3'


# Set permissions at the job level.
permissions: {}

jobs:
  package:
    runs-on: ubuntu-latest
    env:
      SETUPTOOLS_SCM_PRETEND_VERSION_FOR_PYTEST: ${{ github.event.inputs.version }}
    timeout-minutes: 10

    # Required by attest-build-provenance-github.
    permissions:
      id-token: write
      attestations: write

    steps:
    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      with:
        fetch-depth: 0
        persist-credentials: false

    - name: Build and Check Package
      uses: hynek/build-and-inspect-python-package@d44ca7d91762de7a7d5436ddae667c6da6d1c3df
      with:
        attest-build-provenance-github: 'true'

  generate-gh-release-notes:
    needs: [package]
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: read
    steps:
    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      with:
        fetch-depth: 0
        persist-credentials: false

    - name: Set up Python
      uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
      with:
        python-version: "3.13"

    - name: Install tox
      run: |
        python -m pip install --upgrade pip
        pip install tox

    - name: Generate release notes
      env:
        VERSION: ${{ github.event.inputs.version }}
      run: |
        tox -e generate-gh-release-notes -- "$VERSION" gh-release-notes.md

    - name: Upload release notes
      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
      with:
        name: release-notes
        path: gh-release-notes.md
        retention-days: 1

  publish-to-pypi:
    if: github.repository == 'pytest-dev/pytest'
    # Need generate-gh-release-notes only for ordering.
    # Don't want to release to PyPI if generating GitHub release notes fails.
    needs: [package, generate-gh-release-notes]
    runs-on: ubuntu-latest
    environment: deploy
    timeout-minutes: 30
    permissions:
      id-token: write
    steps:
    - name: Download Package
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: Packages
        path: dist

    - name: Publish package to PyPI
      uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b
      with:
        attestations: true

  push-tag:
    needs: [publish-to-pypi]
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: write
    steps:
    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      with:
        fetch-depth: 0
        persist-credentials: true

    - name: Push tag
      env:
          VERSION: ${{ github.event.inputs.version }}
      run: |
        git config user.name "pytest bot"
        git config user.email "pytestbot@gmail.com"
        git tag --annotate --message=v"$VERSION" "$VERSION" ${{ github.sha }}
        git push origin "$VERSION"

  create-github-release:
    needs: [push-tag, generate-gh-release-notes]
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: write
    steps:
    - name: Download Package
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: Packages
        path: dist

    - name: Download release notes
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: release-notes
        path: .

    - name: Publish GitHub Release
      env:
        VERSION: ${{ github.event.inputs.version }}
        GH_REPO: ${{ github.repository }}
        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        gh release create --notes-file gh-release-notes.md --verify-tag "$VERSION" dist/*

The same workflow, on Latchkey

Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.

name: deploy
 
on:
  workflow_dispatch:
    inputs:
      version:
        description: 'Release version'
        required: true
        default: '1.2.3'
 
 
# Set permissions at the job level.
permissions: {}
 
jobs:
  package:
    runs-on: latchkey-small
    env:
      SETUPTOOLS_SCM_PRETEND_VERSION_FOR_PYTEST: ${{ github.event.inputs.version }}
    timeout-minutes: 10
 
    # Required by attest-build-provenance-github.
    permissions:
      id-token: write
      attestations: write
 
    steps:
    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      with:
        fetch-depth: 0
        persist-credentials: false
 
    - name: Build and Check Package
      uses: hynek/build-and-inspect-python-package@d44ca7d91762de7a7d5436ddae667c6da6d1c3df
      with:
        attest-build-provenance-github: 'true'
 
  generate-gh-release-notes:
    needs: [package]
    runs-on: latchkey-small
    timeout-minutes: 30
    permissions:
      contents: read
    steps:
    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      with:
        fetch-depth: 0
        persist-credentials: false
 
    - name: Set up Python
      uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
      with:
        cache: 'pip'
        python-version: "3.13"
 
    - name: Install tox
      run: |
        python -m pip install --upgrade pip
        pip install tox
 
    - name: Generate release notes
      env:
        VERSION: ${{ github.event.inputs.version }}
      run: |
        tox -e generate-gh-release-notes -- "$VERSION" gh-release-notes.md
 
    - name: Upload release notes
      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
      with:
        name: release-notes
        path: gh-release-notes.md
        retention-days: 1
 
  publish-to-pypi:
    if: github.repository == 'pytest-dev/pytest'
    # Need generate-gh-release-notes only for ordering.
    # Don't want to release to PyPI if generating GitHub release notes fails.
    needs: [package, generate-gh-release-notes]
    runs-on: latchkey-small
    environment: deploy
    timeout-minutes: 30
    permissions:
      id-token: write
    steps:
    - name: Download Package
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: Packages
        path: dist
 
    - name: Publish package to PyPI
      uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b
      with:
        attestations: true
 
  push-tag:
    needs: [publish-to-pypi]
    runs-on: latchkey-small
    timeout-minutes: 10
    permissions:
      contents: write
    steps:
    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      with:
        fetch-depth: 0
        persist-credentials: true
 
    - name: Push tag
      env:
          VERSION: ${{ github.event.inputs.version }}
      run: |
        git config user.name "pytest bot"
        git config user.email "pytestbot@gmail.com"
        git tag --annotate --message=v"$VERSION" "$VERSION" ${{ github.sha }}
        git push origin "$VERSION"
 
  create-github-release:
    needs: [push-tag, generate-gh-release-notes]
    runs-on: latchkey-small
    timeout-minutes: 10
    permissions:
      contents: write
    steps:
    - name: Download Package
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: Packages
        path: dist
 
    - name: Download release notes
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: release-notes
        path: .
 
    - name: Publish GitHub Release
      env:
        VERSION: ${{ github.event.inputs.version }}
        GH_REPO: ${{ github.repository }}
        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        gh release create --notes-file gh-release-notes.md --verify-tag "$VERSION" dist/*
 

What changed

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 5 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow