deploy workflow (pytest-dev/pytest)
The deploy workflow from pytest-dev/pytest, explained and optimized by Latchkey.
CI health: A - excellent
Point runs-on at Latchkey and get caching, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the deploy workflow from the pytest-dev/pytest repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: deploy
on:
workflow_dispatch:
inputs:
version:
description: 'Release version'
required: true
default: '1.2.3'
# Set permissions at the job level.
permissions: {}
jobs:
package:
runs-on: ubuntu-latest
env:
SETUPTOOLS_SCM_PRETEND_VERSION_FOR_PYTEST: ${{ github.event.inputs.version }}
timeout-minutes: 10
# Required by attest-build-provenance-github.
permissions:
id-token: write
attestations: write
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
persist-credentials: false
- name: Build and Check Package
uses: hynek/build-and-inspect-python-package@d44ca7d91762de7a7d5436ddae667c6da6d1c3df
with:
attest-build-provenance-github: 'true'
generate-gh-release-notes:
needs: [package]
runs-on: ubuntu-latest
timeout-minutes: 30
permissions:
contents: read
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
persist-credentials: false
- name: Set up Python
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
python-version: "3.13"
- name: Install tox
run: |
python -m pip install --upgrade pip
pip install tox
- name: Generate release notes
env:
VERSION: ${{ github.event.inputs.version }}
run: |
tox -e generate-gh-release-notes -- "$VERSION" gh-release-notes.md
- name: Upload release notes
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: release-notes
path: gh-release-notes.md
retention-days: 1
publish-to-pypi:
if: github.repository == 'pytest-dev/pytest'
# Need generate-gh-release-notes only for ordering.
# Don't want to release to PyPI if generating GitHub release notes fails.
needs: [package, generate-gh-release-notes]
runs-on: ubuntu-latest
environment: deploy
timeout-minutes: 30
permissions:
id-token: write
steps:
- name: Download Package
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: Packages
path: dist
- name: Publish package to PyPI
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b
with:
attestations: true
push-tag:
needs: [publish-to-pypi]
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
contents: write
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
persist-credentials: true
- name: Push tag
env:
VERSION: ${{ github.event.inputs.version }}
run: |
git config user.name "pytest bot"
git config user.email "pytestbot@gmail.com"
git tag --annotate --message=v"$VERSION" "$VERSION" ${{ github.sha }}
git push origin "$VERSION"
create-github-release:
needs: [push-tag, generate-gh-release-notes]
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
contents: write
steps:
- name: Download Package
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: Packages
path: dist
- name: Download release notes
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: release-notes
path: .
- name: Publish GitHub Release
env:
VERSION: ${{ github.event.inputs.version }}
GH_REPO: ${{ github.repository }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release create --notes-file gh-release-notes.md --verify-tag "$VERSION" dist/*
The same workflow, on Latchkey
Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.
name: deploy on: workflow_dispatch: inputs: version: description: 'Release version' required: true default: '1.2.3' # Set permissions at the job level. permissions: {} jobs: package: runs-on: latchkey-small env: SETUPTOOLS_SCM_PRETEND_VERSION_FOR_PYTEST: ${{ github.event.inputs.version }} timeout-minutes: 10 # Required by attest-build-provenance-github. permissions: id-token: write attestations: write steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 persist-credentials: false - name: Build and Check Package uses: hynek/build-and-inspect-python-package@d44ca7d91762de7a7d5436ddae667c6da6d1c3df with: attest-build-provenance-github: 'true' generate-gh-release-notes: needs: [package] runs-on: latchkey-small timeout-minutes: 30 permissions: contents: read steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 persist-credentials: false - name: Set up Python uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 with: cache: 'pip' python-version: "3.13" - name: Install tox run: | python -m pip install --upgrade pip pip install tox - name: Generate release notes env: VERSION: ${{ github.event.inputs.version }} run: | tox -e generate-gh-release-notes -- "$VERSION" gh-release-notes.md - name: Upload release notes uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: release-notes path: gh-release-notes.md retention-days: 1 publish-to-pypi: if: github.repository == 'pytest-dev/pytest' # Need generate-gh-release-notes only for ordering. # Don't want to release to PyPI if generating GitHub release notes fails. needs: [package, generate-gh-release-notes] runs-on: latchkey-small environment: deploy timeout-minutes: 30 permissions: id-token: write steps: - name: Download Package uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: Packages path: dist - name: Publish package to PyPI uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b with: attestations: true push-tag: needs: [publish-to-pypi] runs-on: latchkey-small timeout-minutes: 10 permissions: contents: write steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 persist-credentials: true - name: Push tag env: VERSION: ${{ github.event.inputs.version }} run: | git config user.name "pytest bot" git config user.email "pytestbot@gmail.com" git tag --annotate --message=v"$VERSION" "$VERSION" ${{ github.sha }} git push origin "$VERSION" create-github-release: needs: [push-tag, generate-gh-release-notes] runs-on: latchkey-small timeout-minutes: 10 permissions: contents: write steps: - name: Download Package uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: Packages path: dist - name: Download release notes uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: release-notes path: . - name: Publish GitHub Release env: VERSION: ${{ github.event.inputs.version }} GH_REPO: ${{ github.repository }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | gh release create --notes-file gh-release-notes.md --verify-tag "$VERSION" dist/*
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cache dependency installs on the setup step so they are served from cache.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- Dependency installs
This workflow runs 5 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.