Skip to content
Latchkey

Release workflow (python-social-auth/social-core)

The Release workflow from python-social-auth/social-core, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: python-social-auth/social-core.github/workflows/release.ymlLicense BSD-3-ClauseView source

What it does

This is the Release workflow from the python-social-auth/social-core repository, a real project running GitHub Actions. It is shown here with attribution under its BSD-3-Clause license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Release

on:
  push:
  pull_request:

permissions:
  contents: read

jobs:
  build-wheel:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      with:
        persist-credentials: false
    - uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2

    - name: Build wheel
      run: uv build --wheel

    - name: Upload wheel
      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
      with:
        name: dist-wheel
        path: dist/*.whl
        if-no-files-found: error

  build-sdist:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      with:
        persist-credentials: false
    - uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2

    - name: Build source distribution
      run: uv build --sdist

    - name: Upload source distribution
      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
      with:
        name: dist-sdist
        path: dist/*.tar.gz
        if-no-files-found: error

  lint-dist:
    runs-on: ubuntu-latest
    needs:
    - build-wheel
    - build-sdist
    steps:
    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      with:
        persist-credentials: false
    - uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2

    - name: Download distributions
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        pattern: dist-*
        path: dist
        merge-multiple: true

    - name: Verify wheel install
      run: |
        uv venv .venv-install-whl
        source .venv-install-whl/bin/activate
        uv pip install dist/*.whl

    - name: Verify source install
      run: |
        uv venv .venv-install-tar
        source .venv-install-tar/bin/activate
        uv pip install dist/*.tar.gz

    - name: Check package metadata
      run: uvx twine check dist/*

    - name: Check distribution contents
      run: uvx pydistcheck --inspect dist/*

    - name: Check source metadata
      run: uvx pyroma dist/*.tar.gz

    - name: Check wheel contents
      run: uvx check-wheel-contents dist/*.whl

    - name: Check source manifest
      run: uvx check-manifest -v

  publish-pypi:
    runs-on: ubuntu-latest
    needs: lint-dist
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    permissions:
      id-token: write
    steps:
    - uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2

    - name: Download distributions
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        pattern: dist-*
        path: dist
        merge-multiple: true

    - name: Publish to PyPI
      run: uv publish --trusted-publishing always

  publish-github-release:
    runs-on: ubuntu-latest
    needs: lint-dist
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    permissions:
      contents: write
    steps:
    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      with:
        persist-credentials: false

    - name: Download distributions
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        pattern: dist-*
        path: dist
        merge-multiple: true

    - name: Extract release notes
      env:
        TAG_NAME: ${{ github.ref_name }}
      run: |
        version="${TAG_NAME#v}"
        awk -v version="$version" '
          index($0, "## [" version "]") == 1 { in_section = 1; next }
          in_section && /^## / { exit }
          in_section { print }
        ' CHANGELOG.md > release-notes.md
        sed -i '1{/^$/d;}' release-notes.md
        if ! grep -q '[^[:space:]]' release-notes.md; then
          echo "No CHANGELOG.md section found for ${version}" >&2
          exit 1
        fi

    - name: Update GitHub release notes
      env:
        GH_TOKEN: ${{ github.token }}
        TAG_NAME: ${{ github.ref_name }}
      run: gh release edit "$TAG_NAME" --notes-file release-notes.md

    - name: Upload GitHub release assets
      env:
        GH_TOKEN: ${{ github.token }}
        TAG_NAME: ${{ github.ref_name }}
      run: gh release upload "$TAG_NAME" dist/*.whl dist/*.tar.gz --clobber

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Release
 
on:
  push:
  pull_request:
 
permissions:
  contents: read
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  build-wheel:
    timeout-minutes: 30
    runs-on: latchkey-small
    steps:
    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      with:
        persist-credentials: false
    - uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2
 
    - name: Build wheel
      run: uv build --wheel
 
    - name: Upload wheel
      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
      with:
        name: dist-wheel
        path: dist/*.whl
        if-no-files-found: error
 
  build-sdist:
    timeout-minutes: 30
    runs-on: latchkey-small
    steps:
    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      with:
        persist-credentials: false
    - uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2
 
    - name: Build source distribution
      run: uv build --sdist
 
    - name: Upload source distribution
      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
      with:
        name: dist-sdist
        path: dist/*.tar.gz
        if-no-files-found: error
 
  lint-dist:
    timeout-minutes: 30
    runs-on: latchkey-small
    needs:
    - build-wheel
    - build-sdist
    steps:
    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      with:
        persist-credentials: false
    - uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2
 
    - name: Download distributions
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        pattern: dist-*
        path: dist
        merge-multiple: true
 
    - name: Verify wheel install
      run: |
        uv venv .venv-install-whl
        source .venv-install-whl/bin/activate
        uv pip install dist/*.whl
 
    - name: Verify source install
      run: |
        uv venv .venv-install-tar
        source .venv-install-tar/bin/activate
        uv pip install dist/*.tar.gz
 
    - name: Check package metadata
      run: uvx twine check dist/*
 
    - name: Check distribution contents
      run: uvx pydistcheck --inspect dist/*
 
    - name: Check source metadata
      run: uvx pyroma dist/*.tar.gz
 
    - name: Check wheel contents
      run: uvx check-wheel-contents dist/*.whl
 
    - name: Check source manifest
      run: uvx check-manifest -v
 
  publish-pypi:
    timeout-minutes: 30
    runs-on: latchkey-small
    needs: lint-dist
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    permissions:
      id-token: write
    steps:
    - uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2
 
    - name: Download distributions
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        pattern: dist-*
        path: dist
        merge-multiple: true
 
    - name: Publish to PyPI
      run: uv publish --trusted-publishing always
 
  publish-github-release:
    timeout-minutes: 30
    runs-on: latchkey-small
    needs: lint-dist
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    permissions:
      contents: write
    steps:
    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      with:
        persist-credentials: false
 
    - name: Download distributions
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        pattern: dist-*
        path: dist
        merge-multiple: true
 
    - name: Extract release notes
      env:
        TAG_NAME: ${{ github.ref_name }}
      run: |
        version="${TAG_NAME#v}"
        awk -v version="$version" '
          index($0, "## [" version "]") == 1 { in_section = 1; next }
          in_section && /^## / { exit }
          in_section { print }
        ' CHANGELOG.md > release-notes.md
        sed -i '1{/^$/d;}' release-notes.md
        if ! grep -q '[^[:space:]]' release-notes.md; then
          echo "No CHANGELOG.md section found for ${version}" >&2
          exit 1
        fi
 
    - name: Update GitHub release notes
      env:
        GH_TOKEN: ${{ github.token }}
        TAG_NAME: ${{ github.ref_name }}
      run: gh release edit "$TAG_NAME" --notes-file release-notes.md
 
    - name: Upload GitHub release assets
      env:
        GH_TOKEN: ${{ github.token }}
        TAG_NAME: ${{ github.ref_name }}
      run: gh release upload "$TAG_NAME" dist/*.whl dist/*.tar.gz --clobber
 

What changed

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 5 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow