Validate workflow (RDFLib/rdflib)
The Validate workflow from RDFLib/rdflib, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get caching, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Validate workflow from the RDFLib/rdflib repository, a real project running GitHub Actions. It is shown here with attribution under its BSD-3-Clause license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Validate
on:
push:
branches: ["main"]
pull_request:
workflow_dispatch:
env:
FORCE_COLOR: 1
XDG_CACHE_HOME: ${{ github.workspace }}/.var/cache
POETRY_CACHE_DIR: ${{ github.workspace }}/.var/cache/pypoetry
PIP_CACHE_DIR: ${{ github.workspace }}/.var/cache/pip
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
validate:
permissions:
contents: read
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
python-version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
os: [ubuntu-latest, macos-latest, windows-latest]
# This is used for injecting additional tests for a specific python
# version and OS.
suffix: [""]
include:
- python-version: "3.8"
os: ubuntu-latest
extensive-tests: true
- python-version: "3.8"
os: ubuntu-latest
extensive-tests: true
PREPARATION: "sudo apt-get install -y libxml2-dev libxslt-dev"
suffix: "-min"
TOXENV_SUFFIX: "-min"
- python-version: "3.9"
os: ubuntu-latest
- python-version: "3.10"
os: ubuntu-latest
TOX_EXTRA_COMMAND: "- black --check --diff ./rdflib"
TOXENV_SUFFIX: "-lxml"
- python-version: "3.11"
os: ubuntu-latest
TOXENV_SUFFIX: "-docs"
TOX_PYTEST_EXTRA_ARGS: "-m 'not (testcontainer or webtest)'"
steps:
- uses: actions/checkout@v7
- name: Cache XDG_CACHE_HOME
uses: actions/cache@v6
with:
path: ${{ env.XDG_CACHE_HOME }}
key: ${{ github.job }}-xdg-v1-${{ matrix.os }}-${{ matrix.python-version }}-${{ hashFiles('**/pyproject.toml', '**/poetry.lock', '**/with-fuseki.sh', '**/*requirements*.txt', '**/*requirements*.in') }}
restore-keys: |
${{ github.job }}-xdg-v1-${{ matrix.os }}-${{ matrix.python-version }}-
${{ github.job }}-xdg-v1-${{ matrix.os }}-
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v6
with:
python-version: ${{ matrix.python-version }}
- name: Install poetry
run: |
pip install -r devtools/requirements-poetry.in
- uses: actions/setup-java@v5
if: ${{ matrix.extensive-tests }}
with:
distribution: "temurin"
java-version: "17"
- name: Install Task
uses: go-task/setup-task@v2
with:
version: 3.x
- name: Run preparation
if: ${{ matrix.PREPARATION }}
shell: bash
run: |
${{ matrix.PREPARATION }}
- name: Set testcontainer exclusion for non-Linux
if: ${{ matrix.os != 'ubuntu-latest' }}
shell: bash
run: |
if [ -z "${{ matrix.TOX_PYTEST_EXTRA_ARGS }}" ]; then
echo "TOX_PYTEST_EXTRA_ARGS=-m 'not testcontainer'" >> $GITHUB_ENV
fi
- name: Run validation
shell: bash
run: |
task \
OS=${{ matrix.os }} \
MATRIX_SUFFIX=${{ matrix.suffix }} \
EXTENSIVE=${{ matrix.extensive-tests || 'false' }} \
TOX_PYTHON_VERSION=${{ matrix.python-version }} \
TOXENV_SUFFIX=${{ matrix.TOXENV_SUFFIX }} \
TOX_JUNIT_XML_PREFIX=${{ matrix.python-version }}-${{ matrix.os }}${{matrix.suffix}}- \
gha:validate
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TOX_PYTEST_EXTRA_ARGS: ${{ matrix.TOX_PYTEST_EXTRA_ARGS || env.TOX_PYTEST_EXTRA_ARGS }}
TOX_TEST_HARNESS: ${{ matrix.TOX_TEST_HARNESS }}
TOX_EXTRA_COMMAND: ${{ matrix.TOX_EXTRA_COMMAND }}
- uses: actions/upload-artifact@v7
if: ${{ (success() || failure()) }}
with:
name: ${{ matrix.python-version }}-${{ matrix.os }}${{matrix.suffix}}-mypy-junit-xml
path: test_reports/${{ matrix.python-version }}-${{ matrix.os }}${{matrix.suffix}}-mypy-junit.xml
- uses: actions/upload-artifact@v7
if: ${{ (success() || failure()) }}
with:
name: ${{ matrix.python-version }}-${{ matrix.os }}${{matrix.suffix}}-pytest-junit-xml
path: test_reports/${{ matrix.python-version }}-${{ matrix.os }}${{matrix.suffix}}-pytest-junit.xml
extra-tasks:
permissions:
contents: read
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- task: "gha:lint"
python-version: 3.8
steps:
- uses: actions/checkout@v7
- name: Cache XDG_CACHE_HOME
uses: actions/cache@v6
with:
path: ${{ env.XDG_CACHE_HOME }}
key: ${{ github.job }}-xdg-v1-${{ matrix.os }}-${{ matrix.python-version }}-${{ hashFiles('**/pyproject.toml', '**/poetry.lock', '**/with-fuseki.sh', '**/*requirements*.txt', '**/*requirements*.in') }}
restore-keys: |
${{ github.job }}-xdg-v1-${{ matrix.os }}-${{ matrix.python-version }}-
${{ github.job }}-xdg-v1-${{ matrix.os }}-
- name: Set up Python ${{env.DEFAULT_PYTHON}}
uses: actions/setup-python@v6
with:
python-version: ${{ matrix.python-version }}
- name: Install poetry
run: |
pip install -r devtools/requirements-poetry.in
- name: Install Task
uses: go-task/setup-task@v2
with:
version: 3.x
- name: Run task
shell: bash
run: |
task ${{ matrix.task }}
finish:
permissions:
contents: read
needs: validate
runs-on: ubuntu-latest
steps:
- name: Coveralls Finished
uses: coverallsapp/github-action@master
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
parallel-finished: true
The same workflow, on Latchkey
Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.
name: Validate on: push: branches: ["main"] pull_request: workflow_dispatch: env: FORCE_COLOR: 1 XDG_CACHE_HOME: ${{ github.workspace }}/.var/cache POETRY_CACHE_DIR: ${{ github.workspace }}/.var/cache/pypoetry PIP_CACHE_DIR: ${{ github.workspace }}/.var/cache/pip concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: validate: timeout-minutes: 30 permissions: contents: read runs-on: ${{ matrix.os }} strategy: fail-fast: false matrix: python-version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"] os: [ubuntu-latest, macos-latest, windows-latest] # This is used for injecting additional tests for a specific python # version and OS. suffix: [""] include: - python-version: "3.8" os: ubuntu-latest extensive-tests: true - python-version: "3.8" os: ubuntu-latest extensive-tests: true PREPARATION: "sudo apt-get install -y libxml2-dev libxslt-dev" suffix: "-min" TOXENV_SUFFIX: "-min" - python-version: "3.9" os: ubuntu-latest - python-version: "3.10" os: ubuntu-latest TOX_EXTRA_COMMAND: "- black --check --diff ./rdflib" TOXENV_SUFFIX: "-lxml" - python-version: "3.11" os: ubuntu-latest TOXENV_SUFFIX: "-docs" TOX_PYTEST_EXTRA_ARGS: "-m 'not (testcontainer or webtest)'" steps: - uses: actions/checkout@v7 - name: Cache XDG_CACHE_HOME uses: actions/cache@v6 with: path: ${{ env.XDG_CACHE_HOME }} key: ${{ github.job }}-xdg-v1-${{ matrix.os }}-${{ matrix.python-version }}-${{ hashFiles('**/pyproject.toml', '**/poetry.lock', '**/with-fuseki.sh', '**/*requirements*.txt', '**/*requirements*.in') }} restore-keys: | ${{ github.job }}-xdg-v1-${{ matrix.os }}-${{ matrix.python-version }}- ${{ github.job }}-xdg-v1-${{ matrix.os }}- - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v6 with: cache: 'pip' python-version: ${{ matrix.python-version }} - name: Install poetry run: | pip install -r devtools/requirements-poetry.in - uses: actions/setup-java@v5 if: ${{ matrix.extensive-tests }} with: distribution: "temurin" java-version: "17" - name: Install Task uses: go-task/setup-task@v2 with: version: 3.x - name: Run preparation if: ${{ matrix.PREPARATION }} shell: bash run: | ${{ matrix.PREPARATION }} - name: Set testcontainer exclusion for non-Linux if: ${{ matrix.os != 'ubuntu-latest' }} shell: bash run: | if [ -z "${{ matrix.TOX_PYTEST_EXTRA_ARGS }}" ]; then echo "TOX_PYTEST_EXTRA_ARGS=-m 'not testcontainer'" >> $GITHUB_ENV fi - name: Run validation shell: bash run: | task \ OS=${{ matrix.os }} \ MATRIX_SUFFIX=${{ matrix.suffix }} \ EXTENSIVE=${{ matrix.extensive-tests || 'false' }} \ TOX_PYTHON_VERSION=${{ matrix.python-version }} \ TOXENV_SUFFIX=${{ matrix.TOXENV_SUFFIX }} \ TOX_JUNIT_XML_PREFIX=${{ matrix.python-version }}-${{ matrix.os }}${{matrix.suffix}}- \ gha:validate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} TOX_PYTEST_EXTRA_ARGS: ${{ matrix.TOX_PYTEST_EXTRA_ARGS || env.TOX_PYTEST_EXTRA_ARGS }} TOX_TEST_HARNESS: ${{ matrix.TOX_TEST_HARNESS }} TOX_EXTRA_COMMAND: ${{ matrix.TOX_EXTRA_COMMAND }} - uses: actions/upload-artifact@v7 if: ${{ (success() || failure()) }} with: name: ${{ matrix.python-version }}-${{ matrix.os }}${{matrix.suffix}}-mypy-junit-xml path: test_reports/${{ matrix.python-version }}-${{ matrix.os }}${{matrix.suffix}}-mypy-junit.xml - uses: actions/upload-artifact@v7 if: ${{ (success() || failure()) }} with: name: ${{ matrix.python-version }}-${{ matrix.os }}${{matrix.suffix}}-pytest-junit-xml path: test_reports/${{ matrix.python-version }}-${{ matrix.os }}${{matrix.suffix}}-pytest-junit.xml extra-tasks: timeout-minutes: 30 permissions: contents: read runs-on: latchkey-small strategy: fail-fast: false matrix: include: - task: "gha:lint" python-version: 3.8 steps: - uses: actions/checkout@v7 - name: Cache XDG_CACHE_HOME uses: actions/cache@v6 with: path: ${{ env.XDG_CACHE_HOME }} key: ${{ github.job }}-xdg-v1-${{ matrix.os }}-${{ matrix.python-version }}-${{ hashFiles('**/pyproject.toml', '**/poetry.lock', '**/with-fuseki.sh', '**/*requirements*.txt', '**/*requirements*.in') }} restore-keys: | ${{ github.job }}-xdg-v1-${{ matrix.os }}-${{ matrix.python-version }}- ${{ github.job }}-xdg-v1-${{ matrix.os }}- - name: Set up Python ${{env.DEFAULT_PYTHON}} uses: actions/setup-python@v6 with: cache: 'pip' python-version: ${{ matrix.python-version }} - name: Install poetry run: | pip install -r devtools/requirements-poetry.in - name: Install Task uses: go-task/setup-task@v2 with: version: 3.x - name: Run task shell: bash run: | task ${{ matrix.task }} finish: timeout-minutes: 30 permissions: contents: read needs: validate runs-on: latchkey-small steps: - name: Coveralls Finished uses: coverallsapp/github-action@master with: github-token: ${{ secrets.GITHUB_TOKEN }} parallel-finished: true
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cache dependency installs on the setup step so they are served from cache.
- Add a job timeout so a hung step cannot burn hours of runner time.
2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- Dependency installs
This workflow runs 3 jobs (23 with the matrix expanded) per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.