Publish Python package to PyPI workflow (stanford-crfm/helm)
The Publish Python package to PyPI workflow from stanford-crfm/helm, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get caching, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Publish Python package to PyPI workflow from the stanford-crfm/helm repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
# This workflow will upload a Python Package using Twine when a release is created
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries
name: Publish Python package to PyPI
on:
release:
types: [published]
permissions:
contents: read
jobs:
pypi-publish:
name: Publish Python package to PyPI
runs-on: ubuntu-latest
environment:
name: pypi
url: https://pypi.org/p/crfm-helm
permissions:
id-token: write
steps:
- name: Check out repository
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install uv
uses: astral-sh/setup-uv@v6
with:
version: "0.9.4"
- name: Build
run: uv build
- name: helm-run (wheel)
run: uv run --isolated --no-project --with dist/*.whl helm-run --run-entries simple1:model=simple/model1 --max-eval-instances 10 --suite test
- name: helm-summarize (wheel)
run: uv run --isolated --no-project --with dist/*.whl helm-summarize --suite test
- name: helm-server (wheel)
run: uv run --isolated --no-project --with dist/*.whl helm-server --help
- name: helm-run (source distribution)
run: uv run --isolated --no-project --with dist/*.tar.gz helm-run --run-entries simple1:model=simple/model1 --max-eval-instances 10 --suite test
- name: helm-summarize (source distribution)
run: uv run --isolated --no-project --with dist/*.tar.gz helm-summarize --suite test
- name: helm-server (source distribution)
run: uv run --isolated --no-project --with dist/*.tar.gz helm-server --help
- name: Publish package
uses: pypa/gh-action-pypi-publish@release/v1
The same workflow, on Latchkey
Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.
# This workflow will upload a Python Package using Twine when a release is created # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries name: Publish Python package to PyPI on: release: types: [published] permissions: contents: read jobs: pypi-publish: timeout-minutes: 30 name: Publish Python package to PyPI runs-on: latchkey-small environment: name: pypi url: https://pypi.org/p/crfm-helm permissions: id-token: write steps: - name: Check out repository uses: actions/checkout@v4 - name: Set up Python uses: actions/setup-python@v5 with: cache: 'pip' python-version: "3.12" - name: Install uv uses: astral-sh/setup-uv@v6 with: version: "0.9.4" - name: Build run: uv build - name: helm-run (wheel) run: uv run --isolated --no-project --with dist/*.whl helm-run --run-entries simple1:model=simple/model1 --max-eval-instances 10 --suite test - name: helm-summarize (wheel) run: uv run --isolated --no-project --with dist/*.whl helm-summarize --suite test - name: helm-server (wheel) run: uv run --isolated --no-project --with dist/*.whl helm-server --help - name: helm-run (source distribution) run: uv run --isolated --no-project --with dist/*.tar.gz helm-run --run-entries simple1:model=simple/model1 --max-eval-instances 10 --suite test - name: helm-summarize (source distribution) run: uv run --isolated --no-project --with dist/*.tar.gz helm-summarize --suite test - name: helm-server (source distribution) run: uv run --isolated --no-project --with dist/*.tar.gz helm-server --help - name: Publish package uses: pypa/gh-action-pypi-publish@release/v1
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cache dependency installs on the setup step so they are served from cache.
- Add a job timeout so a hung step cannot burn hours of runner time.
2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.