Skip to content
Latchkey

CI/CD workflow (supabase/supabase-py)

The CI/CD workflow from supabase/supabase-py, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: supabase/supabase-py.github/workflows/ci.ymlLicense MITView source

What it does

This is the CI/CD workflow from the supabase/supabase-py repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: CI/CD

on:
  push:
    paths-ignore:
      - '.devcontainer/**'
      - 'CHANGELOG.md'
      - 'MAINTAINERS.md'
    branches:
      - main
  pull_request:
  workflow_dispatch:

permissions:
  contents: read
  id-token: write

jobs:
  test:
    name: py${{ matrix.python-version }} | ${{ matrix.package }} @ ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest]
        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
        package: ["functions", "realtime", "storage", "auth", "postgrest", "supabase"]
    runs-on: ${{ matrix.os }}
    steps:
      - name: Clone Repository
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

      - name: Install supabase cli latest
        uses: supabase/setup-cli@46f7f98c7f948ad727d22c1e67fab04c223a0520 # v3.0.0
        with:
          version: "latest"
          github-token: ${{ github.token }}

      - name: Install uv
        uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2
        with:
          version: "0.8.2"
          python-version: ${{ matrix.python-version }}

      - name: Run Tests
        run: make ${{ matrix.package }}.tests

      - name: Upload coverage to Coveralls
        uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          flag-name: run-${{ join(matrix.*, '-') }}
          parallel: true
          fail-on-error: false

  finish_tests:
    needs: test
    name: Upload tests coveralls results
    if: ${{ always() }}
    runs-on: ubuntu-latest
    steps:
      - name: Coveralls Finished
        uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          parallel-finished: true
          fail-on-error: false

  release-please:
    needs: test
    if: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' && github.repository_owner == 'supabase' }}
    runs-on: ubuntu-latest
    name: "Run release-please"
    outputs:
      should_publish: ${{ steps.release.outputs.release_created == 'true' }}
    permissions:
      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
      contents: write # needed for github actions bot to write to repo
      pull-requests: write
    steps:
      - name: Generate token
        id: app-token
        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
        id: release
        with:
          token: ${{ steps.app-token.outputs.token }}
          target-branch: ${{ github.ref_name }}
          config-file: release-please-config.json
          manifest-file: .release-please-manifest.json
  publish:
    needs: release-please
    if: ${{ needs.release-please.outputs.should_publish == 'true' }}
    runs-on: ubuntu-latest
    name: "Publish to PyPi"
    environment:
      name: pypi
      url: https://pypi.org/p/supabase
    permissions:
      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
      contents: write # needed for github actions bot to write to repo
    steps:
      - name: Clone Repository
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          ref: ${{ github.ref }}
          fetch-depth: 0

      - name: Install uv
        uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2
        with:
          version: "0.8.2"
          python-version: "3.11"

      - name: Build all packages and publish
        run: make publish

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: CI/CD
 
on:
  push:
    paths-ignore:
      - '.devcontainer/**'
      - 'CHANGELOG.md'
      - 'MAINTAINERS.md'
    branches:
      - main
  pull_request:
  workflow_dispatch:
 
permissions:
  contents: read
  id-token: write
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  test:
    timeout-minutes: 30
    name: py${{ matrix.python-version }} | ${{ matrix.package }} @ ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest]
        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
        package: ["functions", "realtime", "storage", "auth", "postgrest", "supabase"]
    runs-on: ${{ matrix.os }}
    steps:
      - name: Clone Repository
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
      - name: Install supabase cli latest
        uses: supabase/setup-cli@46f7f98c7f948ad727d22c1e67fab04c223a0520 # v3.0.0
        with:
          version: "latest"
          github-token: ${{ github.token }}
 
      - name: Install uv
        uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2
        with:
          version: "0.8.2"
          python-version: ${{ matrix.python-version }}
 
      - name: Run Tests
        run: make ${{ matrix.package }}.tests
 
      - name: Upload coverage to Coveralls
        uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          flag-name: run-${{ join(matrix.*, '-') }}
          parallel: true
          fail-on-error: false
 
  finish_tests:
    timeout-minutes: 30
    needs: test
    name: Upload tests coveralls results
    if: ${{ always() }}
    runs-on: latchkey-small
    steps:
      - name: Coveralls Finished
        uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          parallel-finished: true
          fail-on-error: false
 
  release-please:
    timeout-minutes: 30
    needs: test
    if: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' && github.repository_owner == 'supabase' }}
    runs-on: latchkey-small
    name: "Run release-please"
    outputs:
      should_publish: ${{ steps.release.outputs.release_created == 'true' }}
    permissions:
      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
      contents: write # needed for github actions bot to write to repo
      pull-requests: write
    steps:
      - name: Generate token
        id: app-token
        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
        id: release
        with:
          token: ${{ steps.app-token.outputs.token }}
          target-branch: ${{ github.ref_name }}
          config-file: release-please-config.json
          manifest-file: .release-please-manifest.json
  publish:
    timeout-minutes: 30
    needs: release-please
    if: ${{ needs.release-please.outputs.should_publish == 'true' }}
    runs-on: latchkey-small
    name: "Publish to PyPi"
    environment:
      name: pypi
      url: https://pypi.org/p/supabase
    permissions:
      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
      contents: write # needed for github actions bot to write to repo
    steps:
      - name: Clone Repository
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          ref: ${{ github.ref }}
          fetch-depth: 0
 
      - name: Install uv
        uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2
        with:
          version: "0.8.2"
          python-version: "3.11"
 
      - name: Build all packages and publish
        run: make publish
 

What changed

This workflow runs 4 jobs (39 with the matrix expanded) per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow