CI/CD workflow (supabase/supabase-py)
The CI/CD workflow from supabase/supabase-py, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the CI/CD workflow from the supabase/supabase-py repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: CI/CD
on:
push:
paths-ignore:
- '.devcontainer/**'
- 'CHANGELOG.md'
- 'MAINTAINERS.md'
branches:
- main
pull_request:
workflow_dispatch:
permissions:
contents: read
id-token: write
jobs:
test:
name: py${{ matrix.python-version }} | ${{ matrix.package }} @ ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest]
python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
package: ["functions", "realtime", "storage", "auth", "postgrest", "supabase"]
runs-on: ${{ matrix.os }}
steps:
- name: Clone Repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Install supabase cli latest
uses: supabase/setup-cli@46f7f98c7f948ad727d22c1e67fab04c223a0520 # v3.0.0
with:
version: "latest"
github-token: ${{ github.token }}
- name: Install uv
uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2
with:
version: "0.8.2"
python-version: ${{ matrix.python-version }}
- name: Run Tests
run: make ${{ matrix.package }}.tests
- name: Upload coverage to Coveralls
uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
flag-name: run-${{ join(matrix.*, '-') }}
parallel: true
fail-on-error: false
finish_tests:
needs: test
name: Upload tests coveralls results
if: ${{ always() }}
runs-on: ubuntu-latest
steps:
- name: Coveralls Finished
uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
parallel-finished: true
fail-on-error: false
release-please:
needs: test
if: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' && github.repository_owner == 'supabase' }}
runs-on: ubuntu-latest
name: "Run release-please"
outputs:
should_publish: ${{ steps.release.outputs.release_created == 'true' }}
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
contents: write # needed for github actions bot to write to repo
pull-requests: write
steps:
- name: Generate token
id: app-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ secrets.GH_APP_ID }}
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
id: release
with:
token: ${{ steps.app-token.outputs.token }}
target-branch: ${{ github.ref_name }}
config-file: release-please-config.json
manifest-file: .release-please-manifest.json
publish:
needs: release-please
if: ${{ needs.release-please.outputs.should_publish == 'true' }}
runs-on: ubuntu-latest
name: "Publish to PyPi"
environment:
name: pypi
url: https://pypi.org/p/supabase
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
contents: write # needed for github actions bot to write to repo
steps:
- name: Clone Repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ github.ref }}
fetch-depth: 0
- name: Install uv
uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2
with:
version: "0.8.2"
python-version: "3.11"
- name: Build all packages and publish
run: make publish
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: CI/CD on: push: paths-ignore: - '.devcontainer/**' - 'CHANGELOG.md' - 'MAINTAINERS.md' branches: - main pull_request: workflow_dispatch: permissions: contents: read id-token: write concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: test: timeout-minutes: 30 name: py${{ matrix.python-version }} | ${{ matrix.package }} @ ${{ matrix.os }} strategy: matrix: os: [ubuntu-latest] python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"] package: ["functions", "realtime", "storage", "auth", "postgrest", "supabase"] runs-on: ${{ matrix.os }} steps: - name: Clone Repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install supabase cli latest uses: supabase/setup-cli@46f7f98c7f948ad727d22c1e67fab04c223a0520 # v3.0.0 with: version: "latest" github-token: ${{ github.token }} - name: Install uv uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2 with: version: "0.8.2" python-version: ${{ matrix.python-version }} - name: Run Tests run: make ${{ matrix.package }}.tests - name: Upload coverage to Coveralls uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7 with: github-token: ${{ secrets.GITHUB_TOKEN }} flag-name: run-${{ join(matrix.*, '-') }} parallel: true fail-on-error: false finish_tests: timeout-minutes: 30 needs: test name: Upload tests coveralls results if: ${{ always() }} runs-on: latchkey-small steps: - name: Coveralls Finished uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7 with: github-token: ${{ secrets.GITHUB_TOKEN }} parallel-finished: true fail-on-error: false release-please: timeout-minutes: 30 needs: test if: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' && github.repository_owner == 'supabase' }} runs-on: latchkey-small name: "Run release-please" outputs: should_publish: ${{ steps.release.outputs.release_created == 'true' }} permissions: id-token: write # IMPORTANT: this permission is mandatory for trusted publishing contents: write # needed for github actions bot to write to repo pull-requests: write steps: - name: Generate token id: app-token uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: app-id: ${{ secrets.GH_APP_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0 id: release with: token: ${{ steps.app-token.outputs.token }} target-branch: ${{ github.ref_name }} config-file: release-please-config.json manifest-file: .release-please-manifest.json publish: timeout-minutes: 30 needs: release-please if: ${{ needs.release-please.outputs.should_publish == 'true' }} runs-on: latchkey-small name: "Publish to PyPi" environment: name: pypi url: https://pypi.org/p/supabase permissions: id-token: write # IMPORTANT: this permission is mandatory for trusted publishing contents: write # needed for github actions bot to write to repo steps: - name: Clone Repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: ${{ github.ref }} fetch-depth: 0 - name: Install uv uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2 with: version: "0.8.2" python-version: "3.11" - name: Build all packages and publish run: make publish
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cancel superseded runs when a branch or PR gets a newer push.
- Add a job timeout so a hung step cannot burn hours of runner time.
This workflow runs 4 jobs (39 with the matrix expanded) per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.