Skip to content
Latchkey

Publish to PyPI workflow (torchbox/wagtailmedia)

The Publish to PyPI workflow from torchbox/wagtailmedia, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get caching, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: torchbox/wagtailmedia.github/workflows/publish.ymlLicense BSD-3-ClauseView source

What it does

This is the Publish to PyPI workflow from the torchbox/wagtailmedia repository, a real project running GitHub Actions. It is shown here with attribution under its BSD-3-Clause license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Publish to PyPI

on:
  release:
    types: [published]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions: {}

jobs:
  # https://docs.pypi.org/trusted-publishers/using-a-publisher/
  release:
    name: Publish to PyPI
    runs-on: ubuntu-latest
    if: github.repository_owner == 'torchbox' && github.event.action == 'published'
    environment:
      name: 'release'
      url: https://pypi.org/p/wagtailmedia
    permissions:
      contents: read # to fetch code (actions/checkout)
      id-token: write  # Mandatory for trusted publishing
    steps:
      - name: πŸ”’ Harden Runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411  # v2.19.4
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            ghcr.io:443
            pkg-containers.githubusercontent.com:443
            pypi.org:443
            upload.pypi.org:443
            files.pythonhosted.org:443
            fulcio.sigstore.dev:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false
          fetch-depth: 0

      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
        with:
          python-version: '3.14'

      - name: ⬇️ Install build dependencies
        run: |
          python -Im pip install -U flit

      - name: πŸ—οΈ Build
        run: python -Im flit build

      - name: πŸš€ Publish package distributions to PyPI
        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # v1.14.0

The same workflow, on Latchkey

Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.

name: Publish to PyPI
 
on:
  release:
    types: [published]
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
permissions: {}
 
jobs:
  # https://docs.pypi.org/trusted-publishers/using-a-publisher/
  release:
    timeout-minutes: 30
    name: Publish to PyPI
    runs-on: latchkey-small
    if: github.repository_owner == 'torchbox' && github.event.action == 'published'
    environment:
      name: 'release'
      url: https://pypi.org/p/wagtailmedia
    permissions:
      contents: read # to fetch code (actions/checkout)
      id-token: write  # Mandatory for trusted publishing
    steps:
      - name: πŸ”’ Harden Runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411  # v2.19.4
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            ghcr.io:443
            pkg-containers.githubusercontent.com:443
            pypi.org:443
            upload.pypi.org:443
            files.pythonhosted.org:443
            fulcio.sigstore.dev:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443
 
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false
          fetch-depth: 0
 
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
        with:
          cache: 'pip'
          python-version: '3.14'
 
      - name: ⬇️ Install build dependencies
        run: |
          python -Im pip install -U flit
 
      - name: πŸ—οΈ Build
        run: python -Im flit build
 
      - name: πŸš€ Publish package distributions to PyPI
        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # v1.14.0
 

What changed

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow