CI workflow (torchbox/wagtailmedia)
The CI workflow from torchbox/wagtailmedia, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get caching, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the CI workflow from the torchbox/wagtailmedia repository, a real project running GitHub Actions. It is shown here with attribution under its BSD-3-Clause license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions:
contents: read # to fetch code (actions/checkout)
env:
FORCE_COLOR: "1" # Make tools pretty.
TOX_TESTENV_PASSENV: FORCE_COLOR
PIP_DISABLE_PIP_VERSION_CHECK: "1"
PIP_NO_PYTHON_VERSION_WARNING: "1"
# Keep in sync with .pre-commit-config.yaml/default_language_version/python.
PYTHON_LATEST: "3.14" # because harden runner fails on the 3.14 download
jobs:
tests:
name: Python ${{ matrix.python-version }}
runs-on: ubuntu-latest
strategy:
matrix:
python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
steps:
- name: π Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
files.pythonhosted.org:443
objects.githubusercontent.com:443
github.com:443
pypi.org:443
api.github.com:443
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: π Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: ${{ matrix.python-version }}
- name: β¬οΈ Install dependencies
run: |
python -Im pip install --upgrade pip
python -Im pip install flit tox tox-gh-actions
- name: ποΈ Build wheel
run: python -Im flit build --format wheel
- name: π§ͺ Run tox targets for Python ${{ matrix.python-version }}
run: tox --installpkg ./dist/*.whl
- name: β¬οΈ Upload coverage data
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: coverage-data-${{ matrix.python-version }}
path: .coverage.*
if-no-files-found: ignore
include-hidden-files: true
retention-days: 1
coverage:
name: Combine & check coverage.
runs-on: ubuntu-latest
needs: tests
steps:
- name: π Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
files.pythonhosted.org:443
github.com:443
pypi.org:443
api.github.com:443
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
fetch-depth: 0
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
# Use latest Python, so it understands all syntax.
python-version: ${{env.PYTHON_LATEST}}
- run: python -Im pip install --upgrade coverage
- name: Download coverage data
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: coverage-data-*
merge-multiple: true
- name: οΌ Combine coverage
run: |
python -Im coverage combine
python -Im coverage html --skip-covered --skip-empty
python -Im coverage report
echo "## Coverage summary" >> $GITHUB_STEP_SUMMARY
python -Im coverage report --format=markdown >> $GITHUB_STEP_SUMMARY
- name: π Upload HTML report if check failed.
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: html-report
path: htmlcov
The same workflow, on Latchkey
Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.
name: CI on: push: branches: [main] pull_request: branches: [main] concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true permissions: contents: read # to fetch code (actions/checkout) env: FORCE_COLOR: "1" # Make tools pretty. TOX_TESTENV_PASSENV: FORCE_COLOR PIP_DISABLE_PIP_VERSION_CHECK: "1" PIP_NO_PYTHON_VERSION_WARNING: "1" # Keep in sync with .pre-commit-config.yaml/default_language_version/python. PYTHON_LATEST: "3.14" # because harden runner fails on the 3.14 download jobs: tests: timeout-minutes: 30 name: Python ${{ matrix.python-version }} runs-on: latchkey-small strategy: matrix: python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"] steps: - name: π Harden Runner uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo: true egress-policy: block allowed-endpoints: > files.pythonhosted.org:443 objects.githubusercontent.com:443 github.com:443 pypi.org:443 api.github.com:443 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: π Set up Python ${{ matrix.python-version }} uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: cache: 'pip' python-version: ${{ matrix.python-version }} - name: β¬οΈ Install dependencies run: | python -Im pip install --upgrade pip python -Im pip install flit tox tox-gh-actions - name: ποΈ Build wheel run: python -Im flit build --format wheel - name: π§ͺ Run tox targets for Python ${{ matrix.python-version }} run: tox --installpkg ./dist/*.whl - name: β¬οΈ Upload coverage data uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: coverage-data-${{ matrix.python-version }} path: .coverage.* if-no-files-found: ignore include-hidden-files: true retention-days: 1 coverage: timeout-minutes: 30 name: Combine & check coverage. runs-on: latchkey-small needs: tests steps: - name: π Harden Runner uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo: true egress-policy: block allowed-endpoints: > files.pythonhosted.org:443 github.com:443 pypi.org:443 api.github.com:443 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false fetch-depth: 0 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: cache: 'pip' # Use latest Python, so it understands all syntax. python-version: ${{env.PYTHON_LATEST}} - run: python -Im pip install --upgrade coverage - name: Download coverage data uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: coverage-data-* merge-multiple: true - name: οΌ Combine coverage run: | python -Im coverage combine python -Im coverage html --skip-covered --skip-empty python -Im coverage report echo "## Coverage summary" >> $GITHUB_STEP_SUMMARY python -Im coverage report --format=markdown >> $GITHUB_STEP_SUMMARY - name: π Upload HTML report if check failed. uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: html-report path: htmlcov
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cache dependency installs on the setup step so they are served from cache.
- Add a job timeout so a hung step cannot burn hours of runner time.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- Dependency installs
This workflow runs 2 jobs (6 with the matrix expanded) per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.