Skip to content
Latchkey

CI workflow (torchbox/wagtailmedia)

The CI workflow from torchbox/wagtailmedia, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get caching, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: torchbox/wagtailmedia.github/workflows/test.ymlLicense BSD-3-ClauseView source

What it does

This is the CI workflow from the torchbox/wagtailmedia repository, a real project running GitHub Actions. It is shown here with attribution under its BSD-3-Clause license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

permissions:
  contents: read # to fetch code (actions/checkout)

env:
  FORCE_COLOR: "1" # Make tools pretty.
  TOX_TESTENV_PASSENV: FORCE_COLOR
  PIP_DISABLE_PIP_VERSION_CHECK: "1"
  PIP_NO_PYTHON_VERSION_WARNING: "1"
  # Keep in sync with .pre-commit-config.yaml/default_language_version/python.
  PYTHON_LATEST: "3.14"  # because harden runner fails on the 3.14 download

jobs:
  tests:
    name: Python ${{ matrix.python-version }}
    runs-on: ubuntu-latest

    strategy:
      matrix:
        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]

    steps:
      - name: πŸ”’ Harden Runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411  # v2.19.4
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            files.pythonhosted.org:443
            objects.githubusercontent.com:443
            github.com:443
            pypi.org:443
            api.github.com:443
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false
      - name: 🐍 Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
        with:
          python-version: ${{ matrix.python-version }}

      - name: ⬇️ Install dependencies
        run: |
          python -Im pip install --upgrade pip
          python -Im pip install flit tox tox-gh-actions

      - name: πŸ—οΈ Build wheel
        run: python -Im flit build --format wheel

      - name: πŸ§ͺ Run tox targets for Python ${{ matrix.python-version }}
        run: tox --installpkg ./dist/*.whl

      - name: ⬆️ Upload coverage data
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
        with:
          name: coverage-data-${{ matrix.python-version }}
          path: .coverage.*
          if-no-files-found: ignore
          include-hidden-files: true
          retention-days: 1

  coverage:
    name: Combine & check coverage.
    runs-on: ubuntu-latest
    needs: tests

    steps:
      - name: πŸ”’ Harden Runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411  # v2.19.4
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443
            api.github.com:443
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false
          fetch-depth: 0
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
        with:
          # Use latest Python, so it understands all syntax.
          python-version: ${{env.PYTHON_LATEST}}

      - run: python -Im pip install --upgrade coverage

      - name: Download coverage data
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
        with:
          pattern: coverage-data-*
          merge-multiple: true

      - name: οΌ‹  Combine coverage
        run: |
          python -Im coverage combine
          python -Im coverage html --skip-covered --skip-empty
          python -Im coverage report
          echo "## Coverage summary" >> $GITHUB_STEP_SUMMARY
          python -Im coverage report --format=markdown >> $GITHUB_STEP_SUMMARY
      - name: πŸ“ˆ Upload HTML report if check failed.
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
        with:
          name: html-report
          path: htmlcov

The same workflow, on Latchkey

Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.

name: CI
 
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
 
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 
permissions:
  contents: read # to fetch code (actions/checkout)
 
env:
  FORCE_COLOR: "1" # Make tools pretty.
  TOX_TESTENV_PASSENV: FORCE_COLOR
  PIP_DISABLE_PIP_VERSION_CHECK: "1"
  PIP_NO_PYTHON_VERSION_WARNING: "1"
  # Keep in sync with .pre-commit-config.yaml/default_language_version/python.
  PYTHON_LATEST: "3.14"  # because harden runner fails on the 3.14 download
 
jobs:
  tests:
    timeout-minutes: 30
    name: Python ${{ matrix.python-version }}
    runs-on: latchkey-small
 
    strategy:
      matrix:
        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
 
    steps:
      - name: πŸ”’ Harden Runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411  # v2.19.4
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            files.pythonhosted.org:443
            objects.githubusercontent.com:443
            github.com:443
            pypi.org:443
            api.github.com:443
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false
      - name: 🐍 Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
        with:
          cache: 'pip'
          python-version: ${{ matrix.python-version }}
 
      - name: ⬇️ Install dependencies
        run: |
          python -Im pip install --upgrade pip
          python -Im pip install flit tox tox-gh-actions
 
      - name: πŸ—οΈ Build wheel
        run: python -Im flit build --format wheel
 
      - name: πŸ§ͺ Run tox targets for Python ${{ matrix.python-version }}
        run: tox --installpkg ./dist/*.whl
 
      - name: ⬆️ Upload coverage data
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
        with:
          name: coverage-data-${{ matrix.python-version }}
          path: .coverage.*
          if-no-files-found: ignore
          include-hidden-files: true
          retention-days: 1
 
  coverage:
    timeout-minutes: 30
    name: Combine & check coverage.
    runs-on: latchkey-small
    needs: tests
 
    steps:
      - name: πŸ”’ Harden Runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411  # v2.19.4
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443
            api.github.com:443
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false
          fetch-depth: 0
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
        with:
          cache: 'pip'
          # Use latest Python, so it understands all syntax.
          python-version: ${{env.PYTHON_LATEST}}
 
      - run: python -Im pip install --upgrade coverage
 
      - name: Download coverage data
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
        with:
          pattern: coverage-data-*
          merge-multiple: true
 
      - name: οΌ‹  Combine coverage
        run: |
          python -Im coverage combine
          python -Im coverage html --skip-covered --skip-empty
          python -Im coverage report
          echo "## Coverage summary" >> $GITHUB_STEP_SUMMARY
          python -Im coverage report --format=markdown >> $GITHUB_STEP_SUMMARY
      - name: πŸ“ˆ Upload HTML report if check failed.
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
        with:
          name: html-report
          path: htmlcov
 

What changed

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 2 jobs (6 with the matrix expanded) per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow