Publish workflow (ultimate-notion/ultimate-notion)
The Publish workflow from ultimate-notion/ultimate-notion, explained and optimized by Latchkey.
CI health: B - good
Point runs-on at Latchkey and get job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Publish workflow from the ultimate-notion/ultimate-notion repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
# This workflows will upload a Python Package using Twine when a release is created
# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
name: Publish
on:
push:
tags:
- 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
branches:
- main
concurrency:
group: build-${{ github.head_ref || github.ref_name }}
cancel-in-progress: true
env:
PIP_VERSION: "pip < 25.3"
jobs:
pure-python-wheel:
name: Build a pure Python wheel
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
with:
# Fetch all tags
fetch-depth: 0
- name: Setup environment requirements
uses: ./.github/actions/setup-venv-reqs
- name: Build distributions
run: hatch build
- uses: actions/upload-artifact@v7
with:
name: artifacts
path: dist/*
if-no-files-found: error
publish:
name: Publish on PyPI
needs:
- pure-python-wheel
runs-on: ubuntu-latest
if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags')
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
defaults:
run:
shell: bash -l {0}
steps:
- uses: actions/download-artifact@v8
with:
name: artifacts
path: dist
- name: Push artifacts to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
skip-existing: true
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
# This workflows will upload a Python Package using Twine when a release is created # For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries name: Publish on: push: tags: - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10 branches: - main concurrency: group: build-${{ github.head_ref || github.ref_name }} cancel-in-progress: true env: PIP_VERSION: "pip < 25.3" jobs: pure-python-wheel: timeout-minutes: 30 name: Build a pure Python wheel runs-on: latchkey-small steps: - uses: actions/checkout@v6 with: # Fetch all tags fetch-depth: 0 - name: Setup environment requirements uses: ./.github/actions/setup-venv-reqs - name: Build distributions run: hatch build - uses: actions/upload-artifact@v7 with: name: artifacts path: dist/* if-no-files-found: error publish: timeout-minutes: 30 name: Publish on PyPI needs: - pure-python-wheel runs-on: latchkey-small if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags') permissions: id-token: write # IMPORTANT: this permission is mandatory for trusted publishing defaults: run: shell: bash -l {0} steps: - uses: actions/download-artifact@v8 with: name: artifacts path: dist - name: Push artifacts to PyPI uses: pypa/gh-action-pypi-publish@release/v1 with: skip-existing: true
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Add a job timeout so a hung step cannot burn hours of runner time.
1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
This workflow runs 2 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.