Skip to content
Latchkey

Publish workflow (ultimate-notion/ultimate-notion)

The Publish workflow from ultimate-notion/ultimate-notion, explained and optimized by Latchkey.

B

CI health: B - good

Point runs-on at Latchkey and get job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: ultimate-notion/ultimate-notion.github/workflows/publish-pkg.ymlLicense MITView source

What it does

This is the Publish workflow from the ultimate-notion/ultimate-notion repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
# This workflows will upload a Python Package using Twine when a release is created
# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries

name: Publish

on:
  push:
    tags:
      - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
    branches:
      - main

concurrency:
  group: build-${{ github.head_ref || github.ref_name }}
  cancel-in-progress: true

env:
  PIP_VERSION: "pip < 25.3"

jobs:
  pure-python-wheel:
    name: Build a pure Python wheel
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v6
        with:
          # Fetch all tags
          fetch-depth: 0

      - name: Setup environment requirements
        uses: ./.github/actions/setup-venv-reqs

      - name: Build distributions
        run: hatch build

      - uses: actions/upload-artifact@v7
        with:
          name: artifacts
          path: dist/*
          if-no-files-found: error

  publish:
    name: Publish on PyPI
    needs:
      - pure-python-wheel
    runs-on: ubuntu-latest
    if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags')
    permissions:
      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
    defaults:
      run:
        shell: bash -l {0}

    steps:
      - uses: actions/download-artifact@v8
        with:
          name: artifacts
          path: dist

      - name: Push artifacts to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          skip-existing: true

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

# This workflows will upload a Python Package using Twine when a release is created
# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
 
name: Publish
 
on:
  push:
    tags:
      - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
    branches:
      - main
 
concurrency:
  group: build-${{ github.head_ref || github.ref_name }}
  cancel-in-progress: true
 
env:
  PIP_VERSION: "pip < 25.3"
 
jobs:
  pure-python-wheel:
    timeout-minutes: 30
    name: Build a pure Python wheel
    runs-on: latchkey-small
 
    steps:
      - uses: actions/checkout@v6
        with:
          # Fetch all tags
          fetch-depth: 0
 
      - name: Setup environment requirements
        uses: ./.github/actions/setup-venv-reqs
 
      - name: Build distributions
        run: hatch build
 
      - uses: actions/upload-artifact@v7
        with:
          name: artifacts
          path: dist/*
          if-no-files-found: error
 
  publish:
    timeout-minutes: 30
    name: Publish on PyPI
    needs:
      - pure-python-wheel
    runs-on: latchkey-small
    if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags')
    permissions:
      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
    defaults:
      run:
        shell: bash -l {0}
 
    steps:
      - uses: actions/download-artifact@v8
        with:
          name: artifacts
          path: dist
 
      - name: Push artifacts to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          skip-existing: true
 

What changed

1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

This workflow runs 2 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow