CD workflow (wntrblm/nox)
The CD workflow from wntrblm/nox, explained and optimized by Latchkey.
CI health: B - good
Point runs-on at Latchkey and get job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the CD workflow from the wntrblm/nox repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: CD
on:
push:
branches: [main]
pull_request:
workflow_dispatch:
release:
types: [published]
env:
FORCE_COLOR: "1"
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
dist:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7.0.0
with:
persist-credentials: false
- uses: hynek/build-and-inspect-python-package@v2
deploy:
needs: [dist]
environment:
name: pypi
url: https://pypi.org/project/nox
permissions:
id-token: write
attestations: write
runs-on: ubuntu-latest
if: github.event_name == 'release' && github.event.action == 'published'
steps:
- uses: actions/download-artifact@v8
with:
name: Packages
path: dist
- name: Generate artifact attestation for sdist and wheel
uses: actions/attest@v4.1.0
with:
subject-path: "dist/*"
- uses: pypa/gh-action-pypi-publish@release/v1
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: CD on: push: branches: [main] pull_request: workflow_dispatch: release: types: [published] env: FORCE_COLOR: "1" concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true permissions: {} jobs: dist: timeout-minutes: 30 runs-on: latchkey-small steps: - uses: actions/checkout@v7.0.0 with: persist-credentials: false - uses: hynek/build-and-inspect-python-package@v2 deploy: timeout-minutes: 30 needs: [dist] environment: name: pypi url: https://pypi.org/project/nox permissions: id-token: write attestations: write runs-on: latchkey-small if: github.event_name == 'release' && github.event.action == 'published' steps: - uses: actions/download-artifact@v8 with: name: Packages path: dist - name: Generate artifact attestation for sdist and wheel uses: actions/attest@v4.1.0 with: subject-path: "dist/*" - uses: pypa/gh-action-pypi-publish@release/v1
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Add a job timeout so a hung step cannot burn hours of runner time.
2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
This workflow runs 2 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.