Release (build + verify + publish) workflow (XTraceAI/xtrace-sdk)
The Release (build + verify + publish) workflow from XTraceAI/xtrace-sdk, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get caching, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Release (build + verify + publish) workflow from the XTraceAI/xtrace-sdk repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Release (build + verify + publish)
on:
push:
branches:
- main
- staging
tags:
- "v*"
workflow_dispatch:
concurrency:
group: release-${{ github.ref }}
cancel-in-progress: true
jobs:
qa:
name: Quality gates (lint, type-check, tests)
runs-on: ubuntu-latest
timeout-minutes: 20
strategy:
fail-fast: false
matrix:
python-version: ["3.12"]
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- uses: astral-sh/setup-uv@v4
with:
enable-cache: true
- name: Install package + all dev dependencies
run: uv sync --all-groups
- name: Ruff lint
run: uv run ruff check src/xtrace_sdk/ --output-format=github
- name: Mypy
run: uv run mypy src/xtrace_sdk/
- name: Pytest (lookup encryption)
run: uv run pytest tests/x_vec/test_paillier_lookup_encryption.py
- name: Pytest (paillier encryption)
run: uv run pytest tests/x_vec/test_paillier_encryption.py
build:
name: Build sdist + wheel
runs-on: ubuntu-latest
needs: qa
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
fetch-tags: true
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- uses: astral-sh/setup-uv@v4
with:
enable-cache: true
- name: Resolve version from git tag
run: |
if git describe --tags --exact-match HEAD 2>/dev/null; then
VER=$(git describe --tags --exact-match HEAD)
echo "SETUPTOOLS_SCM_PRETEND_VERSION=${VER#v}" >> "$GITHUB_ENV"
fi
- name: Build artifacts
run: uv build
- uses: actions/upload-artifact@v4
with:
name: dist-artifacts
path: dist
verify:
name: Verify wheel is installable
runs-on: ubuntu-latest
needs: build
steps:
- uses: actions/download-artifact@v4
with:
name: dist-artifacts
path: dist
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- uses: astral-sh/setup-uv@v4
- name: Install from wheel and import
run: |
uv pip install --system dist/*.whl
python -c "import xtrace_sdk; print('Imported:', xtrace_sdk.__name__)"
publish-testpypi:
name: Publish to TestPyPI
runs-on: ubuntu-latest
needs: verify
if: github.ref == 'refs/heads/staging'
permissions:
id-token: write
steps:
- uses: actions/download-artifact@v4
with:
name: dist-artifacts
path: dist
- name: Publish (TestPyPI via OIDC)
uses: pypa/gh-action-pypi-publish@release/v1
with:
repository-url: https://test.pypi.org/legacy/
verbose: true
packages-dir: dist
skip-existing: true
publish-pypi:
name: Publish to PyPI
runs-on: ubuntu-latest
needs: verify
if: startsWith(github.ref, 'refs/tags/v')
permissions:
id-token: write
steps:
- uses: actions/download-artifact@v4
with:
name: dist-artifacts
path: dist
- name: Publish (PyPI via OIDC)
uses: pypa/gh-action-pypi-publish@release/v1
with:
verbose: true
packages-dir: dist
skip-existing: true
The same workflow, on Latchkey
Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.
name: Release (build + verify + publish) on: push: branches: - main - staging tags: - "v*" workflow_dispatch: concurrency: group: release-${{ github.ref }} cancel-in-progress: true jobs: qa: name: Quality gates (lint, type-check, tests) runs-on: latchkey-small timeout-minutes: 20 strategy: fail-fast: false matrix: python-version: ["3.12"] steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 with: cache: 'pip' python-version: ${{ matrix.python-version }} - uses: astral-sh/setup-uv@v4 with: enable-cache: true - name: Install package + all dev dependencies run: uv sync --all-groups - name: Ruff lint run: uv run ruff check src/xtrace_sdk/ --output-format=github - name: Mypy run: uv run mypy src/xtrace_sdk/ - name: Pytest (lookup encryption) run: uv run pytest tests/x_vec/test_paillier_lookup_encryption.py - name: Pytest (paillier encryption) run: uv run pytest tests/x_vec/test_paillier_encryption.py build: timeout-minutes: 30 name: Build sdist + wheel runs-on: latchkey-small needs: qa steps: - uses: actions/checkout@v4 with: fetch-depth: 0 fetch-tags: true - uses: actions/setup-python@v5 with: cache: 'pip' python-version: "3.12" - uses: astral-sh/setup-uv@v4 with: enable-cache: true - name: Resolve version from git tag run: | if git describe --tags --exact-match HEAD 2>/dev/null; then VER=$(git describe --tags --exact-match HEAD) echo "SETUPTOOLS_SCM_PRETEND_VERSION=${VER#v}" >> "$GITHUB_ENV" fi - name: Build artifacts run: uv build - uses: actions/upload-artifact@v4 with: name: dist-artifacts path: dist verify: timeout-minutes: 30 name: Verify wheel is installable runs-on: latchkey-small needs: build steps: - uses: actions/download-artifact@v4 with: name: dist-artifacts path: dist - uses: actions/setup-python@v5 with: cache: 'pip' python-version: "3.12" - uses: astral-sh/setup-uv@v4 - name: Install from wheel and import run: | uv pip install --system dist/*.whl python -c "import xtrace_sdk; print('Imported:', xtrace_sdk.__name__)" publish-testpypi: timeout-minutes: 30 name: Publish to TestPyPI runs-on: latchkey-small needs: verify if: github.ref == 'refs/heads/staging' permissions: id-token: write steps: - uses: actions/download-artifact@v4 with: name: dist-artifacts path: dist - name: Publish (TestPyPI via OIDC) uses: pypa/gh-action-pypi-publish@release/v1 with: repository-url: https://test.pypi.org/legacy/ verbose: true packages-dir: dist skip-existing: true publish-pypi: timeout-minutes: 30 name: Publish to PyPI runs-on: latchkey-small needs: verify if: startsWith(github.ref, 'refs/tags/v') permissions: id-token: write steps: - uses: actions/download-artifact@v4 with: name: dist-artifacts path: dist - name: Publish (PyPI via OIDC) uses: pypa/gh-action-pypi-publish@release/v1 with: verbose: true packages-dir: dist skip-existing: true
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cache dependency installs on the setup step so they are served from cache.
- Add a job timeout so a hung step cannot burn hours of runner time.
2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- Dependency installs
This workflow runs 5 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.