From 60136c822f21664b0eb8c3b83eb230d26ac20ac1 Mon Sep 17 00:00:00 2001
From: Vlada Dusek
Date: Wed, 6 May 2026 10:09:13 +0200
Subject: [PATCH] ci: inline beta release jobs to fix PyPI trusted publishing
PyPI's Trusted Publishing rejects OIDC tokens issued from reusable workflows, so the beta release jobs are inlined into on_master.yaml instead of being invoked via `uses:` from manual_release_beta.yaml.
---
 .github/workflows/manual_release_beta.yaml | 8 +--
 .github/workflows/on_master.yaml | 63 ++++++++++++++++++++--
 2 files changed, 63 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/manual_release_beta.yaml b/.github/workflows/manual_release_beta.yaml
index 5c83bfb4..ce552e36 100644
--- a/.github/workflows/manual_release_beta.yaml
+++ b/.github/workflows/manual_release_beta.yaml
@@ -2,11 +2,12 @@ name: Beta release
 on:
   # Runs when manually triggered from the GitHub UI.
+  # Note: This workflow is intentionally NOT a reusable workflow (no `workflow_call`) because PyPI's Trusted Publishing
+  # does not currently support reusable workflows. The same jobs are duplicated in `on_master.yaml` for the automatic
+  # beta release on push to master.
+  # See: https://docs.pypi.org/trusted-publishers/troubleshooting/#reusable-workflows-on-github
   workflow_dispatch:
-  # Runs when invoked by another workflow.
-  workflow_call:
-
 permissions:
   contents: read
@@ -16,7 +17,6 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       version_number: ${{ steps.release_prepare.outputs.version_number }}
-      tag_name: ${{ steps.release_prepare.outputs.tag_name }}
       changelog: ${{ steps.release_prepare.outputs.changelog }}
     steps:
       - uses: apify/workflows/git-cliff-release@main
diff --git a/.github/workflows/on_master.yaml b/.github/workflows/on_master.yaml
index 02c7449a..87b716bf 100644
--- a/.github/workflows/on_master.yaml
+++ b/.github/workflows/on_master.yaml
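Review bot: The second hunk drops `tag_name` from `release_prepare`'s `outputs:`, but the jobs that consumed it sit outside the hunk; if any later step in this file still reads `needs.release_prepare.outputs.tag_name`, GitHub substitutes an empty string instead of failing, so confirm no remaining reader exists. The added comment explains why the jobs are duplicated in `on_master.yaml` but gives no cue that the copies must be kept in step; consider appending `# Keep the job definitions below identical to the beta release jobs in on_master.yaml.` to it. The `release_prepare` job whose outputs are edited starts before this hunk.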
@@ -49,7 +49,10 @@ jobs:
     uses: ./.github/workflows/_tests.yaml
     secrets: inherit
-  beta_release:
+  # The beta release jobs are intentionally inlined here (instead of calling `manual_release_beta.yaml` via `uses:`)
+  # because PyPI's Trusted Publishing does not currently support reusable workflows.
+  # See: https://docs.pypi.org/trusted-publishers/troubleshooting/#reusable-workflows-on-github
+  release_prepare:
     # Run this only for "feat", "fix", "perf", "refactor" and "style" commits.
     if: >-
       startsWith(github.event.head_commit.message, 'feat') ||
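Review bot: The commit-message gate `if:` now lives only on the renamed `release_prepare` job, while the new downstream jobs (added in the next hunk) depend on it indirectly: GitHub skips a job whose `needs` dependency was skipped unless that job carries its own `always()`-style condition. That is correct as written but easy to break in a later edit, so a comment next to the condition would make the contract explicit: `# Downstream beta release jobs inherit this gate through their needs: chain; do not give them an if: always() condition.` The `if:` expression continues past the end of this hunk.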
@@ -57,11 +60,63 @@ jobs:
       startsWith(github.event.head_commit.message, 'perf') ||
       startsWith(github.event.head_commit.message, 'refactor') ||
       startsWith(github.event.head_commit.message, 'style')
-    name: Beta release
+    name: Beta release / Release prepare
     needs: [code_checks, docstrings_checks, tests]
+    runs-on: ubuntu-latest
+    outputs:
+      version_number: ${{ steps.release_prepare.outputs.version_number }}
+      changelog: ${{ steps.release_prepare.outputs.changelog }}
+    steps:
+      - uses: apify/workflows/git-cliff-release@main
+        id: release_prepare
+        name: Release prepare
+        with:
+          release_type: prerelease
+          existing_changelog_path: CHANGELOG.md
+
+  changelog_update:
+    name: Beta release / Changelog update
+    needs: [release_prepare]
+    permissions:
+      contents: write
+    uses: apify/workflows/.github/workflows/python_bump_and_update_changelog.yaml@main
+    with:
+      version_number: ${{ needs.release_prepare.outputs.version_number }}
+      changelog: ${{ needs.release_prepare.outputs.changelog }}
+    secrets: inherit
+
+  pypi_publish:
+    name: Beta release / PyPI publish
+    needs: [release_prepare, changelog_update]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write # Required for OIDC authentication.
+    environment:
+      name: pypi
+      url: https://pypi.org/project/apify-client
+    steps:
+      - name: Prepare distribution
+        uses: apify/workflows/prepare-pypi-distribution@main
+        with:
+          package_name: apify-client
+          is_prerelease: "yes"
+          version_number: ${{ needs.release_prepare.outputs.version_number }}
+          ref: ${{ needs.changelog_update.outputs.changelog_commitish }}
+
+      # Publish the package to PyPI using PyPA official GitHub action with OIDC authentication.
+      - name: Publish package to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+  doc_release_post_publish:
+    name: Beta release / Doc release post publish
+    needs: [changelog_update, pypi_publish]
     permissions:
       contents: write
-      id-token: write
       pages: write
-    uses: ./.github/workflows/manual_release_beta.yaml
+      id-token: write
+    uses: ./.github/workflows/manual_release_docs.yaml
+    with:
+      # Use the ref from the changelog update to include the updated changelog.
+      ref: ${{ needs.changelog_update.outputs.changelog_commitish }}
     secrets: inherit
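Review bot: `pypi_publish` runs with `id-token: write` and `contents: write` yet pulls every action through a mutable ref (`apify/workflows/prepare-pypi-distribution@main`, `pypa/gh-action-pypi-publish@release/v1`), so whatever those refs point to at run time is the code that holds the OIDC token; GitHub's hardening guidance is to pin third-party actions to a full commit SHA, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha> # release/v1`. The visible steps (prepare a distribution, publish) do not appear to need `contents: write` — if `prepare-pypi-distribution` does not push anything, `contents: read` is the least-privilege setting; confirm against that action before narrowing. Because the publishing job now lives in `on_master.yaml`, the PyPI trusted publisher must be registered with that workflow filename and the `pypi` environment or the token exchange is rejected; a comment above `environment:` recording this binding, such as `# PyPI trusted publisher is bound to workflow on_master.yaml + environment pypi; update PyPI if either is renamed.`, would save the next person a failed release.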