ci: inline beta release jobs to fix PyPI trusted publishing #890

Open
vdusek wants to merge 1 commit into master from ci/inline-beta-release-for-pypi

@vdusek vdusek commented May 6, 2026

Summary

PyPI's Trusted Publishing rejects OIDC tokens issued from reusable workflows:

The claims in this token suggest that the calling workflow is a reusable workflow. Reusable workflows are not currently supported by PyPI's Trusted Publishing.

on_master.yaml was invoking manual_release_beta.yaml via uses:, which made the OIDC token reflect a reusable workflow call. The same fix has already been applied in apify/apify-shared-python#63 and apify/crawlee-python#1875.

Changes

  • on_master.yaml: inline the four beta release jobs (release_prepare, changelog_update, pypi_publish, doc_release_post_publish) directly, instead of calling manual_release_beta.yaml as a reusable workflow.
  • manual_release_beta.yaml: remove the workflow_call trigger (no longer invoked from another workflow) and add a comment explaining why the duplication exists.
  • Drop the unused tag_name output from release_prepare in both files.

Follow-up

The PyPI Trusted Publisher for apify is currently configured for manual_release_beta.yaml. After this is merged, an entry for on_master.yaml needs to be added on PyPI so the automatic beta release passes verification.

See: https://docs.pypi.org/trusted-publishers/troubleshooting/#reusable-workflows-on-github

PyPI's Trusted Publishing rejects OIDC tokens issued from reusable workflows,
so the beta release jobs are inlined into on_master.yaml instead of being
invoked via `uses:` from manual_release_beta.yaml.
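
An added example, not part of this PR and not PyPI's code: a simplified model of the rejection quoted in the description, comparing GitHub's `workflow_ref` and `job_workflow_ref` OIDC claims. The repository name, the unsigned tokens and the `diagnose` helper are constructed for illustration, and the comparison itself is an assumption about how the mismatch shows up in the claims.

```python
import base64
import json

REPO = "example-org/example-pkg"  # constructed placeholder repository


def make_token(caller: str, job: str) -> str:
    """Build an unsigned, constructed JWT carrying the two workflow claims."""
    claims = {
        "repository": REPO,
        "workflow_ref": f"{REPO}/.github/workflows/{caller}@refs/heads/master",
        "job_workflow_ref": f"{REPO}/.github/workflows/{job}@refs/heads/master",
    }
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return f"e30.{body.decode()}.constructed-signature"


def decode_claims(token: str) -> dict:
    """Read the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def workflow_file(ref: str) -> str:
    """'owner/repo/.github/workflows/x.yaml@ref' -> 'x.yaml'."""
    return ref.split("@", 1)[0].rsplit("/", 1)[1]


def diagnose(token: str, trusted_workflow: str) -> str:
    """Classify a token against the workflow file named in the trusted publisher."""
    claims = decode_claims(token)
    if claims["workflow_ref"] != claims["job_workflow_ref"]:
        # The job was defined in a different file than the triggered workflow.
        return "reusable-workflow"
    if workflow_file(claims["job_workflow_ref"]) != trusted_workflow:
        # Inlined job, but the publisher entry still names another file.
        return "publisher-mismatch"
    return "ok"


# Before the PR: on_master.yaml calls manual_release_beta.yaml via `uses:`.
BEFORE = make_token("on_master.yaml", "manual_release_beta.yaml")
# After the PR: the publish job is defined in on_master.yaml itself.
AFTER = make_token("on_master.yaml", "on_master.yaml")

if __name__ == "__main__":
    for tok, trusted in [(BEFORE, "manual_release_beta.yaml"),
                         (AFTER, "manual_release_beta.yaml"),
                         (AFTER, "on_master.yaml")]:
        print(trusted, "->", diagnose(tok, trusted))
```

The middle case corresponds to the follow-up in the description: once the jobs are inlined, the publisher entry has to name `on_master.yaml` before verification passes.
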
@vdusek vdusek added labels adhoc (Ad-hoc unplanned task added during the sprint.) and t-tooling (Issues with this label are in the ownership of the tooling team.) May 6, 2026
@vdusek vdusek self-assigned this May 6, 2026
@vdusek vdusek requested a review from janbuchar May 6, 2026 08:09
@github-actions github-actions Bot added this to the 140th sprint - Tooling team milestone May 6, 2026

codecov Bot commented May 6, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.94%. Comparing base (6f82da9) to head (9d83182).
⚠️ Report is 5 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #890   +/-   ##
=======================================
  Coverage   86.94%   86.94%           
=======================================
  Files          48       48           
  Lines        2942     2942           
=======================================
  Hits         2558     2558           
  Misses        384      384           
Flag Coverage Δ
e2e 37.72% <ø> (ø)
integration 59.04% <ø> (ø)
unit 75.69% <ø> (ø)

Flags with carried forward coverage won't be shown.
