From 4cb9768e25ae3b068bfabf7c3067d3f54935e2f3 Mon Sep 17 00:00:00 2001
From: Vlada Dusek
Date: Wed, 6 May 2026 09:52:01 +0200
Subject: [PATCH 1/4] fix: inline beta release jobs to fix PyPI Trusted Publishing

PyPI's Trusted Publishing rejects OIDC tokens issued from reusable workflows, so the beta release jobs are inlined into on_master.yaml instead of being invoked via `uses:` from manual_release_beta.yaml.
---
 .github/workflows/manual_release_beta.yaml | 7 +--
 .github/workflows/on_master.yaml | 53 ++++++++++++++++++++--
 2 files changed, 53 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/manual_release_beta.yaml b/.github/workflows/manual_release_beta.yaml
index b820ac6..7e1996a 100644
--- a/.github/workflows/manual_release_beta.yaml
+++ b/.github/workflows/manual_release_beta.yaml
@@ -2,11 +2,12 @@ name: Beta release
 
 on:
 # Runs when manually triggered from the GitHub UI.
+ # Note: This workflow is intentionally NOT a reusable workflow (no `workflow_call`)
+ # because PyPI's Trusted Publishing does not currently support reusable workflows.
+ # The same jobs are duplicated in `on_master.yaml` for the automatic beta release on push to master.
+ # See: https://docs.pypi.org/trusted-publishers/troubleshooting/#reusable-workflows-on-github
 workflow_dispatch:
 
- # Runs when invoked by another workflow.
- workflow_call:
-
 permissions:
 contents: read
 
diff --git a/.github/workflows/on_master.yaml b/.github/workflows/on_master.yaml
index e2dca8d..9941bbb 100644
--- a/.github/workflows/on_master.yaml
+++ b/.github/workflows/on_master.yaml
@@ -22,13 +22,58 @@ jobs:
 name: Tests
 uses: ./.github/workflows/_tests.yaml
 
- beta_release:
+ # The beta release jobs are intentionally inlined here (instead of calling
+ # `manual_release_beta.yaml` via `uses:`) because PyPI's Trusted Publishing
+ # does not currently support reusable workflows.
+ # See: https://docs.pypi.org/trusted-publishers/troubleshooting/#reusable-workflows-on-github
+ release_prepare:
 # Skip this for "ci", "docs" and "test" commits and for forks.
 if: "!startsWith(github.event.head_commit.message, 'ci') && !startsWith(github.event.head_commit.message, 'docs') && !startsWith(github.event.head_commit.message, 'test') && startsWith(github.repository, 'apify/')"
- name: Beta release
+ name: Beta release / Release prepare
 needs: [code_checks, tests]
+ runs-on: ubuntu-latest
+ outputs:
+ version_number: ${{ steps.release_prepare.outputs.version_number }}
+ tag_name: ${{ steps.release_prepare.outputs.tag_name }}
+ changelog: ${{ steps.release_prepare.outputs.changelog }}
+ steps:
+ - uses: apify/workflows/git-cliff-release@main
+ id: release_prepare
+ name: Release prepare
+ with:
+ release_type: prerelease
+ existing_changelog_path: CHANGELOG.md
+
+ changelog_update:
+ name: Beta release / Changelog update
+ needs: [release_prepare]
 permissions:
 contents: write
- id-token: write
- uses: ./.github/workflows/manual_release_beta.yaml
+ uses: apify/workflows/.github/workflows/python_bump_and_update_changelog.yaml@main
+ with:
+ version_number: ${{ needs.release_prepare.outputs.version_number }}
+ changelog: ${{ needs.release_prepare.outputs.changelog }}
 secrets: inherit
+
+ pypi_publish:
+ name: Beta release / PyPI publish
+ needs: [release_prepare, changelog_update]
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ id-token: write # Required for OIDC authentication.
+ environment:
+ name: pypi
+ url: https://pypi.org/project/apify-shared
+ steps:
+ - name: Prepare distribution
+ uses: apify/workflows/prepare-pypi-distribution@main
+ with:
+ package_name: apify-shared
+ is_prerelease: "yes"
+ version_number: ${{ needs.release_prepare.outputs.version_number }}
+ ref: ${{ needs.changelog_update.outputs.changelog_commitish }}
+
+ # Publish the package to PyPI using PyPA official GitHub action with OIDC authentication.
+ - name: Publish package to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
From 85c17de36a96dd08e7ac78ae77f166200d2db440 Mon Sep 17 00:00:00 2001
From: Vlada Dusek
Date: Wed, 6 May 2026 09:56:03 +0200
Subject: [PATCH 2/4] cleanup

---
 .github/workflows/manual_release_beta.yaml | 1 -
 .github/workflows/on_master.yaml | 1 -
 2 files changed, 2 deletions(-)

diff --git a/.github/workflows/manual_release_beta.yaml b/.github/workflows/manual_release_beta.yaml
index 7e1996a..e17a6ef 100644
--- a/.github/workflows/manual_release_beta.yaml
+++ b/.github/workflows/manual_release_beta.yaml
@@ -17,7 +17,6 @@ jobs:
 runs-on: ubuntu-latest
 outputs:
 version_number: ${{ steps.release_prepare.outputs.version_number }}
- tag_name: ${{ steps.release_prepare.outputs.tag_name }}
 changelog: ${{ steps.release_prepare.outputs.changelog }}
 steps:
 - uses: apify/workflows/git-cliff-release@main
diff --git a/.github/workflows/on_master.yaml b/.github/workflows/on_master.yaml
index 9941bbb..01d7765 100644
--- a/.github/workflows/on_master.yaml
+++ b/.github/workflows/on_master.yaml
@@ -34,7 +34,6 @@ jobs:
 runs-on: ubuntu-latest
 outputs:
 version_number: ${{ steps.release_prepare.outputs.version_number }}
- tag_name: ${{ steps.release_prepare.outputs.tag_name }}
 changelog: ${{ steps.release_prepare.outputs.changelog }}
 steps:
 - uses: apify/workflows/git-cliff-release@main
From 0a67ff12be75d87e1e200cca87fcda492fef0bf2 Mon Sep 17 00:00:00 2001
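Review bot: Every external `uses:` in the inlined release jobs points at a mutable ref (`apify/workflows/prepare-pypi-distribution@main`, `pypa/gh-action-pypi-publish@release/v1`) while `pypi_publish` holds `id-token: write` and `contents: write`, so anyone able to move those refs runs code that can publish under the project's PyPI identity. Pin each one to a full commit SHA with the ref kept as a trailing comment, e.g. `uses: pypa/gh-action-pypi-publish@<FULL_COMMIT_SHA>  # release/v1`. The same applies to `git-cliff-release@main`, to `python_bump_and_update_changelog.yaml@main` (which also receives `secrets: inherit`), and to `execute-workflow@main` in the PATCH 4/4 hunk of this file. `contents: write` on `pypi_publish` looks wider than an upload job needs; `contents: read` would be the narrower grant if the prepare step only checks out code, which is not visible here.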
From: Vlada Dusek
Date: Wed, 6 May 2026 10:05:52 +0200
Subject: [PATCH 3/4] style: reflow inlined comment to 120 char width

---
 .github/workflows/on_master.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/on_master.yaml b/.github/workflows/on_master.yaml
index 01d7765..69e8f29 100644
--- a/.github/workflows/on_master.yaml
+++ b/.github/workflows/on_master.yaml
@@ -22,9 +22,8 @@ jobs:
 name: Tests
 uses: ./.github/workflows/_tests.yaml
 
- # The beta release jobs are intentionally inlined here (instead of calling
- # `manual_release_beta.yaml` via `uses:`) because PyPI's Trusted Publishing
- # does not currently support reusable workflows.
+ # The beta release jobs are intentionally inlined here (instead of calling `manual_release_beta.yaml` via `uses:`)
+ # because PyPI's Trusted Publishing does not currently support reusable workflows.
 # See: https://docs.pypi.org/trusted-publishers/troubleshooting/#reusable-workflows-on-github
 release_prepare:
 # Skip this for "ci", "docs" and "test" commits and for forks.
From 470ad8610fdc531bc24e87b2af9d62bb60db1050 Mon Sep 17 00:00:00 2001
From: Vlada Dusek
Date: Thu, 7 May 2026 11:49:38 +0200
Subject: [PATCH 4/4] ci: dispatch beta release via execute-workflow instead of inlining

Use apify/workflows/execute-workflow@main to trigger manual_release_beta.yaml as a separate workflow run (not a reusable workflow call), so PyPI's Trusted Publishing accepts the OIDC token. This removes the duplication between on_master.yaml and manual_release_beta.yaml introduced by the previous inline approach. Add a concurrency group to manual_release_beta.yaml so two rapid pushes to master cannot race on the version bump and PyPI publish.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/manual_release_beta.yaml | 12 +++--
 .github/workflows/on_master.yaml | 51 +++-------------------
 2 files changed, 15 insertions(+), 48 deletions(-)

diff --git a/.github/workflows/manual_release_beta.yaml b/.github/workflows/manual_release_beta.yaml
index e17a6ef..f56b8ee 100644
--- a/.github/workflows/manual_release_beta.yaml
+++ b/.github/workflows/manual_release_beta.yaml
@@ -1,13 +1,17 @@
 name: Beta release
 
 on:
- # Runs when manually triggered from the GitHub UI.
- # Note: This workflow is intentionally NOT a reusable workflow (no `workflow_call`)
- # because PyPI's Trusted Publishing does not currently support reusable workflows.
- # The same jobs are duplicated in `on_master.yaml` for the automatic beta release on push to master.
+ # Runs when manually triggered from the GitHub UI, or dispatched from `on_master.yaml`
+ # via the `apify/workflows/execute-workflow` action for the automatic beta release on push to master.
+ # Note: This workflow is intentionally NOT a reusable workflow (no `workflow_call`) because PyPI's
+ # Trusted Publishing does not currently support reusable workflows.
 # See: https://docs.pypi.org/trusted-publishers/troubleshooting/#reusable-workflows-on-github
 workflow_dispatch:
 
+concurrency:
+ group: release
+ cancel-in-progress: false
+
 permissions:
 contents: read
 
diff --git a/.github/workflows/on_master.yaml b/.github/workflows/on_master.yaml
index 69e8f29..1e7c549 100644
--- a/.github/workflows/on_master.yaml
+++ b/.github/workflows/on_master.yaml
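Review bot: The new `concurrency` block in `manual_release_beta.yaml` has no comment saying what it does not guarantee. With `cancel-in-progress: false` GitHub keeps one running and at most one pending run per group, and a newly queued run replaces the pending one, so a burst of pushes drops the intermediate beta instead of queuing it. A comment above `group: release` would record that, e.g. `# Serialises releases; only the newest pending run is kept, so intermediate betas may be skipped.` If another release workflow uses the same `release` group name (not visible here), the two will also block each other, which is worth stating if intended.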
@@ -22,56 +22,19 @@ jobs:
 name: Tests
 uses: ./.github/workflows/_tests.yaml
 
- # The beta release jobs are intentionally inlined here (instead of calling `manual_release_beta.yaml` via `uses:`)
+ # The beta release is dispatched as a separate workflow run (instead of calling `manual_release_beta.yaml` via `uses:`)
 # because PyPI's Trusted Publishing does not currently support reusable workflows.
 # See: https://docs.pypi.org/trusted-publishers/troubleshooting/#reusable-workflows-on-github
- release_prepare:
+ beta_release:
 # Skip this for "ci", "docs" and "test" commits and for forks.
 if: "!startsWith(github.event.head_commit.message, 'ci') && !startsWith(github.event.head_commit.message, 'docs') && !startsWith(github.event.head_commit.message, 'test') && startsWith(github.repository, 'apify/')"
- name: Beta release / Release prepare
+ name: Beta release
 needs: [code_checks, tests]
 runs-on: ubuntu-latest
- outputs:
- version_number: ${{ steps.release_prepare.outputs.version_number }}
- changelog: ${{ steps.release_prepare.outputs.changelog }}
- steps:
- - uses: apify/workflows/git-cliff-release@main
- id: release_prepare
- name: Release prepare
- with:
- release_type: prerelease
- existing_changelog_path: CHANGELOG.md
-
- changelog_update:
- name: Beta release / Changelog update
- needs: [release_prepare]
 permissions:
- contents: write
- uses: apify/workflows/.github/workflows/python_bump_and_update_changelog.yaml@main
- with:
- version_number: ${{ needs.release_prepare.outputs.version_number }}
- changelog: ${{ needs.release_prepare.outputs.changelog }}
- secrets: inherit
-
- pypi_publish:
- name: Beta release / PyPI publish
- needs: [release_prepare, changelog_update]
- runs-on: ubuntu-latest
- permissions:
- contents: write
- id-token: write # Required for OIDC authentication.
- environment:
- name: pypi
- url: https://pypi.org/project/apify-shared
+ actions: write # Required by execute-workflow.
 steps:
- - name: Prepare distribution
- uses: apify/workflows/prepare-pypi-distribution@main
+ - name: Dispatch beta release workflow
+ uses: apify/workflows/execute-workflow@main
 with:
- package_name: apify-shared
- is_prerelease: "yes"
- version_number: ${{ needs.release_prepare.outputs.version_number }}
- ref: ${{ needs.changelog_update.outputs.changelog_commitish }}
-
- # Publish the package to PyPI using PyPA official GitHub action with OIDC authentication.
- - name: Publish package to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ workflow: manual_release_beta.yaml
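Review bot: In `beta_release` the dispatch step passes only `workflow: manual_release_beta.yaml`, so nothing visible in this hunk ties the release run to the commit that `code_checks` and `tests` just passed. A `workflow_dispatch` run resolves its ref when it starts, so after two quick pushes the published beta may be built from a newer commit than the one this run validated; if `execute-workflow` accepts a ref or inputs (its interface is not shown here), forward `${{ github.sha }}` and have `manual_release_beta.yaml` check out that value. It is also worth a comment on whether the step waits for the dispatched run, e.g. `# NOTE: confirm execute-workflow fails this job when the dispatched release fails`, since otherwise a failed publish leaves `on_master.yaml` green. On the PyPI side the trusted publisher entry should name `manual_release_beta.yaml` as the workflow, because the OIDC token is now issued to that run.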