From 2a0bd2ebc21878c7ddb14ab79e91216dd3a8154b Mon Sep 17 00:00:00 2001 From: Vlada Dusek Date: Wed, 6 May 2026 10:02:16 +0200 Subject: [PATCH 1/2] fix: inline beta release jobs to fix PyPI Trusted Publishing PyPI's Trusted Publishing rejects OIDC tokens issued from reusable workflows, so the beta release jobs are inlined into on_master.yaml instead of being invoked via `uses:` from manual_release_beta.yaml. --- .github/workflows/manual_release_beta.yaml | 8 +-- .github/workflows/on_master.yaml | 64 ++++++++++++++++++++-- 2 files changed, 64 insertions(+), 8 deletions(-) diff --git a/.github/workflows/manual_release_beta.yaml b/.github/workflows/manual_release_beta.yaml index 373200a831..2f6b79966b 100644 --- a/.github/workflows/manual_release_beta.yaml +++ b/.github/workflows/manual_release_beta.yaml @@ -2,11 +2,12 @@ name: Beta release on: # Runs when manually triggered from the GitHub UI. + # Note: This workflow is intentionally NOT a reusable workflow (no `workflow_call`) + # because PyPI's Trusted Publishing does not currently support reusable workflows. + # The same jobs are duplicated in `on_master.yaml` for the automatic beta release on push to master. + # See: https://docs.pypi.org/trusted-publishers/troubleshooting/#reusable-workflows-on-github workflow_dispatch: - # Runs when invoked by another workflow. - workflow_call: - permissions: contents: read @@ -16,7 +17,6 @@ jobs: runs-on: ubuntu-latest outputs: version_number: ${{ steps.release_prepare.outputs.version_number }} - tag_name: ${{ steps.release_prepare.outputs.tag_name }} changelog: ${{ steps.release_prepare.outputs.changelog }} steps: - uses: apify/workflows/git-cliff-release@main diff --git a/.github/workflows/on_master.yaml b/.github/workflows/on_master.yaml index ddb4bd8a21..ce245a2569 100644 --- a/.github/workflows/on_master.yaml +++ b/.github/workflows/on_master.yaml 
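Review bot: The comment added above `workflow_dispatch:` in manual_release_beta.yaml explains why `workflow_call` was dropped, but not the operational consequence. PyPI matches the workflow filename in the OIDC token against the registered trusted publisher, so after this change `manual_release_beta.yaml` and `on_master.yaml` each need their own publisher entry, with the `pypi` environment if one is set on the PyPI side. I would add a line such as `# Both workflow files must be registered as trusted publishers on PyPI; keep these jobs in sync with on_master.yaml.` so the duplicated copies do not drift unnoticed.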
@@ -45,7 +45,11 @@ jobs: uses: ./.github/workflows/_tests.yaml secrets: inherit - beta_release: + # The beta release jobs are intentionally inlined here (instead of calling + # `manual_release_beta.yaml` via `uses:`) because PyPI's Trusted Publishing + # does not currently support reusable workflows. + # See: https://docs.pypi.org/trusted-publishers/troubleshooting/#reusable-workflows-on-github + release_prepare: # Run this only for "feat", "fix", "perf", "refactor" and "style" commits. if: >- startsWith(github.event.head_commit.message, 'feat') || 
@@ -53,11 +57,63 @@ jobs: startsWith(github.event.head_commit.message, 'perf') || startsWith(github.event.head_commit.message, 'refactor') || startsWith(github.event.head_commit.message, 'style') - name: Beta release + name: Beta release / Release prepare needs: [code_checks, tests] + runs-on: ubuntu-latest + outputs: + version_number: ${{ steps.release_prepare.outputs.version_number }} + changelog: ${{ steps.release_prepare.outputs.changelog }} + steps: + - uses: apify/workflows/git-cliff-release@main + id: release_prepare + name: Release prepare + with: + release_type: prerelease + existing_changelog_path: CHANGELOG.md + + changelog_update: + name: Beta release / Changelog update + needs: [release_prepare] + permissions: + contents: write + uses: apify/workflows/.github/workflows/python_bump_and_update_changelog.yaml@main + with: + version_number: ${{ needs.release_prepare.outputs.version_number }} + changelog: ${{ needs.release_prepare.outputs.changelog }} + secrets: inherit + + pypi_publish: + name: Beta release / PyPI publish + needs: [release_prepare, changelog_update] + runs-on: ubuntu-latest + permissions: + contents: write + id-token: write # Required for OIDC authentication. + environment: + name: pypi + url: https://pypi.org/project/crawlee + steps: + - name: Prepare distribution + uses: apify/workflows/prepare-pypi-distribution@main + with: + package_name: crawlee + is_prerelease: "yes" + version_number: ${{ needs.release_prepare.outputs.version_number }} + ref: ${{ needs.changelog_update.outputs.changelog_commitish }} + + # Publish the package to PyPI using PyPA official GitHub action with OIDC authentication. 
+ - name: Publish package to PyPI + uses: pypa/gh-action-pypi-publish@release/v1 + + doc_release_post_publish: + name: Beta release / Doc release post publish + needs: [changelog_update, pypi_publish] permissions: contents: write - id-token: write pages: write - uses: ./.github/workflows/manual_release_beta.yaml + id-token: write + uses: ./.github/workflows/manual_release_docs.yaml + with: + # Use the ref from the changelog update to include the updated changelog. + ref: ${{ needs.changelog_update.outputs.changelog_commitish }} secrets: inherit From 5b702f5307ea4a8cd3a5555156170385c6b3dd72 Mon Sep 17 00:00:00 2001 From: Vlada Dusek Date: Wed, 6 May 2026 10:05:57 +0200 Subject: [PATCH 2/2] style: reflow inlined comment to 120 char width --- .github/workflows/on_master.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/on_master.yaml b/.github/workflows/on_master.yaml index ce245a2569..aa578b1cae 100644 --- a/.github/workflows/on_master.yaml +++ b/.github/workflows/on_master.yaml @@ -45,9 +45,8 @@ jobs: uses: ./.github/workflows/_tests.yaml secrets: inherit - # The beta release jobs are intentionally inlined here (instead of calling - # `manual_release_beta.yaml` via `uses:`) because PyPI's Trusted Publishing - # does not currently support reusable workflows. + # The beta release jobs are intentionally inlined here (instead of calling `manual_release_beta.yaml` via `uses:`) + # because PyPI's Trusted Publishing does not currently support reusable workflows. # See: https://docs.pypi.org/trusted-publishers/troubleshooting/#reusable-workflows-on-github release_prepare: # Run this only for "feat", "fix", "perf", "refactor" and "style" commits.
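Review bot: The inlined `pypi_publish` job in on_master.yaml grants `id-token: write` and then runs `apify/workflows/prepare-pypi-distribution@main` and `pypa/gh-action-pypi-publish@release/v1`. Both are mutable branch refs, so whatever those branches point to at run time executes in a job that can obtain a PyPI publishing token. Pinning each to a full commit SHA, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, fixes what runs. The same applies to `git-cliff-release@main` and to the `python_bump_and_update_changelog.yaml@main` call, which also receives `secrets: inherit`. Separately, `contents: write` on `pypi_publish` looks broader than the two visible steps need; if neither pushes to the repository, `contents: read` would do, which is worth confirming against the composite action.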