ci: Refactor release workflows and secrets handling

Author: vdusek

.github/workflows/_check_docs.yaml

@@ -6,9 +6,13 @@ on:
 
   # Runs when invoked by another workflow.
   workflow_call:
+    secrets:
+      APIFY_SIGNING_TOKEN:
+        required: false
 
 jobs:
   doc_checks:
     name: Doc checks
     uses: apify/workflows/.github/workflows/python_docs_check.yaml@main
-    secrets: inherit
+    secrets:
+      APIFY_SIGNING_TOKEN: ${{ secrets.APIFY_SIGNING_TOKEN }}

.github/workflows/_release_docs.yaml

@@ -10,10 +10,18 @@ on:
       ref:
         required: true
         type: string
+    secrets:
+      APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN:
+        required: true
+      APIFY_SIGNING_TOKEN:
+        required: true
+      SEGMENT_TOKEN:
+        required: false
 
 env:
   NODE_VERSION: 22
   PYTHON_VERSION: 3.14
+  CHECKOUT_REF: ${{ github.event_name == 'workflow_call' && inputs.ref || github.ref }}
 
 jobs:
   release_docs:
@@ -31,7 +39,7 @@ jobs:
         uses: actions/checkout@v6
         with:
           token: ${{ secrets.APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN }}
-          ref: ${{ github.event_name == 'workflow_call' && inputs.ref || github.ref }}
+          ref: ${{ env.CHECKOUT_REF }}
 
       - name: Set up Node
         uses: actions/setup-node@v6

.github/workflows/_release_pre.yaml

@@ -6,6 +6,11 @@ on:
 
   # Runs when invoked by another workflow.
   workflow_call:
+    secrets:
+      APIFY_HTTPBIN_TOKEN:
+        required: false
+      CODECOV_TOKEN:
+        required: false
 
 jobs:
   unit_tests:

.github/workflows/_tests.yaml

@@ -30,52 +30,52 @@ jobs:
     name: Code checks
     uses: ./.github/workflows/_check_code.yaml
 
-  release_metadata:
-    name: Prepare release metadata
+  release_prepare:
+    name: Release prepare
     needs: [code_checks]
     runs-on: ubuntu-latest
     outputs:
-      version_number: ${{ steps.release_metadata.outputs.version_number }}
-      tag_name: ${{ steps.release_metadata.outputs.tag_name }}
-      changelog: ${{ steps.release_metadata.outputs.changelog }}
-      release_notes: ${{ steps.release_metadata.outputs.release_notes }}
+      version_number: ${{ steps.release_prepare.outputs.version_number }}
+      tag_name: ${{ steps.release_prepare.outputs.tag_name }}
+      changelog: ${{ steps.release_prepare.outputs.changelog }}
+      release_notes: ${{ steps.release_prepare.outputs.release_notes }}
     steps:
       - uses: apify/workflows/git-cliff-release@main
-        name: Prepare release metadata
-        id: release_metadata
+        name: Release prepare
+        id: release_prepare
         with:
           release_type: ${{ inputs.release_type }}
           custom_version: ${{ inputs.custom_version }}
           existing_changelog_path: CHANGELOG.md
 
-  update_changelog:
-    name: Update changelog
-    needs: [release_metadata]
+  changelog_update:
+    name: Changelog update
+    needs: [release_prepare]
     uses: apify/workflows/.github/workflows/python_bump_and_update_changelog.yaml@main
     with:
-      version_number: ${{ needs.release_metadata.outputs.version_number }}
-      changelog: ${{ needs.release_metadata.outputs.changelog }}
+      version_number: ${{ needs.release_prepare.outputs.version_number }}
+      changelog: ${{ needs.release_prepare.outputs.changelog }}
     secrets:
       APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN: ${{ secrets.APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN }}
 
-  create_github_release:
-    name: Create GitHub release
-    needs: [release_metadata, update_changelog]
+  github_release:
+    name: GitHub release
+    needs: [release_prepare, changelog_update]
     runs-on: ubuntu-latest
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
-      - name: Create release
+      - name: GitHub release
         uses: softprops/action-gh-release@v2
         with:
-          tag_name: ${{ needs.release_metadata.outputs.tag_name }}
-          name: ${{ needs.release_metadata.outputs.version_number }}
-          target_commitish: ${{ needs.update_changelog.outputs.changelog_commitish }}
-          body: ${{ needs.release_metadata.outputs.release_notes }}
+          tag_name: ${{ needs.release_prepare.outputs.tag_name }}
+          name: ${{ needs.release_prepare.outputs.version_number }}
+          target_commitish: ${{ needs.changelog_update.outputs.changelog_commitish }}
+          body: ${{ needs.release_prepare.outputs.release_notes }}
 
-  publish_to_pypi:
-    name: Publish to PyPI
-    needs: [release_metadata, update_changelog]
+  pypi_publish:
+    name: PyPI publish
+    needs: [release_prepare, changelog_update]
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -89,8 +89,8 @@ jobs:
         with:
           package_name: crawlee
           is_prerelease: ""
-          version_number: ${{ needs.release_metadata.outputs.version_number }}
-          ref: ${{ needs.update_changelog.outputs.changelog_commitish }}
+          version_number: ${{ needs.release_prepare.outputs.version_number }}
+          ref: ${{ needs.changelog_update.outputs.changelog_commitish }}
       # Publishes the package to PyPI using PyPA official GitHub action with OIDC authentication.
       - name: Publish package to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1

.github/workflows/manual_release_stable.yaml

@@ -1,38 +1,108 @@
 name: CI (master)
 
 on:
-  # Runs on every push to the master branch.
   push:
     branches:
       - master
     tags-ignore:
-      - "**"  # Ignore all tags to avoid duplicate executions triggered by tag pushes.
+      - "**" # Ignore all tags to avoid duplicate executions triggered by tag pushes.
+
+concurrency:
+  group: release
+  cancel-in-progress: false
 
 jobs:
   doc_checks:
     name: Doc checks
     uses: ./.github/workflows/_check_docs.yaml
-    secrets: inherit
+    secrets:
+      APIFY_SIGNING_TOKEN: ${{ secrets.APIFY_SIGNING_TOKEN }}
+
+  doc_release:
+    # Skip this for non-docs commits and forks.
+    if: "startsWith(github.event.head_commit.message, 'docs') && startsWith(github.repository, 'apify/')"
+    name: Doc release
+    needs: [doc_checks]
+    uses: ./.github/workflows/_release_docs.yaml
+    with:
+      # Use the same ref as the one that triggered the workflow.
+      ref: ${{ github.ref }}
+    secrets:
+      APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN: ${{ secrets.APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN }}
+      APIFY_SIGNING_TOKEN: ${{ secrets.APIFY_SIGNING_TOKEN }}
+      SEGMENT_TOKEN: ${{ secrets.SEGMENT_TOKEN }}
 
   code_checks:
     name: Code checks
     uses: ./.github/workflows/_check_code.yaml
 
   tests:
+    # Skip this for "ci" and "docs" commits.
+    if: "!startsWith(github.event.head_commit.message, 'ci') && !startsWith(github.event.head_commit.message, 'docs')"
     name: Tests
     uses: ./.github/workflows/_tests.yaml
-    secrets: inherit
+    secrets:
+      APIFY_HTTPBIN_TOKEN: ${{ secrets.APIFY_HTTPBIN_TOKEN }}
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
-  pre_release:
-    name: Pre-release
+  release_prepare:
+    # Skip this for "ci", "docs" and "test" commits and for forks.
+    if: "!startsWith(github.event.head_commit.message, 'ci') && !startsWith(github.event.head_commit.message, 'docs') && !startsWith(github.event.head_commit.message, 'test') && startsWith(github.repository, 'apify/')"
+    name: Release prepare
     needs: [code_checks, tests]
-    uses: ./.github/workflows/_release_pre.yaml
-    secrets: inherit
+    runs-on: ubuntu-latest
+    outputs:
+      version_number: ${{ steps.release_prepare.outputs.version_number }}
+      tag_name: ${{ steps.release_prepare.outputs.tag_name }}
+      changelog: ${{ steps.release_prepare.outputs.changelog }}
+    steps:
+      - uses: apify/workflows/git-cliff-release@main
+        id: release_prepare
+        name: Release prepare
+        with:
+          release_type: prerelease
+          existing_changelog_path: CHANGELOG.md
 
-  release_docs:
-    name: Doc release
-    needs: [doc_checks, pre_release]
+  changelog_update:
+    name: Changelog update
+    needs: [release_prepare]
+    uses: apify/workflows/.github/workflows/python_bump_and_update_changelog.yaml@main
+    with:
+      version_number: ${{ needs.release_prepare.outputs.version_number }}
+      changelog: ${{ needs.release_prepare.outputs.changelog }}
+    secrets:
+      APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN: ${{ secrets.APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN }}
+
+  pypi_publish:
+    name: PyPI publish
+    needs: [release_prepare, changelog_update]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write # Required for OIDC authentication.
+    environment:
+      name: pypi
+      url: https://pypi.org/project/crawlee
+    steps:
+      - name: Prepare distribution
+        uses: apify/workflows/prepare-pypi-distribution@main
+        with:
+          package_name: crawlee
+          is_prerelease: "yes"
+          version_number: ${{ needs.release_prepare.outputs.version_number }}
+          ref: ${{ needs.changelog_update.outputs.changelog_commitish }}
+
+      - name: Publish package to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+  doc_release_post_publish:
+    name: Doc release post publish
+    needs: [changelog_update, pypi_publish]
     uses: ./.github/workflows/_release_docs.yaml
     with:
-      ref: ${{ needs.pre_release.outputs.changelog_commitish }}
-    secrets: inherit
+      # Use the ref from the changelog update to include the updated changelog.
+      ref: ${{ needs.changelog_update.outputs.changelog_commitish }}
+    secrets:
+      APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN: ${{ secrets.APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN }}
+      APIFY_SIGNING_TOKEN: ${{ secrets.APIFY_SIGNING_TOKEN }}
+      SEGMENT_TOKEN: ${{ secrets.SEGMENT_TOKEN }}

.github/workflows/on_master.yaml

@@ -5,8 +5,8 @@ on:
   pull_request:
 
 jobs:
-  check_pr_title:
-    name: Check PR title
+  pr_title_check:
+    name: PR title check
     runs-on: ubuntu-latest
     steps:
       - uses: amannn/[email protected]
@@ -16,7 +16,8 @@ jobs:
   doc_checks:
     name: Doc checks
     uses: ./.github/workflows/_check_docs.yaml
-    secrets: inherit
+    secrets:
+      APIFY_SIGNING_TOKEN: ${{ secrets.APIFY_SIGNING_TOKEN }}
 
   code_checks:
     name: Code checks
@@ -25,4 +26,6 @@ jobs:
   tests:
     name: Tests
     uses: ./.github/workflows/_tests.yaml
-    secrets: inherit
+    secrets:
+      APIFY_HTTPBIN_TOKEN: ${{ secrets.APIFY_HTTPBIN_TOKEN }}
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/on_pull_request.yaml

@@ -8,6 +8,10 @@ on:
   schedule:
     - cron: '0 6 * * *'
 
+concurrency:
+  group: scheduled-tests
+  cancel-in-progress: false
+
 env:
   NODE_VERSION: 22
   PYTHON_VERSION: 3.14