ci: Gate manual release workflows on wait-for-checks

vdusek · claude · vdusek · commit 02a3f03fc844 · 2026-05-26T09:08:12.000+02:00
Replace each release workflow's inline `code_checks` with a `wait-for-checks`
step that verifies the `Checks` workflow already passed on the dispatch
commit (it runs via `on_master.yaml` on every push). Adds the gate to the
stable, beta, docs release, and docs versioning workflows that previously
had none or rebuilt the code checks. Every caller that invokes a workflow
requesting `checks: read` (reusable workflows are capped at the caller's
permissions) explicitly grants it: doc_release in on_master.yaml,
version_docs and doc_release in manual_release_stable.yaml, and
doc_release_post_publish in manual_release_beta.yaml.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/manual_release_beta.yaml b/.github/workflows/manual_release_beta.yaml
@@ -16,8 +16,22 @@ permissions:
   contents: read
 
 jobs:
+  wait_for_checks:
+    # Gate the release on the `Checks` workflow already succeeding on this commit (run by `on_master.yaml`).
+    name: Wait for required checks
+    runs-on: ubuntu-latest
+    permissions:
+      checks: read
+    steps:
+      - name: Wait for checks
+        uses: apify/actions/wait-for-checks@v1.2.0
+        with:
+          ref: ${{ github.sha }}
+          check-regexp: '^Checks'
+
   release_prepare:
     name: Release prepare
+    needs: [wait_for_checks]
     runs-on: ubuntu-latest
     outputs:
       version_number: ${{ steps.release_prepare.outputs.version_number }}
@@ -82,5 +96,6 @@ jobs:
       contents: write
       pages: write
       id-token: write
+      checks: read
     uses: ./.github/workflows/manual_release_docs.yaml
     secrets: inherit
diff --git a/.github/workflows/manual_release_docs.yaml b/.github/workflows/manual_release_docs.yaml
@@ -23,9 +23,19 @@ jobs:
       contents: write
       pages: write
       id-token: write
+      checks: read
     runs-on: ubuntu-latest
 
     steps:
+      # Gate manual dispatches on the `Checks` workflow already succeeding on this commit (run by `on_master.yaml`);
+      # skipped when called from another workflow.
+      - name: Wait for checks
+        if: github.event_name == 'workflow_dispatch'
+        uses: apify/actions/wait-for-checks@v1.2.0
+        with:
+          ref: ${{ github.sha }}
+          check-regexp: '^Checks'
+
       - name: Checkout repository
         uses: actions/checkout@v6
         with:
diff --git a/.github/workflows/manual_release_stable.yaml b/.github/workflows/manual_release_stable.yaml
@@ -29,13 +29,22 @@ permissions:
   contents: read
 
 jobs:
-  code_checks:
-    name: Code checks
-    uses: ./.github/workflows/_check_code.yaml
+  wait_for_checks:
+    # Gate the release on the `Checks` workflow already succeeding on this commit (run by `on_master.yaml`).
+    name: Wait for required checks
+    runs-on: ubuntu-latest
+    permissions:
+      checks: read
+    steps:
+      - name: Wait for checks
+        uses: apify/actions/wait-for-checks@v1.2.0
+        with:
+          ref: ${{ github.sha }}
+          check-regexp: '^Checks'
 
   release_prepare:
     name: Release prepare
-    needs: [code_checks]
+    needs: [wait_for_checks]
     runs-on: ubuntu-latest
     outputs:
       version_number: ${{ steps.release_prepare.outputs.version_number }}
@@ -118,6 +127,7 @@ jobs:
     needs: [release_prepare, changelog_update, pypi_publish]
     permissions:
       contents: write
+      checks: read
     uses: ./.github/workflows/manual_version_docs.yaml
     with:
       # Pass the bumped version explicitly — the job's checkout uses the dispatch ref (pre-bump),
@@ -132,5 +142,6 @@ jobs:
       contents: write
       pages: write
       id-token: write
+      checks: read
     uses: ./.github/workflows/manual_release_docs.yaml
     secrets: inherit
diff --git a/.github/workflows/manual_version_docs.yaml b/.github/workflows/manual_version_docs.yaml
@@ -36,8 +36,18 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      checks: read
 
     steps:
+      # Gate manual dispatches on the `Checks` workflow already succeeding on this commit (run by `on_master.yaml`);
+      # skipped when called from another workflow.
+      - name: Wait for checks
+        if: github.event_name == 'workflow_dispatch'
+        uses: apify/actions/wait-for-checks@v1.2.0
+        with:
+          ref: ${{ github.sha }}
+          check-regexp: '^Checks'
+
       - name: Checkout repository
         uses: actions/checkout@v6
         with:
