ci: Gate manual release workflows on wait-for-checks (#907)

## Summary

Ports the CI consolidation and `wait-for-checks` adoption from
`crawlee-python` to `apify-sdk-python`. See
[apify/crawlee-python#1913](apify/crawlee-python#1913)
for the original rationale and PR description; the follow-up permission
fixes from [#1914](apify/crawlee-python#1914)
and [#1915](apify/crawlee-python#1915) are baked
in here.

Two commits:

1. **Consolidate check workflows into a single Checks workflow** —
merges `_check_code.yaml`, `_check_docs.yaml`, `_check_package.yaml`,
and `_tests.yaml` into a single `_checks.yaml`. Every check now carries
the shared `Checks /` prefix. `unit_tests`, `integration_tests`, and
`e2e_tests` are gated on a `run_tests` input so `on_master.yaml` can
keep skipping tests for docs-only commits.
2. **Gate manual release workflows on wait-for-checks** — replaces the
inline `code_checks` step in `manual_release_stable.yaml` /
`manual_release_beta.yaml` / `manual_release_docs.yaml` /
`manual_version_docs.yaml` with an
`apify/actions/wait-for-checks@v1.2.0` step that verifies the `Checks`
workflow already passed on the dispatch commit (it runs via
`on_master.yaml` on every push). Every reusable-workflow caller that
ends up requesting `checks: read` (docs jobs in `on_master.yaml`,
`version_docs` / `doc_release` in `manual_release_stable.yaml`,
`doc_release_post_publish` in `manual_release_beta.yaml`) explicitly
grants the permission, since reusable workflows are capped at the
caller's permission set.

Author: vdusek

.github/workflows/_check_code.yaml

@@ -1,18 +1,61 @@
-name: Tests
+name: Checks
 
 on:
   # Runs when manually triggered from the GitHub UI.
   workflow_dispatch:
+    inputs:
+      run_tests:
+        description: Whether to run the test suites (unit, integration, E2E).
+        required: false
+        type: boolean
+        default: true
 
   # Runs when invoked by another workflow.
   workflow_call:
+    inputs:
+      run_tests:
+        description: Whether to run the test suites (unit, integration, E2E).
+        required: false
+        type: boolean
+        default: true
 
 permissions:
   contents: read
 
 jobs:
+  actions_lint_check:
+    name: Actions lint check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Run actionlint
+        uses: rhysd/actionlint@v1.7.11
+
+  spell_check:
+    name: Spell check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Check spelling with typos
+        uses: crate-ci/typos@v1
+
+  lint_check:
+    name: Lint check
+    uses: apify/workflows/.github/workflows/python_lint_check.yaml@main
+    with:
+      python_versions: '["3.10", "3.11", "3.12", "3.13", "3.14"]'
+
+  type_check:
+    name: Type check
+    uses: apify/workflows/.github/workflows/python_type_check.yaml@main
+    with:
+      python_versions: '["3.10", "3.11", "3.12", "3.13", "3.14"]'
+
   unit_tests:
     name: Unit tests
+    if: inputs.run_tests
     uses: apify/workflows/.github/workflows/python_unit_tests.yaml@main
     secrets: inherit
     with:
@@ -27,9 +70,11 @@ jobs:
 
     if: >-
       ${{
-        (github.event_name == 'pull_request' && github.event.pull_request.head.repo.owner.login == 'apify') ||
-        (github.event_name == 'push' && github.ref == 'refs/heads/master') ||
-        github.event_name == 'workflow_dispatch'
+        inputs.run_tests && (
+          (github.event_name == 'pull_request' && github.event.pull_request.head.repo.owner.login == 'apify') ||
+          (github.event_name == 'push' && github.ref == 'refs/heads/master') ||
+          github.event_name == 'workflow_dispatch'
+        )
       }}
 
     strategy:
@@ -85,9 +130,11 @@ jobs:
 
     if: >-
       ${{
-        (github.event_name == 'pull_request' && github.event.pull_request.head.repo.owner.login == 'apify') ||
-        (github.event_name == 'push' && github.ref == 'refs/heads/master') ||
-        github.event_name == 'workflow_dispatch'
+        inputs.run_tests && (
+          (github.event_name == 'pull_request' && github.event.pull_request.head.repo.owner.login == 'apify') ||
+          (github.event_name == 'push' && github.ref == 'refs/heads/master') ||
+          github.event_name == 'workflow_dispatch'
+        )
       }}
 
     strategy:
@@ -137,3 +184,33 @@ jobs:
           token: ${{ env.CODECOV_TOKEN }}
           files: coverage-e2e.xml
           flags: e2e
+
+  package_check:
+    name: Package check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Set up uv package manager
+        uses: astral-sh/setup-uv@v8.1.0
+        with:
+          python-version: "3.14"
+
+      - name: Build sdist and wheel
+        run: uv run poe build
+
+      - name: Verify built package
+        uses: apify/actions/python-package-check@v1.1.0
+        with:
+          package_name: apify
+          dist_dir: dist
+          python_version: "3.14"
+          smoke_code: |
+            from apify import Actor, Configuration, ProxyConfiguration
+            Configuration()
+            ProxyConfiguration()
+
+  doc_check:
+    name: Doc check
+    uses: apify/workflows/.github/workflows/python_docs_check.yaml@main

.github/workflows/_check_docs.yaml

@@ -16,8 +16,22 @@ permissions:
   contents: read
 
 jobs:
+  wait_for_checks:
+    # Gate the release on the `Checks` workflow already succeeding on this commit (run by `on_master.yaml`).
+    name: Wait for required checks
+    runs-on: ubuntu-latest
+    permissions:
+      checks: read
+    steps:
+      - name: Wait for checks
+        uses: apify/actions/wait-for-checks@v1.2.0
+        with:
+          ref: ${{ github.sha }}
+          check-regexp: '^Checks'
+
   release_prepare:
     name: Release prepare
+    needs: [wait_for_checks]
     runs-on: ubuntu-latest
     outputs:
       version_number: ${{ steps.release_prepare.outputs.version_number }}
@@ -82,5 +96,6 @@ jobs:
       contents: write
       pages: write
       id-token: write
+      checks: read
     uses: ./.github/workflows/manual_release_docs.yaml
     secrets: inherit

.github/workflows/_check_package.yaml

@@ -23,9 +23,19 @@ jobs:
       contents: write
       pages: write
       id-token: write
+      checks: read
     runs-on: ubuntu-latest
 
     steps:
+      # Gate manual dispatches on the `Checks` workflow already succeeding on this commit (run by `on_master.yaml`);
+      # skipped when called from another workflow.
+      - name: Wait for checks
+        if: github.event_name == 'workflow_dispatch'
+        uses: apify/actions/wait-for-checks@v1.2.0
+        with:
+          ref: ${{ github.sha }}
+          check-regexp: '^Checks'
+
       - name: Checkout repository
         uses: actions/checkout@v6
         with:

.github/workflows/_tests.yaml .github/workflows/_checks.yaml.github/workflows/_tests.yaml renamed to .github/workflows/_checks.yaml

@@ -29,13 +29,22 @@ permissions:
   contents: read
 
 jobs:
-  code_checks:
-    name: Code checks
-    uses: ./.github/workflows/_check_code.yaml
+  wait_for_checks:
+    # Gate the release on the `Checks` workflow already succeeding on this commit (run by `on_master.yaml`).
+    name: Wait for required checks
+    runs-on: ubuntu-latest
+    permissions:
+      checks: read
+    steps:
+      - name: Wait for checks
+        uses: apify/actions/wait-for-checks@v1.2.0
+        with:
+          ref: ${{ github.sha }}
+          check-regexp: '^Checks'
 
   release_prepare:
     name: Release prepare
-    needs: [code_checks]
+    needs: [wait_for_checks]
     runs-on: ubuntu-latest
     outputs:
       version_number: ${{ steps.release_prepare.outputs.version_number }}
@@ -118,6 +127,7 @@ jobs:
     needs: [release_prepare, changelog_update, pypi_publish]
     permissions:
       contents: write
+      checks: read
     uses: ./.github/workflows/manual_version_docs.yaml
     with:
       # Pass the bumped version explicitly — the job's checkout uses the dispatch ref (pre-bump),
@@ -132,6 +142,7 @@ jobs:
       contents: write
       pages: write
       id-token: write
+      checks: read
     uses: ./.github/workflows/manual_release_docs.yaml
     secrets: inherit
 

.github/workflows/manual_release_beta.yaml

@@ -36,12 +36,22 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      checks: read
 
     defaults:
       run:
         working-directory: website
 
     steps:
+      # Gate manual dispatches on the `Checks` workflow already succeeding on this commit (run by `on_master.yaml`);
+      # skipped when called from another workflow.
+      - name: Wait for checks
+        if: github.event_name == 'workflow_dispatch'
+        uses: apify/actions/wait-for-checks@v1.2.0
+        with:
+          ref: ${{ github.sha }}
+          check-regexp: '^Checks'
+
       - name: Checkout repository
         uses: actions/checkout@v6
         with:

.github/workflows/manual_release_docs.yaml

@@ -11,33 +11,27 @@ permissions:
   contents: read
 
 jobs:
-  doc_checks:
-    name: Doc checks
-    uses: ./.github/workflows/_check_docs.yaml
+  checks:
+    name: Checks
+    uses: ./.github/workflows/_checks.yaml
+    with:
+      # Skip the test suites for docs-only commits — they don't change runtime behavior.
+      run_tests: ${{ !startsWith(github.event.head_commit.message, 'docs') }}
+    secrets: inherit
 
   doc_release:
     # Skip this for non-"docs" commits.
     if: startsWith(github.event.head_commit.message, 'docs')
     name: Doc release
-    needs: [doc_checks]
+    needs: [checks]
     permissions:
       contents: write
       pages: write
       id-token: write
+      checks: read
     uses: ./.github/workflows/manual_release_docs.yaml
     secrets: inherit
 
-  code_checks:
-    name: Code checks
-    uses: ./.github/workflows/_check_code.yaml
-
-  tests:
-    # Skip this for "docs" commits.
-    if: "!startsWith(github.event.head_commit.message, 'docs')"
-    name: Tests
-    uses: ./.github/workflows/_tests.yaml
-    secrets: inherit
-
   # The beta release is dispatched as a separate workflow run (instead of calling `manual_release_beta.yaml` via `uses:`)
   # because PyPI's Trusted Publishing does not currently support reusable workflows.
   # See: https://docs.pypi.org/trusted-publishers/troubleshooting/#reusable-workflows-on-github
@@ -50,7 +44,7 @@ jobs:
       startsWith(github.event.head_commit.message, 'refactor') ||
       startsWith(github.event.head_commit.message, 'style')
     name: Beta release
-    needs: [code_checks, tests]
+    needs: [checks]
     runs-on: ubuntu-latest
     permissions:
       actions: write # Required by execute-workflow.