ci: Gate manual release workflows on wait-for-checks (#826)

## Summary

Ports the CI consolidation and `wait-for-checks` adoption from
`crawlee-python` to `apify-client-python`. See
[apify/crawlee-python#1913](apify/crawlee-python#1913)
for the original rationale and PR description; the follow-up permission
fixes from [#1914](apify/crawlee-python#1914)
and [#1915](apify/crawlee-python#1915) are baked
in here.

Two commits:

1. **Consolidate check workflows into a single Checks workflow** —
merges `_check_code.yaml`, `_check_docs.yaml`, `_check_docstrings.yaml`,
`_check_package.yaml`, and `_tests.yaml` into a single `_checks.yaml`.
Every check now carries the shared `Checks /` prefix. `unit_tests` and
`integration_tests` are gated on a `run_tests` input so `on_master.yaml`
can keep skipping tests for docs-only commits.
2. **Gate manual release workflows on wait-for-checks** — replaces the
inline `code_checks` step in `manual_release_stable.yaml` /
`manual_release_beta.yaml` / `manual_release_docs.yaml` /
`manual_version_docs.yaml` with an
`apify/actions/wait-for-checks@v1.2.0` step that verifies the `Checks`
workflow already passed on the dispatch commit (it runs via
`on_master.yaml` on every push). Every reusable-workflow caller that
ends up requesting `checks: read` (docs jobs in `on_master.yaml`,
`version_docs` / `doc_release` in `manual_release_stable.yaml`,
`doc_release_post_publish` in `manual_release_beta.yaml`) explicitly
grants the permission, since reusable workflows are capped at the
caller's permission set.

Author: vdusek

.github/workflows/_check_code.yaml

@@ -0,0 +1,182 @@
+name: Checks
+
+on:
+  # Runs when manually triggered from the GitHub UI.
+  workflow_dispatch:
+    inputs:
+      run_tests:
+        description: Whether to run the test suites (unit, integration).
+        required: false
+        type: boolean
+        default: true
+
+  # Runs when invoked by another workflow.
+  workflow_call:
+    inputs:
+      run_tests:
+        description: Whether to run the test suites (unit, integration).
+        required: false
+        type: boolean
+        default: true
+
+permissions:
+  contents: read
+
+env:
+  PYTHON_VERSION: 3.14
+
+jobs:
+  actions_lint_check:
+    name: Actions lint check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Run actionlint
+        uses: rhysd/actionlint@v1.7.11
+
+  spell_check:
+    name: Spell check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Check spelling with typos
+        uses: crate-ci/typos@v1
+
+  lint_check:
+    name: Lint check
+    uses: apify/workflows/.github/workflows/python_lint_check.yaml@main
+    with:
+      python_versions: '["3.11", "3.12", "3.13", "3.14"]'
+
+  type_check:
+    name: Type check
+    uses: apify/workflows/.github/workflows/python_type_check.yaml@main
+    with:
+      python_versions: '["3.11", "3.12", "3.13", "3.14"]'
+
+  docstrings_check:
+    name: Docstrings check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Set up uv package manager
+        uses: astral-sh/setup-uv@v7
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Install dependencies
+        run: uv run poe install-dev
+
+      - name: Async docstrings check
+        run: uv run poe check-docstrings
+
+  unit_tests:
+    name: Unit tests
+    if: inputs.run_tests
+    uses: apify/workflows/.github/workflows/python_unit_tests.yaml@main
+    secrets: inherit
+    with:
+      python_versions: '["3.11", "3.12", "3.13", "3.14"]'
+      operating_systems: '["ubuntu-latest", "windows-latest"]'
+      python_version_for_codecov: "3.14"
+      operating_system_for_codecov: ubuntu-latest
+      tests_concurrency: "16"
+
+  # Integration tests are inlined (not calling the reusable workflow) to avoid GitHub's compile-time secret
+  # validation for nested reusable workflows, which fails on fork PRs where repo secrets are not available.
+  integration_tests:
+    name: Integration tests (${{ matrix.python-version }}, ${{ matrix.os }})
+    if: >-
+      ${{
+        inputs.run_tests && (
+          (github.event_name == 'pull_request' && github.event.pull_request.head.repo.owner.login == 'apify') ||
+          (github.event_name == 'push' && github.ref == 'refs/heads/master') ||
+          github.event_name == 'workflow_dispatch'
+        )
+      }}
+
+    strategy:
+      matrix:
+        os: ["ubuntu-latest"]
+        python-version: ["3.11", "3.14"]
+
+    runs-on: ${{ matrix.os }}
+
+    env:
+      TESTS_CONCURRENCY: "16"
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Set up uv package manager
+        uses: astral-sh/setup-uv@v7
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install Python dependencies
+        run: uv run poe install-dev
+
+      - name: Run integration tests
+        run: uv run poe integration-tests-cov
+        env:
+          APIFY_TEST_USER_API_TOKEN: ${{ secrets.APIFY_TEST_USER_PYTHON_SDK_API_TOKEN }}
+          APIFY_TEST_USER_2_API_TOKEN: ${{ secrets.APIFY_TEST_USER_2_API_TOKEN }}
+
+      - name: Upload integration test coverage
+        if: >-
+          ${{
+            matrix.os == 'ubuntu-latest' &&
+            matrix.python-version == '3.14' &&
+            env.CODECOV_TOKEN != ''
+          }}
+        uses: codecov/codecov-action@v6
+        with:
+          token: ${{ env.CODECOV_TOKEN }}
+          files: coverage-integration.xml
+          flags: integration
+
+  package_check:
+    name: Package check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Set up uv package manager
+        uses: astral-sh/setup-uv@v8.1.0
+        with:
+          python-version: "3.14"
+
+      - name: Build sdist and wheel
+        run: uv run poe build
+
+      - name: Verify built package
+        uses: apify/actions/python-package-check@v1.1.0
+        with:
+          package_name: apify_client
+          dist_dir: dist
+          python_version: "3.14"
+          smoke_code: |
+            from apify_client import ApifyClient, ApifyClientAsync
+            ApifyClient(token='x')
+            ApifyClientAsync(token='x')
+
+  doc_check:
+    name: Doc check
+    uses: apify/workflows/.github/workflows/python_docs_check.yaml@main