ci: dispatch beta release via execute-workflow instead of inlining (#890)

Replaces the inlined beta release jobs in `on_master.yaml` with a single
job that dispatches `manual_release_beta.yaml` via
`apify/workflows/execute-workflow@main`. The dispatched run is a regular
`workflow_dispatch` (not a reusable workflow call), so PyPI's Trusted
Publishing accepts the OIDC token, and the duplication is gone.

Also adds a `concurrency: release` group to `manual_release_beta.yaml`
so two rapid pushes to master cannot race on the version bump and PyPI
publish.

Same pattern as `apify-client-js`, `apify-sdk-js`, `apify-cli`, and
`crawlee`.

Author: vdusek

.github/workflows/manual_release_beta.yaml

@@ -1,11 +1,16 @@
 name: Beta release
 
 on:
-  # Runs when manually triggered from the GitHub UI.
+  # Runs when manually triggered from the GitHub UI, or dispatched from `on_master.yaml`
+  # via the `apify/workflows/execute-workflow` action for the automatic beta release on push to master.
+  # Note: This workflow is intentionally NOT a reusable workflow (no `workflow_call`) because PyPI's
+  # Trusted Publishing does not currently support reusable workflows.
+  # See: https://docs.pypi.org/trusted-publishers/troubleshooting/#reusable-workflows-on-github
   workflow_dispatch:
 
-  # Runs when invoked by another workflow.
-  workflow_call:
+concurrency:
+  group: release
+  cancel-in-progress: false
 
 permissions:
   contents: read
@@ -16,7 +21,6 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       version_number: ${{ steps.release_prepare.outputs.version_number }}
-      tag_name: ${{ steps.release_prepare.outputs.tag_name }}
       changelog: ${{ steps.release_prepare.outputs.changelog }}
     steps:
       - uses: apify/workflows/git-cliff-release@main

.github/workflows/on_master.yaml

@@ -45,6 +45,9 @@ jobs:
     uses: ./.github/workflows/_tests.yaml
     secrets: inherit
 
+  # The beta release is dispatched as a separate workflow run (instead of calling `manual_release_beta.yaml` via `uses:`)
+  # because PyPI's Trusted Publishing does not currently support reusable workflows.
+  # See: https://docs.pypi.org/trusted-publishers/troubleshooting/#reusable-workflows-on-github
   beta_release:
     # Run this only for "feat", "fix", "perf", "refactor" and "style" commits.
     if: >-
@@ -55,9 +58,11 @@ jobs:
       startsWith(github.event.head_commit.message, 'style')
     name: Beta release
     needs: [code_checks, tests]
+    runs-on: ubuntu-latest
     permissions:
-      contents: write
-      id-token: write
-      pages: write
-    uses: ./.github/workflows/manual_release_beta.yaml
-    secrets: inherit
+      actions: write # Required by execute-workflow.
+    steps:
+      - name: Dispatch beta release workflow
+        uses: apify/workflows/execute-workflow@main
+        with:
+          workflow: manual_release_beta.yaml