ci: split publish-to-pypi and push-tag jobs

This way each job only gets the permissions it needs.

Author: bluetech

.github/workflows/deploy.yml

@@ -35,20 +35,15 @@ jobs:
       with:
         attest-build-provenance-github: 'true'
 
-  deploy:
+  publish-to-pypi:
     if: github.repository == 'pytest-dev/pytest'
     needs: [package]
     runs-on: ubuntu-latest
     environment: deploy
     timeout-minutes: 30
     permissions:
       id-token: write
-      contents: write
     steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: true
-
     - name: Download Package
       uses: actions/download-artifact@v6
       with:
@@ -60,6 +55,18 @@ jobs:
       with:
         attestations: true
 
+  push-tag:
+    needs: [publish-to-pypi]
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: write
+    steps:
+    - uses: actions/checkout@v5
+      with:
+        fetch-depth: 0
+        persist-credentials: true
+
     - name: Push tag
       env:
           VERSION: ${{ github.event.inputs.version }}
@@ -105,7 +112,7 @@ jobs:
         retention-days: 1
 
   create-github-release:
-    needs: [generate-gh-release-notes, deploy]
+    needs: [push-tag, generate-gh-release-notes]
     runs-on: ubuntu-latest
     timeout-minutes: 10
     permissions:

RELEASING.rst

@@ -133,7 +133,7 @@ Releasing
 
 Both automatic and manual processes described above follow the same steps from this point onward.
 
-#. After all tests pass and the PR has been approved, trigger the ``deploy`` job
+#. After all tests pass and the PR has been approved, trigger the ``deploy`` workflow
    in https://github.com/pytest-dev/pytest/actions/workflows/deploy.yml, using the ``release-MAJOR.MINOR.PATCH`` branch
    as source.