ci: split publish-to-pypi and push-tag jobs

bluetech · bluetech · commit a250954723ed · 2025-11-04T20:42:14.000+02:00
This way each job only gets the permissions it needs.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -70,7 +70,7 @@ jobs:
         path: gh-release-notes.md
         retention-days: 1
 
-  deploy:
+  publish-to-pypi:
     if: github.repository == 'pytest-dev/pytest'
     # Need generate-gh-release-notes only for ordering.
     # Don't want to release to PyPI if generating GitHub release notes fails.
@@ -80,12 +80,7 @@ jobs:
     timeout-minutes: 30
     permissions:
       id-token: write
-      contents: write
     steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: true
-
     - name: Download Package
       uses: actions/download-artifact@v6
       with:
@@ -97,6 +92,18 @@ jobs:
       with:
         attestations: true
 
+  push-tag:
+    needs: [publish-to-pypi]
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: write
+    steps:
+    - uses: actions/checkout@v5
+      with:
+        fetch-depth: 0
+        persist-credentials: true
+
     - name: Push tag
       env:
           VERSION: ${{ github.event.inputs.version }}
@@ -107,7 +114,7 @@ jobs:
         git push origin "$VERSION"
 
   create-github-release:
-    needs: [generate-gh-release-notes, deploy]
+    needs: [push-tag, generate-gh-release-notes]
     runs-on: ubuntu-latest
     timeout-minutes: 10
     permissions:
diff --git a/RELEASING.rst b/RELEASING.rst
@@ -133,7 +133,7 @@ Releasing
 
 Both automatic and manual processes described above follow the same steps from this point onward.
 
-#. After all tests pass and the PR has been approved, trigger the ``deploy`` job
+#. After all tests pass and the PR has been approved, trigger the ``deploy`` workflow
    in https://github.com/pytest-dev/pytest/actions/workflows/deploy.yml, using the ``release-MAJOR.MINOR.PATCH`` branch
    as source.
 
