Only use 'environment: publish' on the 'publish' job

.github/workflows/publish.yml

@@ -15,11 +15,8 @@ jobs:
   Build:
     name: "Build"
     runs-on: "ubuntu-latest"
-    environment:
-      name: "publish"
     outputs:
       hashes: ${{ steps.hash.outputs.hashes }}
-      pypi-token: ${{ steps.pypi-token.outputs.pypi-token }}
 
     steps:
     - name: "Checkout repository"
@@ -55,16 +52,6 @@ jobs:
         if-no-files-found: error
         retention-days: 5
 
-    # We forward here rather than add the 'publish' job
-    # to the 'publish' GitHub Environment to avoid needing
-    # to approve the execution twice. Since this job is
-    # depended on by the 'publish' job we get the same
-    # security gating.
-    - name: "Forward 'PYPI_TOKEN' to publish job"
-      id: "pypi-token"
-      run: |
-        echo "pypi-token=${{ secrets.PYPI_TOKEN }}" >> $GITHUB_OUTPUT
-
   Provenance:
     needs: ["Build"]
     uses: "slsa-framework/slsa-github-generator/.github/workflows/[email protected]"
@@ -83,6 +70,11 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/')
     needs: ["Build", "Provenance"]
     runs-on: "ubuntu-latest"
+    # This environment gives access to 'secrets.PYPI_TOKEN'
+    # and must be approved by environment reviewers before running.
+    environment:
+      name: "publish"
+
     permissions:
       # contents: write is only needed to upload the
       # dists to the GitHub release.
@@ -107,4 +99,4 @@ jobs:
       uses: "pypa/gh-action-pypi-publish@c7f29f7adef1a245bd91520e94867e5c6eedddcc"
       with:
         user: __token__
-        password: "${{ needs.Build.outputs.pypi-token }}"
+        password: "${{ secrets.PYPI_TOKEN }}"