ci: generate github release notes separately from creating github release

Since creating the github release is security sensitive, better to
isolate the part of generating the markdown release notes in its own
job, such that if e.g. pip/tox/pandoc is compromised it could not in
turn compromise the release files.

Author: bluetech

.github/workflows/deploy.yml

@@ -35,9 +35,47 @@ jobs:
       with:
         attest-build-provenance-github: 'true'
 
+  generate-gh-release-notes:
+    needs: [package]
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read
+    steps:
+    - uses: actions/checkout@v5
+      with:
+        fetch-depth: 0
+        persist-credentials: false
+
+    - name: Set up Python
+      uses: actions/setup-python@v6
+      with:
+        python-version: "3.11"
+
+    - name: Install tox
+      run: |
+        python -m pip install --upgrade pip
+        pip install --upgrade tox
+
+    - name: Generate release notes
+      env:
+        VERSION: ${{ github.event.inputs.version }}
+      run: |
+        sudo apt-get install pandoc
+        tox -e generate-gh-release-notes -- "$VERSION" gh-release-notes.md
+
+    - name: Upload release notes
+      uses: actions/upload-artifact@v4
+      with:
+        name: release-notes
+        path: gh-release-notes.md
+        retention-days: 1
+
   deploy:
     if: github.repository == 'pytest-dev/pytest'
-    needs: [package]
+    # Need generate-gh-release-notes only for ordering.
+    # Don't want to release to PyPI if generating GitHub release notes fails.
+    needs: [package, generate-gh-release-notes]
     runs-on: ubuntu-latest
     environment: deploy
     timeout-minutes: 30
@@ -69,48 +107,28 @@ jobs:
         git tag --annotate --message=v"$VERSION" "$VERSION" ${{ github.sha }}
         git push origin "$VERSION"
 
-  release-notes:
-
-    # todo: generate the content in the build  job
-    #       the goal being of using a github action script to push the release data
-    #       after success instead of creating a complete python/tox env
-    needs: [deploy]
+  create-github-release:
+    needs: [generate-gh-release-notes, deploy]
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 10
     permissions:
       contents: write
     steps:
-    - uses: actions/checkout@v5
-      with:
-        fetch-depth: 0
-        persist-credentials: false
-
     - name: Download Package
       uses: actions/download-artifact@v6
       with:
         name: Packages
         path: dist
 
-    - name: Set up Python
-      uses: actions/setup-python@v6
+    - name: Download release notes
+      uses: actions/download-artifact@v6
       with:
-        python-version: "3.11"
-
-    - name: Install tox
-      run: |
-        python -m pip install --upgrade pip
-        pip install --upgrade tox
-
-    - name: Generate release notes
-      env:
-        VERSION: ${{ github.event.inputs.version }}
-      run: |
-        sudo apt-get install pandoc
-        tox -e generate-gh-release-notes -- "$VERSION" scripts/latest-release-notes.md
+        name: release-notes
+        path: .
 
     - name: Publish GitHub Release
       env:
         VERSION: ${{ github.event.inputs.version }}
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
-        gh release create --notes-file scripts/latest-release-notes.md --verify-tag "$VERSION" dist/*
+        gh release create --notes-file gh-release-notes.md --verify-tag "$VERSION" dist/*