split deploy step into 3 to manage permissions

* the build step builds using baipp
* the deploy step does only the pypi upload
* the release-notes step udpdates the release notes

## needed followups

* [ ] upstream release from artifact to pypi-publish
* [ ] generate content of release notes in baipp step

.github/workflows/deploy.yml

@@ -13,39 +13,55 @@ on:
 permissions: {}
 
 jobs:
-
-  deploy:
-    if: github.repository == 'pytest-dev/pytest'
-
+  build:
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 10
     environment: deploy
-    permissions:
-      contents: write
-      id-token: write # for pypi oidc publish
-
     steps:
     - uses: actions/checkout@v3
       with:
         fetch-depth: 0
         persist-credentials: false
-
     - name: Build and Check Package
       uses: hynek/build-and-inspect-python-package@v1.5
 
+  deploy:
+    if: github.repository == 'pytest-dev/pytest'
+    needs: [build]
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    environment: deploy
+    permissions:
+      id-token: write # for pypi oidc publish
+    steps:
     - name: Download Package
       uses: actions/download-artifact@v3
       with:
         name: Packages
         path: dist
-
     - name: Publish package to PyPI
       uses: pypa/gh-action-pypi-publish@release/v1
 
+  release-notes:
+
+    # todo: generate the content in the build  job
+    #       the goal being of using a github action script to push the release data
+    #       after success instead of creating a complete python/tox env
+    needs: [deploy]
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    environment: deploy
+    permissions:
+      contents: write
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v4
       with:
-        python-version: "3.7"
+        python-version: "3.8"
 
     - name: Install tox
       run: |