chore(ci): split test, build, and publish to separate jobs

Mostly for better targeted permissions.

Author: scop

.github/workflows/main.yml

@@ -18,7 +18,7 @@ jobs:
         with:
           python-version: 3.13
       - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
-  build:
+  test:
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -37,24 +37,28 @@ jobs:
         uses: fedora-python/tox-github-action@807f27871410c7391018dc9a245c8cffdced15e9 # v41.0
         with:
           tox_env: ${{ matrix.tox_env }}
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
-        with:
-          cache: pip
-          cache-dependency-path: |
-            requirements-dev.txt
-            setup.py
-  deploy:
-    name: Build and publish to PyPI
+  build:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      id-token: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
       - run: python -m pip install --upgrade build
       - run: python -m build
-      - uses: pypa/gh-action-pypi-publish@release/v1
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        with:
+          name: dist
+          path: dist/
+  publish:
+    runs-on: ubuntu-latest
+    needs: build
+    if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags') }}
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0  # v5.0.0
         with:
-          skip-existing: true
-        if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags') }}
+          name: dist
+          path: dist/
+      - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # v1.13.0