Use separate GitHub environment for deploy workflows

[bluetech]

Reading this page https://docs.pypi.org/trusted-publishers/security-model/#considerations they mention:

Use a dedicated environment: GitHub Actions supports "environments," which can be used to isolate secrets to specific workflows. OIDC publishing doesn't use any pre-configured secrets, but a dedicated publish or deploy environment is a general best practice.

Dedicated environments allow for additional protections like required reviewers, which can be used to require manual approval for a workflow using the environment.

Seems like a good idea to segregate the deployment secrets to their own environment and add required reviewers (probably pytest core?) to better protect our releases.

I can try to set it up before the next release (#10869) if we agree.

[RonnyPfannschmidt]

Absolutely

[nicoddemus]

Definitely, thanks @bluetech!

[bluetech]

I created the "deploy" environment with the following protection rules:

1. Review required by pytest-dev/core
2. Can only deploy from x.y.z branches.

Unfortunately I forgot that in order to add a new environment secret I need to be able to generate a new PyPI API token, for which I don't have access. If one of the maintainers with PyPI access can add a PYPI_TOKEN secret to the "deploy" environment, that'd be great. That would require going to pytest's PyPI setting and adding an API token there.

[RonnyPfannschmidt]

@bluetech @nicoddemus i think its going to be practical to solve #10870 at the same time by configuring a publisher for the environment instead of creating a token - if everyone agrees i'll add the config to pytest

[bluetech]

👍

[RonnyPfannschmidt]

@bluetech the publisher is created, as far as i understand, the next steps involve configuring the environment of the deploy workflow as well as adding the correct id permissions for openid-connect