ci(release): run changelog extraction in build job to gate PyPI publish

Move the AWK-based changelog extraction from the post-publish
github-release job into the build job, so a missing or unrenamed
"## Unreleased" entry fails before any PyPI upload runs. Previously the
extraction lived after publish-to-pypi, meaning a forgotten rename
would happily ship the package and only then fail when trying to build
a GitHub Release — a state that required manual cleanup.

Since publish-to-pypi and publish-to-testpypi both depend on build,
failing the new step transitively blocks every downstream job. No
changes are needed in the PyPI jobs themselves.

Changes:
- build job gets two gated steps (if: startsWith(github.ref, 'refs/tags/')):
  "Extract changelog for tagged release" (runs AWK against CHANGELOG.md,
  fails fast on empty output) and "Upload release notes" (publishes
  release-notes.md as a dedicated artifact).
- github-release job drops the checkout step (no longer needs
  CHANGELOG.md on disk) and the duplicate extract step, and adds a
  "Download release notes" step to consume the new artifact.
- The gh release create invocation is unchanged —
  --notes-file release-notes.md works the same regardless of where the
  file comes from.

Author: oliverandrich

.github/workflows/release.yml

@@ -29,6 +29,29 @@ jobs:
       with:
         name: python-package-distributions
         path: dist/
+    - name: Extract changelog for tagged release
+      if: startsWith(github.ref, 'refs/tags/')
+      run: |
+        VERSION="${{ github.ref_name }}"
+        VERSION="${VERSION#v}"
+        awk "
+          /^## ${VERSION}/ { found=1; next }
+          found && /^## / { exit }
+          found { print }
+        " CHANGELOG.md > release-notes.md
+        if [[ ! -s release-notes.md ]]; then
+          echo "::error::No changelog section found for version ${VERSION}."
+          echo "::error::Did you forget to rename '## Unreleased' in CHANGELOG.md before tagging?"
+          exit 1
+        fi
+        echo "--- Extracted release notes ---"
+        cat release-notes.md
+    - name: Upload release notes
+      if: startsWith(github.ref, 'refs/tags/')
+      uses: actions/upload-artifact@v7
+      with:
+        name: release-notes
+        path: release-notes.md
 
   publish-to-pypi:
     name: >-
@@ -64,37 +87,21 @@ jobs:
       id-token: write  # IMPORTANT: mandatory for sigstore
 
     steps:
-    - name: Checkout repository at tag
-      uses: actions/checkout@v6
-      with:
-        ref: ${{ github.ref_name }}
     - name: Download all the dists
       uses: actions/download-artifact@v8
       with:
         name: python-package-distributions
         path: dist/
+    - name: Download release notes
+      uses: actions/download-artifact@v8
+      with:
+        name: release-notes
     - name: Sign the dists with Sigstore
       uses: sigstore/gh-action-sigstore-python@v3.3.0
       with:
         inputs: >-
           ./dist/*.tar.gz
           ./dist/*.whl
-    - name: Extract changelog for this version
-      run: |
-        VERSION="${{ github.ref_name }}"
-        VERSION="${VERSION#v}"
-        awk "
-          /^## ${VERSION}/ { found=1; next }
-          found && /^## / { exit }
-          found { print }
-        " CHANGELOG.md > release-notes.md
-        if [[ ! -s release-notes.md ]]; then
-          echo "::error::No changelog section found for version ${VERSION}."
-          echo "::error::Did you forget to rename '## Unreleased' in CHANGELOG.md before tagging?"
-          exit 1
-        fi
-        echo "--- Extracted release notes ---"
-        cat release-notes.md
     - name: Create GitHub Release
       env:
         GITHUB_TOKEN: ${{ github.token }}