Consolidate check-release and publish-release jobs

To avoid setting `GITHUB_TOKEN` where not needed, this defines it
in `env:` for each individual step that needs it, as elsewhere.
This is more awkward than in the other jobs, since half the steps
use it here, but this may be okay.

Author: EliahKagan

.github/workflows/release.yml

@@ -292,23 +292,25 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-  check-release:
-    name: check-release
+  publish-release:
+    name: publish-release
 
     runs-on: ubuntu-latest
 
     needs: [ create-release, build-release, build-macos-universal2-release ]
 
+    env:
+      REPOSITORY: ${{ github.repository }}
+      VERSION: ${{ needs.create-release.outputs.version }}
+
     steps:
       - name: Discover assets
         run: |
           gh release --repo="$REPOSITORY" view "$VERSION" --json assets --jq '.assets.[].name' > assets.txt
         env:
-          REPOSITORY: ${{ github.repository }}
-          VERSION: ${{ needs.create-release.outputs.version }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Show all asset names
+      - name: Show all individual asset names
         run: cat assets.txt
 
       # The `features` array is repeated because GHA doen't support YAML anchors.
@@ -326,34 +328,33 @@ jobs:
           diff -- <(mask aarch64) <(mask universal)
           diff -- <(mask x86_64) <(mask universal)
 
-  publish-release:
-    name: publish-release
-
-    runs-on: ubuntu-latest
-
-    needs: [ create-release, check-release ]
-
-    env:
-      REPOSITORY: ${{ github.repository }}
-      VERSION: ${{ needs.create-release.outputs.version }}
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Clean up local temporary macOS asset list files
+        run: rm {assets,aarch64,x86_64,universal}.txt
 
-    steps:
-      - name: Retrieve individual checksums
+      - name: Retrieve all individual checksums
         run: gh release --repo="$REPOSITORY" download "$VERSION" --pattern='gitoxide-*.sha256'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Concatenate checksums into one file
         run: cat gitoxide-*.sha256 > hashes.sha256
 
       - name: Upload the combined checksum file
         run: gh release --repo="$REPOSITORY" upload "$VERSION" hashes.sha256
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Discard the individual checksum files
+      # If any step of any job fails before this, the draft still has the individual checksum files.
+      - name: Remove the individual checksum file assets
         run: |
           for sumfile in gitoxide-*.sha256; do
             gh release --repo="$REPOSITORY" delete-asset "$VERSION" "$sumfile" --yes
           done
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Publish the release
         if: false
         run: gh release --repo="$REPOSITORY" edit "$VERSION" --draft=false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}