Update GHA release logic to use the correct permissions

We now lock down perms to read-only by default, so this is required to
ensure we can still create & add files to releases. In a separate step
for isolation.

Author: pimterry

.github/workflows/ci.yml

@@ -32,9 +32,22 @@ jobs:
           path: build/libs/*-dist.jar
           if-no-files-found: error
 
+  release:
+    name: Publish Release
+    runs-on: ubuntu-latest
+    needs: build
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
+    permissions:
+      contents: write
+
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: distributables
+          path: build/libs
+
       - name: Publish tagged release
         uses: svenstaro/upload-release-action@v2
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           file: build/libs/*-dist.jar