chore(ci): bump package version after release via pull request

.github/workflows/release.yml

@@ -51,7 +51,7 @@ jobs:
   build:
     runs-on: aws-lambda-powertools_ubuntu-latest_4-core
     permissions:
-      contents: write
+      contents: read
     outputs:
       RELEASE_VERSION: ${{ steps.release_version.outputs.RELEASE_VERSION }}
     env:
@@ -79,13 +79,6 @@ jobs:
       - name: Run all tests, linting and baselines
         if: ${{ !inputs.skip_code_quality }}
         run: make pr
-      - name: Git client setup and refresh tip
-        run: |
-          git config user.name "Release bot"
-          git config user.email "aws-devax-open-source@amazon.com"
-          git config pull.rebase true
-          git config remote.origin.url >&- || git remote add origin https://github.com/"${ORIGIN}" # Git Detached mode (release notes) doesn't have origin
-          git pull origin "${BRANCH}"
       - name: Bump package version
         id: versioning
         run: poetry version "${RELEASE_VERSION}"
@@ -105,16 +98,6 @@ jobs:
           # and also future-proof for when we switch to protected branch and update via PR
           key: ${{ runner.os }}-${{ env.RELEASE_VERSION }}-${{ hashFiles('**/poetry.lock') }}
 
-      - name: Update version in trunk
-        if: steps.versioning.outcome == 'success'
-        run: |
-          HAS_CHANGE=$(git status --porcelain)
-          test -z "${HAS_CHANGE}" && echo "Nothing to update" && exit 0
-          git add pyproject.toml
-          git commit -m "bump version to ${RELEASE_VERSION}" --no-verify
-          git pull origin "${BRANCH}" # prevents concurrent branch update failing push
-          git push origin HEAD:refs/heads/"${BRANCH}"
-
   release:
     needs: build
     environment: release
@@ -143,12 +126,6 @@ jobs:
       #   with:
       #     repository-url: https://test.pypi.org/legacy/
 
-  changelog:
-    needs: release
-    permissions:
-      contents: write
-    uses: ./.github/workflows/reusable_publish_changelog.yml
-
   # NOTE: Watch out for the depth limit of 4 nested workflow_calls.
   # publish_layer -> publish_v2_layer -> reusable_deploy_v2_layer_stack -> reusable_update_v2_layer_arn_docs
   publish_layer:
@@ -163,6 +140,28 @@ jobs:
       latest_published_version: ${{ needs.build.outputs.RELEASE_VERSION }}
       pre_release: ${{ inputs.pre_release }}
 
+  bump_version:
+    needs: [build, release]
+    permissions:
+      contents: write  # create-pr action creates a temporary branch
+      pull-requests: write # create-pr action creates a PR using the temporary branch
+    runs-on: ubuntu-latest
+    env:
+      RELEASE_VERSION: ${{ needs.build.outputs.RELEASE_VERSION }}
+    steps:
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
+      - name: Bump package version
+        id: versioning
+        run: poetry version "${RELEASE_VERSION}"
+      - name: Create PR
+        id: create-pr
+        uses: ./.github/actions/create-pr
+        with:
+          files: "pyproject.toml"
+          temp_branch_prefix: "ci-bump"
+          pull_request_title: "chore(ci): bump version to ${{ env.RELEASE_VERSION }}"
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
   post_release:
     needs: [build, release, publish_layer]
     permissions: