workflows: add trusted publishing release workflow (#231)

* workflows: add trusted publishing release workflow

Signed-off-by: William Woodruff <william@trailofbits.com>

* release: install build dependencies

Signed-off-by: William Woodruff <william@trailofbits.com>

* Update .github/workflows/release.yml

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

* release: allow workflow_dispatch

Signed-off-by: William Woodruff <william@trailofbits.com>

* release: use pypa/build for building

Signed-off-by: William Woodruff <william@trailofbits.com>

* Makefile: use pypa/build

Signed-off-by: William Woodruff <william@trailofbits.com>

* setup: remove `setup.py publish` subcommand

Invoking `setup.py` directly is discouraged, and the behavior
in this hacked subcommand is covered by the Makefile.

Signed-off-by: William Woodruff <william@trailofbits.com>

* release: drop `--upgrade`

Signed-off-by: William Woodruff <william@trailofbits.com>

* release: only install build

Signed-off-by: William Woodruff <william@trailofbits.com>

---------

Signed-off-by: William Woodruff <william@trailofbits.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

.github/workflows/release.yml

@@ -0,0 +1,53 @@
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - "*.*.*"
+
+name: release
+
+jobs:
+  build:
+    name: Build distributions for PyPI
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+      - name: Set up Python
+        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
+
+      - name: Install build dependencies
+        run: python -m pip install build
+
+      - name: Build distributions
+        run: python -m build
+
+      - name: Upload distributions
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: certifi-dists
+          path: dist/
+
+  pypi:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    environment: release
+
+    needs:
+      - build
+
+    permissions:
+      # Used to authenticate to PyPI via OIDC.
+      id-token: write
+
+    steps:
+      - name: fetch dists
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: certifi-dists
+          path: dist/
+
+      - name: publish
+        if: github.event_name == 'push'
+        uses: pypa/gh-action-pypi-publish@f8c70e705ffc13c3b4d1221169b84f12a75d6ca8 # v1.8.8

Makefile

@@ -2,5 +2,5 @@ update:
 	curl https://mkcert.org/generate/ | ./strip-non-ascii > certifi/cacert.pem
 
 publish:
-	python setup.py sdist bdist_wheel
+	python -m build
 	twine upload --skip-existing --sign dist/*

setup.py

@@ -1,7 +1,5 @@
 #!/usr/bin/env python
 import re
-import os
-import sys
 
 # While I generally consider it an antipattern to try and support both
 # setuptools and distutils with a single setup.py, in this specific instance
@@ -16,7 +14,7 @@
 
 
 version_regex = r'__version__ = ["\']([^"\']*)["\']'
-with open('certifi/__init__.py') as f:
+with open("certifi/__init__.py") as f:
     text = f.read()
     match = re.search(version_regex, text)
 
@@ -25,44 +23,40 @@
     else:
         raise RuntimeError("No version number found!")
 
-if sys.argv[-1] == 'publish':
-    os.system('python setup.py sdist bdist_wheel upload')
-    sys.exit()
-
 setup(
-    name='certifi',
+    name="certifi",
     version=VERSION,
-    description='Python package for providing Mozilla\'s CA Bundle.',
-    long_description=open('README.rst').read(),
-    author='Kenneth Reitz',
-    author_email='me@kennethreitz.com',
-    url='https://github.com/certifi/python-certifi',
+    description="Python package for providing Mozilla's CA Bundle.",
+    long_description=open("README.rst").read(),
+    author="Kenneth Reitz",
+    author_email="me@kennethreitz.com",
+    url="https://github.com/certifi/python-certifi",
     packages=[
-        'certifi',
+        "certifi",
     ],
-    package_dir={'certifi': 'certifi'},
-    package_data={'certifi': ['*.pem', 'py.typed']},
+    package_dir={"certifi": "certifi"},
+    package_data={"certifi": ["*.pem", "py.typed"]},
     # data_files=[('certifi', ['certifi/cacert.pem'])],
     include_package_data=True,
     zip_safe=False,
-    license='MPL-2.0',
+    license="MPL-2.0",
     python_requires=">=3.6",
     classifiers=[
-        'Development Status :: 5 - Production/Stable',
-        'Intended Audience :: Developers',
-        'License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)',
-        'Natural Language :: English',
-        'Programming Language :: Python',
-        'Programming Language :: Python :: 3',
-        'Programming Language :: Python :: 3 :: Only',
-        'Programming Language :: Python :: 3.6',
-        'Programming Language :: Python :: 3.7',
-        'Programming Language :: Python :: 3.8',
-        'Programming Language :: Python :: 3.9',
-        'Programming Language :: Python :: 3.10',
-        'Programming Language :: Python :: 3.11',
+        "Development Status :: 5 - Production/Stable",
+        "Intended Audience :: Developers",
+        "License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)",
+        "Natural Language :: English",
+        "Programming Language :: Python",
+        "Programming Language :: Python :: 3",
+        "Programming Language :: Python :: 3 :: Only",
+        "Programming Language :: Python :: 3.6",
+        "Programming Language :: Python :: 3.7",
+        "Programming Language :: Python :: 3.8",
+        "Programming Language :: Python :: 3.9",
+        "Programming Language :: Python :: 3.10",
+        "Programming Language :: Python :: 3.11",
     ],
     project_urls={
-        'Source': 'https://github.com/certifi/python-certifi',
+        "Source": "https://github.com/certifi/python-certifi",
     },
 )