workflows: add trusted publishing release workflow (#231)

* workflows: add trusted publishing release workflow Signed-off-by: William Woodruff <[email protected]> * release: install build dependencies Signed-off-by: William Woodruff <[email protected]> * Update .github/workflows/release.yml Co-authored-by: Alex Gaynor <[email protected]> * release: allow workflow_dispatch Signed-off-by: William Woodruff <[email protected]> * release: use pypa/build for building Signed-off-by: William Woodruff <[email protected]> * Makefile: use pypa/build Signed-off-by: William Woodruff <[email protected]> * setup: remove `setup.py publish` subcommand Invoking `setup.py` directly is discouraged, and the behavior in this hacked subcommand is covered by the Makefile. Signed-off-by: William Woodruff <[email protected]> * release: drop `--upgrade` Signed-off-by: William Woodruff <[email protected]> * release: only install build Signed-off-by: William Woodruff <[email protected]> --------- Signed-off-by: William Woodruff <[email protected]> Co-authored-by: Alex Gaynor <[email protected]>
certifi · Jul 26, 2023 · 0399a7c · 0399a7c
1 parent 2103453
commit 0399a7c
Show file tree

Hide file tree

Showing 3 changed files with 79 additions and 32 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,53 @@
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - "*.*.*"
+
+name: release
+
+jobs:
+  build:
+    name: Build distributions for PyPI
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+      - name: Set up Python
+        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
+
+      - name: Install build dependencies
+        run: python -m pip install build
+
+      - name: Build distributions
+        run: python -m build
+
+      - name: Upload distributions
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: certifi-dists
+          path: dist/
+
+  pypi:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    environment: release
+
+    needs:
+      - build
+
+    permissions:
+      # Used to authenticate to PyPI via OIDC.
+      id-token: write
+
+    steps:
+      - name: fetch dists
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: certifi-dists
+          path: dist/
+
+      - name: publish
+        if: github.event_name == 'push'
+        uses: pypa/gh-action-pypi-publish@f8c70e705ffc13c3b4d1221169b84f12a75d6ca8 # v1.8.8
diff --git a/Makefile b/Makefile
@@ -2,5 +2,5 @@ update:
 	curl https://mkcert.org/generate/ | ./strip-non-ascii > certifi/cacert.pem
 
 publish:
-	python setup.py sdist bdist_wheel
+	python -m build
 	twine upload --skip-existing --sign dist/*
diff --git a/setup.py b/setup.py
@@ -1,7 +1,5 @@
 #!/usr/bin/env python
 import re
-import os
-import sys
 
 # While I generally consider it an antipattern to try and support both
 # setuptools and distutils with a single setup.py, in this specific instance
@@ -16,7 +14,7 @@
 
 
 version_regex = r'__version__ = ["\']([^"\']*)["\']'
-with open('certifi/__init__.py') as f:
+with open("certifi/__init__.py") as f:
     text = f.read()
     match = re.search(version_regex, text)
 
@@ -25,44 +23,40 @@
     else:
         raise RuntimeError("No version number found!")
 
-if sys.argv[-1] == 'publish':
-    os.system('python setup.py sdist bdist_wheel upload')
-    sys.exit()
-
 setup(
-    name='certifi',
+    name="certifi",
     version=VERSION,
-    description='Python package for providing Mozilla\'s CA Bundle.',
-    long_description=open('README.rst').read(),
-    author='Kenneth Reitz',
-    author_email='[email protected]',
-    url='https://github.com/certifi/python-certifi',
+    description="Python package for providing Mozilla's CA Bundle.",
+    long_description=open("README.rst").read(),
+    author="Kenneth Reitz",
+    author_email="[email protected]",
+    url="https://github.com/certifi/python-certifi",
     packages=[
-        'certifi',
+        "certifi",
     ],
-    package_dir={'certifi': 'certifi'},
-    package_data={'certifi': ['*.pem', 'py.typed']},
+    package_dir={"certifi": "certifi"},
+    package_data={"certifi": ["*.pem", "py.typed"]},
     # data_files=[('certifi', ['certifi/cacert.pem'])],
     include_package_data=True,
     zip_safe=False,
-    license='MPL-2.0',
+    license="MPL-2.0",
     python_requires=">=3.6",
     classifiers=[
-        'Development Status :: 5 - Production/Stable',
-        'Intended Audience :: Developers',
-        'License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)',
-        'Natural Language :: English',
-        'Programming Language :: Python',
-        'Programming Language :: Python :: 3',
-        'Programming Language :: Python :: 3 :: Only',
-        'Programming Language :: Python :: 3.6',
-        'Programming Language :: Python :: 3.7',
-        'Programming Language :: Python :: 3.8',
-        'Programming Language :: Python :: 3.9',
-        'Programming Language :: Python :: 3.10',
-        'Programming Language :: Python :: 3.11',
+        "Development Status :: 5 - Production/Stable",
+        "Intended Audience :: Developers",
+        "License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)",
+        "Natural Language :: English",
+        "Programming Language :: Python",
+        "Programming Language :: Python :: 3",
+        "Programming Language :: Python :: 3 :: Only",
+        "Programming Language :: Python :: 3.6",
+        "Programming Language :: Python :: 3.7",
+        "Programming Language :: Python :: 3.8",
+        "Programming Language :: Python :: 3.9",
+        "Programming Language :: Python :: 3.10",
+        "Programming Language :: Python :: 3.11",
     ],
     project_urls={
-        'Source': 'https://github.com/certifi/python-certifi',
+        "Source": "https://github.com/certifi/python-certifi",
     },
 )