Update the GHA workflow for publishing to PyPI and eliminate discouraged practices

[webknjaz]

Hey, I noticed you're using my action for uploading to the PyPI, but its version is outdated — it was deprecated 2 years ago (https://github.com/pypa/gh-action-pypi-publish/commit/1bbe3c9) and doesn't contain modern features. I noticed that other actions referenced in the workflow also use deprecated versions that may stop working anytime now.

Follow https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ to get it up-to-date. The GH doc is not as detailed: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi#updating-your-github-actions-workflow.

Action items:

• [ ] Update the action version to the recent one (use release/v1 for stable rolling updates, or concrete tags/commit SHAs + dependabot)
• [ ] Drop the use of API tokens and any args in with:
• [ ] Delete the PYPI_PASSWORD secret from the repository settings on GitHub
• [ ] Add attestations: true under with: (this is a new, experimental digital signing feature of the action)
• [x] Set up a GitHub environment called pypi with required reviews in the repo settings
• [ ] Set up OIDC on the PyPI and in the GH workflow job privileges
• [ ] Replace the deprecated direct calls to setup.py with python -Im build — this will build an sdist and a wheel out of that sdist (as a smoke test) if you don't pass unnecessary CLI args that would change this behavior
• [ ] Keep the jobs for building and uploading separate, having different privileges for security reasons
• [ ] Could even merge the workflows and make use of https://github.com/re-actors/checkout-python-sdist, testing what's about to be uploaded
• [ ] Delete the API token from the PyPI

~P.S. If you ever decide you want to host this project under @aio-libs (which would make sense for us given that aiohttp depends on it, but no pressure!) — let me know and I can make this happen.~

Moving aiodns under the @aio-libs umbrella:

• [x] Transfer under the GitHub org
• [x] Transfer under the PyPI org

[saghul]

Thank you!

The project doesn't need much maintenance but since I'm not using Python at work I think it would make sense to find a new home for it and @aio-libs makes perfect sense.

I'd be happy to move it there and continue maintaining it there.

[webknjaz]

Your call but I've gone ahead and invited you to the org! Whenever you're ready, give me the owner permission so I could do the transfer. You'll be free to set up accesses as you see fit and I typically help out with CI/CD/packaging/RTD/docs subdomain when needed, even though I don't normally maintain each project under the @aio-libs umbrella.

[webknjaz]

Hey @saghul, I've found an invitation to join the repository in my inbox that I missed in April… Would you mind re-sending it?

[webknjaz]

@saghul ^

[saghul]

Hey! Sure thing!

[webknjaz]

@saghul thanks, finally we're in sync :) Could you make sure to give me "Owner" so I could move it? I can't see the repo settings page for some reason...

[saghul]

Not sure how I can do that, WTF? Since this is my personal account I can only add you as a collaborator.

[webknjaz]

Oh… I forgot this is how it works. We need a “mule” account in between. So you probably need to transfer it to me, and I'd transfer it to the org then.

[webknjaz]

GH will keep the redirects on the HTTP and Git levels even with such a double move, by the way.

[webknjaz]

@saghul so I've got an idea of a mule-org and made one. Let's test using it as a trampoline instead...

[saghul]

Done!

[webknjaz]

I looked at the new "repo transfer" interface and realized that they seem to have a direct transfer possibility now... So I was probably overengineering here :)

[webknjaz]

@saghul now that it's in, could you give me “Owner” on PyPI, so I could transfer it over there and configure tokenless publishing for the later GHA->PyPI integration?

[saghul]

Same username there?

[webknjaz]

yep

[webknjaz]

@saghul plz let me know when you do that and I'll cross that item off my list ;) Everything else does not strictly require my involvement (or yours for that matter), so maybe @Dreamsorcerer or @bdraco would have a minute to pick up those items.

[webknjaz]

I've updated the checklist in the initial post.

[saghul]

Invited you to pypi!

[webknjaz]

Thanks! I moved it and adjusted the privileges (the org is the only owner, others are maintainers so they show up in the UI on the project page).

[webknjaz]

Configured trust on the PyPI side similar to other projects. Ideally, the unified workflow should move into ci-cd.yml.

[saghul]

Feel free to go ahead!