aio-libs / aiosmtpd

A reimplementation of the Python stdlib smtpd.py based on asyncio.
https://aiosmtpd.aio-libs.org
Apache License 2.0

Let's put `aiosmtpd` under the `aio-libs` org on PyPI #391

Closed webknjaz closed 4 months ago

webknjaz commented 5 months ago

See the details @ https://github.com/orgs/aio-libs/discussions/26.

For this, we'll need somebody with Owner privileges to either give me access on PyPI (the username there is the same — webknjaz) or be invited to the org by me (for that I'd need the username of such an individual).

As a bonus, this will also allow us to set up secretless publishing from GHA to PyPI and get rid of the in-repo secrets: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/.

cc @warsaw @pepoluan @waynew @ericvsmith

P.S. Also, is any of you willing to process vulnerability reports? I got one to the org-global security email (the one I maintain for https://github.com/aio-libs/aiosmtpd/security/policy), because the GH reporting was turned off in the repo. I have turned it on now.

webknjaz commented 5 months ago

@pepoluan I can also offer plugging an aiosmtpd.aio-libs.org domain to RTD. I see you have enough privileges to make that happen.

warsaw commented 5 months ago

Invites sent!

> P.S. Also, is any of you willing to process vulnerability reports?

Not me unfortunately.

webknjaz commented 5 months ago

Thanks, Barry!

Updates:

webknjaz commented 5 months ago

The last action item

Here are examples of some other pure-python repo CI/CD setups: https://github.com/aio-libs/aiomonitor/blob/main/.github/workflows/ci-cd.yml / https://github.com/aio-libs/aiomysql/blob/master/.github/workflows/ci-cd.yml. I recommend following these examples. Make sure to integrate re-actors/alls-green and maybe re-actors/checkout-python-sdist. Use the same workflow filename ci-cd.yml — it's standardized across the org. There are also examples of publishing to (Test)PyPI in those repos that you can reproduce.

I set up the trust to the workflow named ci-cd.yml (which doesn't yet exist) and the environment called pypi on the PyPI side. If the above examples are followed, it'll just magically work. I've added protection to the pypi environment so that the actual releases require a button click.

Now, the rest of the GHA configuration still needs to be done. Close this issue once that's complete.

@pepoluan since you were the last to release this project, I figured you'd want to understand the automation. So I'm leaving this for you to complete. If you have any questions or need help with something — feel free to ask me.

webknjaz commented 4 months ago

@Dreamsorcerer deployment will likely fail because the trusted environment is supposed to be pypi