Switch to using the official PyPA action for uploading to PyPI

.github/requirements/uv-requirements.txt

@@ -0,0 +1,21 @@
+# This file was autogenerated by uv via the following command:
+#    uv pip compile --universal -p 3.8 --generate-hashes -
+uv==0.4.7 \
+    --hash=sha256:00aa7299edefcc4069d73b988a7331d590e3fedd29f5695b1680905af1ccba04 \
+    --hash=sha256:0fef80011c96dc8e284f4895b7ca92945e450fb517872115a557e72789c0e2c5 \
+    --hash=sha256:106fc5449a63137da6b3c4fd25775e3eeda3b11c8cea12439d95201237a95484 \
+    --hash=sha256:1357fb27047cff94422bb82cf9a82d7285ce8341a204fc1925b0b89c8d108249 \
+    --hash=sha256:23283699e6035ef536b204f9094e7297093a527f958b86d4ce26613c603f564c \
+    --hash=sha256:2ab5f6701046b373cdedca7334e20a8dc7726eb4c3e2f6e18297dbbda09afba9 \
+    --hash=sha256:319a585f53c0b63b989526206383716e1d7c0f3483425058b94bf47402a81841 \
+    --hash=sha256:54c3dde3c01d96fba484c2728e020c7c867e05a88de143ddb6df1091d1ffdfb7 \
+    --hash=sha256:63b59e0cfa303a97ce5ba19fa8fc27a6339516561bc4b821cca52ed15721cbdb \
+    --hash=sha256:904763380be165f5213dcbacb8d6c17d5cf138ea4bd24b4a37a1b6046b5650a1 \
+    --hash=sha256:9356449439d4fa42419d17736d775cd1701b1b4a054ab445faf1477a6920a505 \
+    --hash=sha256:a1850d93f78eeb6d0ace3dc0335e1bf141a4b6a26844ab75f00055de2a4817cd \
+    --hash=sha256:ab7308c0604268f21b1a5bce4e1b61bcf56831f4aef59bee93c2b5815f4bc6a8 \
+    --hash=sha256:bfbd6e28b0543b774db7d97d61963c384c70284e95056004c8f74252e69616c7 \
+    --hash=sha256:d6c8e43bbdfa2f7910245335acb93fcb5a4e34995b7ce60de4e814071690b3c5 \
+    --hash=sha256:e1f3285bebfeab6e076e651ec47f6adf7a83a4f014dd9d7e73efc034e77d42cd \
+    --hash=sha256:e8bc35e30f2bb03f0e1812f1c0dce0e73d8ab01e90392d39f334da9d75e522b0 \
+    --hash=sha256:ec49a00317799226d33135bf40e8da44262f44e3980a5bb9e6dae7250523c963

.github/workflows/ci.yml

@@ -46,8 +46,8 @@ jobs:
           - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
           # Latest commit on the BoringSSL master branch, as of Sep 07, 2024.
           - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "01e1ae3687e391a076fe470471f096db1f6d6bb4"}}
-          # Latest commit on the OpenSSL master branch, as of Sep 07, 2024.
-          - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5c82588173d33222b33693f698bc9c7614675e9f"}}
+          # Latest commit on the OpenSSL master branch, as of Sep 09, 2024.
+          - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7845ff7692ac3a2bc1f8bf1eb9fa1ec1119f9b79"}}
           # Builds with various Rust versions. Includes MSRV and next
           # potential future MSRV.
           - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"}

.github/workflows/pypi-publish.yml

@@ -35,65 +35,29 @@ jobs:
       - run: echo "$EVENT_CONTEXT"
         env:
           EVENT_CONTEXT: ${{ toJson(github.event) }}
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
-        with:
-          python-version: "3.11"
-      - name: Get publish-requirements.txt from repository
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          sparse-checkout: |
-            ${{ env.PUBLISH_REQUIREMENTS_PATH }}
-          sparse-checkout-cone-mode: false
-          persist-credentials: false
-      - name: Install Python dependencies
-        run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }}
-
-      - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
-        with:
-          path: dist/
-          run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }}
 
       - run: |
-          echo "OIDC_AUDIENCE=pypi" >> $GITHUB_ENV
-          echo "PYPI_DOMAIN=pypi.org" >> $GITHUB_ENV
-          echo "TWINE_REPOSITORY=pypi" >> $GITHUB_ENV
-          echo "TWINE_USERNAME=__token__" >> $GITHUB_ENV
+          echo "PYPI_URL=https://pypi.org/legacy/" >> $GITHUB_ENV
         if: github.event_name == 'workflow_run' || (github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'pypi')
       - run: |
-          echo "OIDC_AUDIENCE=testpypi" >> $GITHUB_ENV
-          echo "PYPI_DOMAIN=test.pypi.org" >> $GITHUB_ENV
-          echo "TWINE_REPOSITORY=testpypi" >> $GITHUB_ENV
-          echo "TWINE_USERNAME=__token__" >> $GITHUB_ENV
+          echo "PYPI_URL=https://test.pypi.org/legacy/" >> $GITHUB_ENV
         if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'testpypi'
 
+      - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
+        with:
+          path: tmpdist/
+          run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }}
+      - run: mkdir dist/
       - run: |
-          import os
-
-          import requests
-
-          response = requests.get(
-              os.environ["ACTIONS_ID_TOKEN_REQUEST_URL"],
-              params={"audience": os.environ["OIDC_AUDIENCE"]},
-              headers={"Authorization": f"bearer {os.environ['ACTIONS_ID_TOKEN_REQUEST_TOKEN']}"}
-          )
-          response.raise_for_status()
-          token = response.json()["value"]
-
-          response = requests.post(f"https://{os.environ['PYPI_DOMAIN']}/_/oidc/mint-token", json={"token": token})
-          response.raise_for_status()
-          pypi_token = response.json()["token"]
-
-          with open(os.environ["GITHUB_ENV"], "a") as f:
-              print(f"::add-mask::{pypi_token}")
-              f.write(f"TWINE_PASSWORD={pypi_token}\n")
-        shell: python
-
-      - run: find dist/ -type f -name 'cryptography*' -print0 | xargs -0 twine upload --skip-existing
+          find tmpdist/ -type f -name 'cryptography*' -exec mv {} dist/ \;
 
-      # Do not perform attestation for things for TestPyPI. This is because
-      # there's nothing that would prevent a malicious PyPI from serving a
-      # signed TestPyPI asset in place of a release intended for PyPI.
-      - uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c  # v1.4.3
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@0ab0b79471669eb3a4d647e625009c62f9f3b241  # v1.10.1
         with:
-          subject-path: 'dist/**/cryptography*'
-        if: env.TWINE_REPOSITORY == 'pypi'
+          repository-url: ${{ env.PYPI_URL }}
+          skip-existing: true
+          # Do not perform attestation for things for TestPyPI. This is
+          # because there's nothing that would prevent a malicious PyPI from
+          # serving a signed TestPyPI asset in place of a release intended for'
+          # PyPI.
+          attestations: ${{ env.PYPI_URL == 'https://pypi.org/legacy/' }}

.github/workflows/wheel-builder.yml

@@ -21,6 +21,7 @@ on:
 
 env:
   BUILD_REQUIREMENTS_PATH: .github/requirements/build-requirements.txt
+  UV_REQUIREMENTS_PATH: .github/requirements/uv-requirements.txt
 
 jobs:
   sdist:
@@ -33,7 +34,7 @@ jobs:
           ref: ${{ github.event.inputs.version || github.ref }}
           persist-credentials: false
 
-      - run: python -m pip install uv
+      - run: python -m pip install -r $UV_REQUIREMENTS_PATH
 
       - name: Make sdist (cryptography)
         run: uv build --build-constraint=$BUILD_REQUIREMENTS_PATH --require-hashes --sdist
@@ -195,6 +196,7 @@ jobs:
           persist-credentials: false
           sparse-checkout: |
             ${{ env.BUILD_REQUIREMENTS_PATH }}
+            ${{ env.UV_REQUIREMENTS_PATH }}
           sparse-checkout-cone-mode: false
       - name: Setup python
         run: |
@@ -222,46 +224,41 @@ jobs:
           toolchain: stable
           # Add the arm64 target in addition to the native arch (x86_64)
           target: aarch64-apple-darwin
-      - run: ${{ matrix.PYTHON.BIN_PATH }} -m venv venv
-      - name: Install Python dependencies
-        run: venv/bin/pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }}
-
       - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: cryptography-sdist
+
+      - run: ${{ matrix.PYTHON.BIN_PATH }} -m pip install -r ${{ env.UV_REQUIREMENTS_PATH }}
       - run: mkdir wheelhouse
       - name: Build the wheel
         run: |
           if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then
-              PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation"
+              PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }}"
           fi
 
-          # `maturin` has a binary that needs to be on the $PATH, so we
-          # activate the venv.
-          source venv/bin/activate
           OPENSSL_DIR="$(readlink -f ../openssl-macos-universal2/)" \
               OPENSSL_STATIC=1 \
-              venv/bin/python -m pip wheel -v --no-deps $PY_LIMITED_API cryptograph*.tar.gz -w dist/
-          mv dist/cryptography*.whl wheelhouse
+              uv build --wheel --require-hashes --build-constraint=$BUILD_REQUIREMENTS_PATH $PY_LIMITED_API cryptography*.tar.gz -o wheelhouse/
         env:
           MACOSX_DEPLOYMENT_TARGET: ${{ matrix.PYTHON.DEPLOYMENT_TARGET }}
           ARCHFLAGS: ${{ matrix.PYTHON.ARCHFLAGS }}
           _PYTHON_HOST_PLATFORM: ${{ matrix.PYTHON._PYTHON_HOST_PLATFORM }}
-      - run: venv/bin/pip install -f wheelhouse/ --no-index cryptography
+
+      - run: uv venv
+      - run: uv pip install --require-hashes -r $BUILD_REQUIREMENTS_PATH
+      - run: uv pip install cryptography --no-index -f wheelhouse/
       - name: Show the wheel's minimum macOS SDK and architectures
         run: |
-          find venv/lib/*/site-packages/cryptography/hazmat/bindings -name '*.so' -exec vtool -show {} \;
+          find .venv/lib/*/site-packages/cryptography/hazmat/bindings -name '*.so' -exec vtool -show {} \;
       - run: |
-          venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))"
+          echo "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" | uv run -
 
-      - run: mkdir cryptography-wheelhouse
-      - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/
       - run: |
-          echo "CRYPTOGRAPHY_WHEEL_NAME=$(basename $(ls cryptography-wheelhouse/cryptography*.whl))" >> $GITHUB_ENV
+          echo "CRYPTOGRAPHY_WHEEL_NAME=$(basename $(ls wheelhouse/cryptography*.whl))" >> $GITHUB_ENV
       - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: "${{ env.CRYPTOGRAPHY_WHEEL_NAME }}"
-          path: cryptography-wheelhouse/
+          path: wheelhouse/
 
   windows:
     needs: [sdist]
@@ -290,6 +287,7 @@ jobs:
           persist-credentials: false
           sparse-checkout: |
             ${{ env.BUILD_REQUIREMENTS_PATH }}
+            ${{ env.UV_REQUIREMENTS_PATH }}
           sparse-checkout-cone-mode: false
 
       - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
@@ -320,25 +318,25 @@ jobs:
             echo "OPENSSL_DIR=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}" >> $GITHUB_ENV
             echo "OPENSSL_STATIC=1" >> $GITHUB_ENV
         shell: bash
-      - name: Install Python dependencies
-        run: python -m pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }}
+
+      - run: pip install -r ${{ env.UV_REQUIREMENTS_PATH }}
       - run: mkdir wheelhouse
       - run: |
           if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then
-              PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation"
+              PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }}"
           fi
 
-          python -m pip wheel -v --no-deps cryptography*.tar.gz $PY_LIMITED_API -w dist/
-          mv dist/cryptography*.whl wheelhouse/
+          uv build --wheel --require-hashes --build-constraint=$BUILD_REQUIREMENTS_PATH cryptography*.tar.gz $PY_LIMITED_API -o wheelhouse/
         shell: bash
-      - run: pip install -f wheelhouse --no-index cryptography
+
+      - run: uv venv
+      - run: uv pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }}
+      - run: uv pip install cryptography --no-index -f wheelhouse/
       - name: Print the OpenSSL we built and linked against
         run: |
-            python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))"
+            echo "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" | uv run -
 
-      - run: mkdir cryptography-wheelhouse
-      - run: move wheelhouse\cryptography*.whl cryptography-wheelhouse\
       - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}"
-          path: cryptography-wheelhouse\
+          path: wheelhouse\