Add immutable releases with automated PyPI publishing

[wscourge]

Summary

• Rewrite .github/workflows/release.yml to run the full lint+test matrix on v* tag push, build sdist+wheel, create a GitHub Release with attached distribution files, and publish to PyPI via OIDC trusted publishing with build attestations
• Add RELEASING.md with release process (version bump via PR, tag, automated publish), pre-release handling, and security documentation
• Add bin/release.sh to automate the entire release flow end-to-end
• Add pyproject.toml with PEP 517/518 build-system declaration
• Replace CHANGELOG.md contents with a link to the GitHub Releases page, where release notes are now auto-generated from merged PR titles
• Clean up stale CI references (Code Climate workflow name, Travis CI badge, orphaned coverage XML, outdated manual release instructions in README)
• Fix Python version classifiers (drop untested 3.9, add tested 3.14)
• Remove legacy setup.py publish command

bin/release.sh

bin/release.sh <patch|minor|major>

The script automates the full release process:

1. Checks prerequisites (git, gh, jq, python3)
2. Verifies CI is green on main, exits with a link to the failed run if not
3. Lists open PRs targeting main and asks for confirmation to continue
4. Lists PRs merged since the last tag (what's being released) and asks for confirmation
5. Bumps chartmogul/version.py
6. Stashes uncommitted work, creates a release branch, commits, pushes, and opens a PR
7. Polls for the PR to be merged (every 10s)
8. Tags the merge commit and pushes the tag
9. Polls for the release workflow to complete (every 10s)
10. Restores stashed work and prints links to the GitHub Release and PyPI package

If interrupted (Ctrl-C) during either polling step, it prints the remaining manual steps and links needed to finish the release by hand.

Pre-merge admin setup

• Immutable Releases
  • Settings > General > Releases > Enable "Immutable releases"
• Tag Protection Ruleset
  • Settings > Rules > Rulesets > New ruleset targeting tags matching v*
  • Enable deletion prevention
  • Enable force-push prevention
  • Enable update prevention
• GitHub Actions Environment
  • Settings > Environments > New environment named pypi
  • Optionally configure required reviewers for an approval gate on publish
• PyPI Trusted Publishing
  • On pypi.org go to Trusted Publisher Management
  • Add a trusted publisher with repository chartmogul/chartmogul-python, workflow release.yml, environment pypi (I didn't want to save it w/o GHA env in place)

Post-merge steps

• Verify automated publishing
  • Tag a pre-release (vX.Y.Z-rc1) and confirm the full pipeline runs
  • If the previous item is OK, run bin/release.sh patch and confirm it works end to end
• Remove manual PyPI access
  • Remove publish permissions for human accounts on pypi.org (CI is now the sole publisher)

Test plan

• Run python3 -m build locally and verify both sdist and wheel are produced with expected contents
• Push a test pre-release tag to exercise the full workflow (lint → test → build → publish → release)
• Verify the GitHub Release is created with distribution files attached
• Verify the package appears on PyPI with correct version and attestations
• Run bin/release.sh patch against a sandbox/fork to validate the interactive flow

[pkopac]

Settings updated ✅

[pkopac]

Zizmor points out that the branch name itself could potentially contain injection, I am not sure about that 😅 but if you put it into env it should not be evaluated, therefore nullify injection danger.

[pkopac]

trusted publishing set up ✅