@nicoonoclaste
Collaborator

  • requirements-upload.txt taken from pursuedpybear;
  • .ci/upload-build.sh inspired by Cirrus CI's documentation;
  • upload task uses account pursuedpybear on Github and test.pypi.org.

@nicoonoclaste
Collaborator Author

nicoonoclaste commented May 26, 2019

  • @pursuedpybot needs to be invited to @ppb and granted write access to ppb-vector (or at least its release artifacts).
  • pursuedpybot needs to be granted upload access to ppb-vector (on test.pypi.org)

@AstraLuma
Member

@nicoonoclaste
Collaborator Author

@astronouth7303 I do not believe I have the required level of access to create an app under the PPB organisation.

@nicoonoclaste
Collaborator Author

nicoonoclaste commented Jun 1, 2019

Re: PyPI API keys

per-user API keys as an alternative form of multifactor authentication

🙀
I hope they misspoke and didn't mean that API keys will be needed in addition to username/password (and instead of a 2FA method).

  • Each user who has upload permissions for a specific project will be able to generate API tokens via the Warehouse web UI with upload permissions for that specific project.
  • Each user will be able to view, manage, revoke, and delete their own previously generated API tokens via the Warehouse web UI.

API tokens will still be owned by specific users, so we will still need a PyPI user for the organisation.

@AstraLuma
Member

Implement support for per-User and per-Project API Keys as PyPI API authentication tokens

@nicoonoclaste
Collaborator Author

nicoonoclaste commented Jun 2, 2019

So, any feedback on whether we want this, and whether the 2 pursuedpybot machine users have the necessary access? If so, I'd like to merge and cut a release candidate so we can:

  1. test the latest changes work in PPB itself, before committing to 1.0;
  2. test the release automation (against test.pypi.org) for a pre-release.

Per the discussion on Discord, we cannot currently avoid having a machine user for PyPI, and it's not obvious it is possible for a Github App; it might be possible by registering an app and manually acquiring an OAuth token, but that will require some thought and development effort.

@AstraLuma
Member

Ok, after discussions.

Yes, this is a thing we want.

The current incarnation is fine. A full github app would require infra and no thanks right now.

Let's try to use this for the current release cycle.

@AstraLuma
Member

bors r+

bors bot added a commit that referenced this pull request Jun 6, 2019
161: Cirrus CI: upload build artifacts to Github and (test) PyPI r=astronouth7303 a=nbraud

- `requirements-upload.txt` taken from pursuedpybear;
- `.ci/upload-build.sh` inspired by Cirrus CI's [documentation];
- upload task uses account `pursuedpybear` on Github and `test.pypi.org`.

[documentation]: https://cirrus-ci.org/examples/#release-assets


Co-authored-by: Nicolas Braud-Santoni <nicolas@braud-santoni.eu>
@bors bors bot merged commit 31f80d9 into ppb:master Jun 6, 2019
@bors
Contributor

bors bot commented Jun 6, 2019

Build succeeded

  • docs
  • FreeBSD PYTHON:3.6
  • FreeBSD PYTHON:3.7
  • lint
  • Linux python:3.6-slim
  • Linux python:3.7-slim
  • macOS PYTHON:3.6.8
  • macOS PYTHON:3.7.2
  • Windows python:3.6-windowsservercore-1809
  • Windows python:3.7-windowsservercore-1809

@nicoonoclaste nicoonoclaste deleted the ci/upload branch June 8, 2019 22:38