INTPYTHON-406 Add automated release workflows for Django-MongoDB

.github/dependabot.yml

@@ -9,3 +9,8 @@ updates:
       actions:
         patterns:
           - "*"
+  # Python
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/codeql.yml

@@ -0,0 +1,70 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main", "*" ]
+  pull_request:
+    branches: [ "main", "*" ]
+  schedule:
+    - cron: '35 23 * * 5'
+  workflow_call:
+    inputs:
+      ref:
+        required: true
+        type: string
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    permissions:
+      # required for all workflows
+      security-events: write
+      # required to fetch internal or private CodeQL packs
+      packages: read
+      actions: read
+      contents: read
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ inputs.ref }}
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: 3.x
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: python
+        build-mode: none
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        queries: security-extended
+        config: |
+          paths-ignore:
+            - '.github/**'
+            - 'tests/**'
+
+    - shell: bash
+      run: |
+        pip install -e .
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:python"

.github/workflows/dist.yml

@@ -0,0 +1,37 @@
+name: Python Dist
+
+on:
+  workflow_dispatch:
+  workflow_call:
+    inputs:
+      ref:
+        required: true
+        type: string
+  push:
+    tags:
+      - "[0-9]+.[0-9]+.[0-9]+"
+      - "[0-9]+.[0-9]+.[0-9]+.post[0-9]+"
+      - "[0-9]+.[0-9]+.[0-9]+[a-b][0-9]+"
+      - "[0-9]+.[0-9]+.[0-9]+rc[0-9]+"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    environment: release
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        ref: ${{ inputs.ref }}
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: 3.x
+    - name: Install dependencies
+      run: pip install build
+    - name: Create packages
+      run: python -m build .
+    - name: Store package artifacts
+      uses: actions/upload-artifact@v4
+      with:
+          name: all-dist-${{ github.run_id }}
+          path: "dist/*"

.github/workflows/release-python.yml

@@ -0,0 +1,95 @@
+name: Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "The new version to set"
+        required: true
+      following_version:
+        description: "The post (dev) version to set"
+        required: false
+      dry_run:
+        description: "Dry Run?"
+        default: false
+        type: boolean
+
+env:
+  # Changes per repo
+  PRODUCT_NAME: django-mongodb
+  # Changes per branch
+  SILK_ASSET_GROUP: django-mongodb-main
+  EVERGREEN_PROJECT: django-mongodb
+
+defaults:
+  run:
+    shell: bash -eux {0}
+
+jobs:
+  pre-publish:
+    environment: release
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+    outputs:
+      version: ${{ steps.pre-publish.outputs.version }}
+    steps:
+      - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
+        with:
+          app_id: ${{ vars.APP_ID }}
+          private_key: ${{ secrets.APP_PRIVATE_KEY }}
+      - uses: mongodb-labs/drivers-github-tools/setup@v2
+        with:
+          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws_region_name: ${{ vars.AWS_REGION_NAME }}
+          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+          artifactory_username: ${{ vars.ARTIFACTORY_USERNAME }}
+      - uses: mongodb-labs/drivers-github-tools/python/pre-publish@v2
+        id: pre-publish
+        with:
+          version: ${{ inputs.version }}
+          dry_run: ${{ inputs.dry_run }}
+
+  build-dist:
+    needs: [pre-publish]
+    uses: ./.github/workflows/dist.yml
+    with:
+      ref: ${{ needs.pre-publish.outputs.version }}
+
+  static-scan:
+    needs: [pre-publish]
+    uses: ./.github/workflows/codeql.yml
+    with:
+      ref: ${{ needs.pre-publish.outputs.version }}
+
+  publish:
+    needs: [build-dist, static-scan]
+    runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      id-token: write
+      contents: write
+      attestations: write
+      security-events: write
+    steps:
+      - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
+        with:
+          app_id: ${{ vars.APP_ID }}
+          private_key: ${{ secrets.APP_PRIVATE_KEY }}
+      - uses: mongodb-labs/drivers-github-tools/setup@v2
+        with:
+          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws_region_name: ${{ vars.AWS_REGION_NAME }}
+          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+          artifactory_username: ${{ vars.ARTIFACTORY_USERNAME }}
+      - uses: mongodb-labs/drivers-github-tools/python/publish@v2
+        with:
+          version: ${{ inputs.version }}
+          following_version: ${{ inputs.following_version }}
+          product_name: ${{ env.PRODUCT_NAME }}
+          silk_asset_group: ${{ env.SILK_ASSET_GROUP }}
+          evergreen_project: ${{ env.EVERGREEN_PROJECT }}
+          token: ${{ github.token }}
+          repository_url: https://test.pypi.org/legacy/
+          dry_run: ${{ inputs.dry_run }}

pyproject.toml

@@ -1,10 +1,10 @@
 [build-system]
-requires = ["setuptools>=65.0"]
-build-backend = "setuptools.build_meta"
+requires = ["hatchling", "hatch-requirements-txt>=0.4.1"]
+build-backend = "hatchling.build"
 
 [project]
 name = "django-mongodb"
-dynamic = ["version"]
+dynamic = ["version", "dependencies"]
 description = "MongoDB backend for Django"
 readme = "README.md"
 license = {file="LICENSE"}
@@ -31,10 +31,6 @@ classifiers = [
     "Programming Language :: Python :: 3.11",
     "Programming Language :: Python :: 3.12",
 ]
-dependencies = [
-    "django>=5.0,<5.1",
-    "pymongo>=4.6,<5.0",
-]
 
 [project.optional-dependencies]
 docs = [ "sphinx>=7"]
@@ -45,8 +41,12 @@ Documentation = "https://django-mongodb.readthedocs.io"
 Source = "https://github.com/mongodb-labs/django-mongodb"
 Tracker = "https://github.com/mongodb-labs/django-mongodb/issues"
 
-[tool.setuptools.dynamic]
-version = {attr = "django_mongodb.__version__"}
+[tool.hatch.version]
+path = "django_mongodb/__init__.py"
+validate-bump = false
+
+[tool.hatch.metadata.hooks.requirements_txt]
+files = ["requirements.txt"]
 
 [tool.mypy]
 strict = true

requirements.txt

@@ -0,0 +1,3 @@
+# NOTE: this needs to change per branch to track the django version.
+django>=5.0,<5.1
+pymongo>=4.6,<5.0