Apply latest meta template, drop Python 3.8, add Python 3.14

.github/workflows/pre-commit.yml

@@ -15,19 +15,22 @@ env:
 
 jobs:
   pre-commit:
+    permissions:
+      contents: read
+      pull-requests: write
     name: linting
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
     - uses: actions/setup-python@v5
       with:
         python-version: 3.x
-    - uses: pre-commit/[email protected]
+    - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd  #v3.0.1
       with:
         extra_args: --all-files --show-diff-on-failure
       env:
         PRE_COMMIT_COLOR: always
-    - uses: pre-commit-ci/lite-action@v1.0.2
+    - uses: pre-commit-ci/lite-action@5d6cc0eb514c891a40562a58a8e71576c5c7fb43  #v1.1.0
       if: always()
       with:
         msg: Apply pre-commit code formatting

.github/workflows/tests.yml

@@ -30,7 +30,7 @@
 # native support. It works, but is slow.
 #
 # Another major downside: You can't just re-run the job for one part
-# of the matrix. So if there's a transient test failure that hit, say, 3.8,
+# of the matrix. So if there's a transient test failure that hit, say, 3.11,
 # to get a clean run every version of Python runs again. That's bad.
 # https://github.community/t/ability-to-rerun-just-a-single-job-in-a-workflow/17234/65
 
@@ -97,12 +97,12 @@ jobs:
       matrix:
         python-version:
           - "pypy-3.10"
-          - "3.8"
           - "3.9"
           - "3.10"
           - "3.11"
           - "3.12"
           - "3.13"
+          - "3.14"
         os: [ubuntu-latest, macos-latest, windows-latest]
         exclude:
           - os: macos-latest
@@ -111,6 +111,8 @@ jobs:
     steps:
       - name: checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5
         with:
@@ -152,12 +154,16 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-pip-
 
+      - name: Install Build Dependencies (3.14)
+        if: matrix.python-version == '3.14'
+        run: |
+          pip install -U pip
+          pip install -U "setuptools <= 75.6.0" wheel twine
       - name: Install Build Dependencies
+        if: matrix.python-version != '3.14'
         run: |
           pip install -U pip
-          pip install -U "setuptools <74" wheel twine
-          pip install cffi
-          pip install -U zope.proxy
+          pip install -U "setuptools <= 75.6.0" wheel twine
 
       - name: Build zope.security (macOS x86_64)
         if: >
@@ -195,7 +201,15 @@ jobs:
           python setup.py build_ext -i
           python setup.py bdist_wheel
 
+      - name: Install zope.security and dependencies (3.14)
+        if: matrix.python-version == '3.14'
+        run: |
+          # Install to collect dependencies into the (pip) cache.
+          # Use "--pre" here because dependencies with support for this future
+          # Python release may only be available as pre-releases
+          pip install --pre .[test]
       - name: Install zope.security and dependencies
+        if: matrix.python-version != '3.14'
         run: |
           # Install to collect dependencies into the (pip) cache.
           pip install .[test]
@@ -238,6 +252,7 @@ jobs:
           && startsWith(github.ref, 'refs/tags')
           && !startsWith(runner.os, 'Linux')
           && !startsWith(matrix.python-version, 'pypy')
+          && !startsWith(matrix.python-version, '3.14')
         env:
           TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
         run: |
@@ -251,12 +266,12 @@ jobs:
       matrix:
         python-version:
           - "pypy-3.10"
-          - "3.8"
           - "3.9"
           - "3.10"
           - "3.11"
           - "3.12"
           - "3.13"
+          - "3.14"
         os: [ubuntu-latest, macos-latest, windows-latest]
         exclude:
           - os: macos-latest
@@ -265,6 +280,8 @@ jobs:
     steps:
       - name: checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5
         with:
@@ -311,15 +328,32 @@ jobs:
         with:
           name: zope.security-${{ runner.os }}-${{ matrix.python-version }}.whl
           path: dist/
+      - name: Install zope.security ${{ matrix.python-version }}
+        if: matrix.python-version == '3.14'
+        run: |
+          pip install -U wheel "setuptools <= 75.6.0"
+          # coverage might have a wheel on PyPI for a future python version which is
+          # not ABI compatible with the current one, so build it from sdist:
+          pip install -U --no-binary :all: coverage[toml]
+          # Unzip into src/ so that testrunner can find the .so files
+          # when we ask it to load tests from that directory. This
+          # might also save some build time?
+          ls -l dist/
+          unzip -n dist/*.whl -d src
+          # Use "--pre" here because dependencies with support for this future
+          # Python release may only be available as pre-releases
+          pip install --pre -e .[test]
       - name: Install zope.security
+        if: matrix.python-version != '3.14'
         run: |
-          pip install -U wheel "setuptools <74"
+          pip install -U wheel "setuptools <= 75.6.0"
           pip install -U coverage[toml]
           pip install -U 'cffi; platform_python_implementation == "CPython"'
           # Unzip into src/ so that testrunner can find the .so files
           # when we ask it to load tests from that directory. This
           # might also save some build time?
-          unzip -n dist/zope.security-*whl -d src
+          ls -l dist/
+          unzip -n dist/*.whl -d src
           pip install -e .[test]
       - name: Run tests with C extensions
         if: ${{ !startsWith(matrix.python-version, 'pypy') }}
@@ -362,6 +396,8 @@ jobs:
     steps:
       - name: checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5
         with:
@@ -412,14 +448,84 @@ jobs:
         run: |
           pip install -U wheel
           pip install -U coverage[toml]
-          pip install -U  "`ls dist/zope.security-*.whl`[docs]"
+          pip install -U  "`ls dist/*.whl`[docs]"
       - name: Build docs
         env:
           ZOPE_INTERFACE_STRICT_IRO: 1
         run: |
           sphinx-build -b html -d docs/_build/doctrees docs docs/_build/html
           sphinx-build -b doctest -d docs/_build/doctrees docs docs/_build/doctest
 
+  release-check:
+    needs: build-package
+    runs-on: "ubuntu-latest"
+    strategy:
+      matrix:
+        python-version: ["3.11"]
+        os: [ubuntu-latest]
+
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          allow-prereleases: true
+      ###
+      # Caching.
+      # This actually *restores* a cache and schedules a cleanup action
+      # to save the cache. So it must come before the thing we want to use
+      # the cache.
+      ###
+      - name: Get pip cache dir (default)
+        id: pip-cache-default
+        if: ${{ !startsWith(runner.os, 'Windows') }}
+        run: |
+          echo "dir=$(pip cache dir)" >>$GITHUB_OUTPUT
+
+      - name: Get pip cache dir (Windows)
+        id: pip-cache-windows
+        if: ${{ startsWith(runner.os, 'Windows') }}
+        run: |
+          echo "dir=$(pip cache dir)" >> $Env:GITHUB_OUTPUT
+
+      - name: pip cache (default)
+        uses: actions/cache@v4
+        if: ${{ !startsWith(runner.os, 'Windows') }}
+        with:
+          path: ${{ steps.pip-cache-default.outputs.dir }}
+          key: ${{ runner.os }}-pip-${{ matrix.python-version }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+
+      - name: pip cache (Windows)
+        uses: actions/cache@v4
+        if: ${{ startsWith(runner.os, 'Windows') }}
+        with:
+          path: ${{ steps.pip-cache-windows.outputs.dir }}
+          key: ${{ runner.os }}-pip-${{ matrix.python-version }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+
+      - name: Download zope.security wheel
+        uses: actions/download-artifact@v4
+        with:
+          name: zope.security-${{ runner.os }}-${{ matrix.python-version }}.whl
+          path: dist/
+      - name: Install zope.security
+        run: |
+          pip install -U wheel
+          pip install -U tox
+          pip install -U  "`ls dist/*.whl`[docs]"
+      - name: Run release check
+        env:
+          ZOPE_INTERFACE_STRICT_IRO: 1
+        run: |
+          tox -e release-check
+
   manylinux:
     runs-on: ubuntu-latest
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
@@ -432,6 +538,8 @@ jobs:
     steps:
       - name: checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5
         with:
@@ -507,6 +615,8 @@ jobs:
           name: manylinux_${{ matrix.image }}_wheels.zip
       - name: Restore pip cache permissions
         run: sudo chown -R $(whoami) ${{ steps.pip-cache-default.outputs.dir }}
+      - name: Prevent publishing wheels for unreleased Python versions
+        run: VER=$(echo '3.14' | tr -d .) && ls -al wheelhouse && sudo rm -f wheelhouse/*-cp${VER}*.whl && ls -al wheelhouse
       - name: Publish package to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         if: >

.manylinux-install.sh

@@ -28,27 +28,32 @@ yum -y install libffi-devel
 
 tox_env_map() {
     case $1 in
-        *"cp38"*) echo 'py38';;
         *"cp39"*) echo 'py39';;
         *"cp310"*) echo 'py310';;
         *"cp311"*) echo 'py311';;
         *"cp312"*) echo 'py312';;
         *"cp313"*) echo 'py313';;
+        *"cp314"*) echo 'py314';;
         *) echo 'py';;
     esac
 }
 
 # Compile wheels
 for PYBIN in /opt/python/*/bin; do
     if \
-       [[ "${PYBIN}" == *"cp38/"* ]] || \
        [[ "${PYBIN}" == *"cp39/"* ]] || \
        [[ "${PYBIN}" == *"cp310/"* ]] || \
        [[ "${PYBIN}" == *"cp311/"* ]] || \
        [[ "${PYBIN}" == *"cp312/"* ]] || \
-       [[ "${PYBIN}" == *"cp313/"* ]] ; then
-        "${PYBIN}/pip" install -e /io/
-        "${PYBIN}/pip" wheel /io/ -w wheelhouse/
+       [[ "${PYBIN}" == *"cp313/"* ]] || \
+       [[ "${PYBIN}" == *"cp314/"* ]] ; then
+        if [[ "${PYBIN}" == *"cp314/"* ]] ; then
+            "${PYBIN}/pip" install --pre -e /io/
+            "${PYBIN}/pip" wheel /io/ --pre -w wheelhouse/
+        else
+            "${PYBIN}/pip" install -e /io/
+            "${PYBIN}/pip" wheel /io/ -w wheelhouse/
+        fi
         if [ `uname -m` == 'aarch64' ]; then
           cd /io/
           ${PYBIN}/pip install tox

.meta.toml

@@ -2,20 +2,20 @@
 # https://github.com/zopefoundation/meta/tree/master/config/c-code
 [meta]
 template = "c-code"
-commit-id = "d8a8b5ed"
+commit-id = "2d8bba0c"
 
 [python]
 with-windows = true
 with-pypy = true
-with-future-python = false
+with-future-python = true
 with-docs = true
 with-sphinx-doctests = true
 with-macos = false
 
 [tox]
 use-flake8 = true
 additional-envlist = [
-    "py38-watch, py311-watch",
+    "py39-watch, py313-watch",
     ]
 testenv-setenv = [
     "ZOPE_INTERFACE_STRICT_IRO=1",
@@ -53,12 +53,6 @@ additional-config = [
 
 [github-actions]
 additional-config = [
-    "- [\"3.8\",   \"py38-watch\"]",
-    "- [\"3.11\",  \"py311-watch\"]",
+    "- [\"3.9\",   \"py39-watch\"]",
+    "- [\"3.13\",  \"py313-watch\"]",
     ]
-additional-build-dependencies = [
-    "zope.proxy",
-    ]
-
-[c-code]
-require-cffi = true

.pre-commit-config.yaml

@@ -3,19 +3,19 @@
 minimum_pre_commit_version: '3.6'
 repos:
   - repo: https://github.com/pycqa/isort
-    rev: "5.13.2"
+    rev: "6.0.0"
     hooks:
     - id: isort
   - repo: https://github.com/hhatto/autopep8
-    rev: "v2.3.1"
+    rev: "v2.3.2"
     hooks:
     - id: autopep8
       args: [--in-place, --aggressive, --aggressive]
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.17.0
+    rev: v3.19.1
     hooks:
     - id: pyupgrade
-      args: [--py38-plus]
+      args: [--py39-plus]
   - repo: https://github.com/isidentical/teyit
     rev: 0.4.3
     hooks:

CHANGES.rst

@@ -5,6 +5,10 @@
 7.4 (unreleased)
 ----------------
 
+- Drop support for Python 3.8.
+
+- Add preliminary support for Python 3.14.
+
 
 7.3 (2024-10-02)
 ----------------

CONTRIBUTING.md

@@ -1,7 +1,7 @@
 <!--
 Generated from:
 https://github.com/zopefoundation/meta/tree/master/config/c-code
---> 
+-->
 # Contributing to zopefoundation projects
 
 The projects under the zopefoundation GitHub organization are open source and