Modernize Python CI and packaging#7

Merged
richdawe-cio merged 14 commits into main from cdp-6173-modernise on Jun 25, 2026
Conversation

@richdawe-cio richdawe-cio commented Jun 25, 2026

Collaborator

Similar to customerio/customerio-python#116 , modernise the build and packaging for cdp-analytics-python.

This is the first in a series of changes to allow us to publish new versions of this package using trusted publishing from GitHub Actions.

Changes:

  • Remove support for Python 3.8, since it's too old to support the version of setuptools that we need.
  • Switch from the old mock package to the core package unittest.mock.
  • Add a workflow to verify that builds work.

I've verified that a package built with make build is installable in a venv using e.g.: pip install /path/to/cdp-analytics-python/dist/customerio_cdp_analytics-1.0.1.dev8-py2.py3-none-any.whl, and that it can send traffic through CDP EU.


Note

Medium Risk
Dropping Python 3.8 and changing how versions are produced affects install compatibility and release artifacts, though application runtime code is largely unchanged.

Overview
Modernizes build and release plumbing ahead of trusted PyPI publishing from GitHub Actions: metadata and dependencies move into pyproject.toml, versions come from git tags via setuptools-scm, and setup.py is reduced to package discovery only.

Python 3.8 is dropped (requires-python >=3.9); CI tests 3.9–3.14. Tests switch from the mock dependency to unittest.mock.

CI gains a Build workflow (python -m build + twine check), Dependabot for Actions and pip, and lint/test workflows now trigger on PRs/main, use pyproject.toml for pip cache, and install via pip install -e ".[dev]" / pip install -e .. The Makefile adds build / clean targets and routes commands through $(PYTHON) -m.

README only updates the data-center docs URL.

Reviewed by Cursor Bugbot for commit c555131.
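The description above checks the built wheel by hand (installing it into a venv and sending traffic). The following is an added example, not code from cdp-analytics-python or its workflows: a small artifact gate that a Build workflow could run after python -m build and twine check, reading the wheel's METADATA and flagging the things this PR changes (Requires-Python below 3.9, the retired mock dependency, a setuptools-scm version carrying a local label from an untagged or dirty checkout, and a py2 wheel tag). It does not run a real build; it writes a constructed stand-in wheel named like the one in the description, and the thresholds, the sample dist-info contents and the function names are assumptions.

```python
# Added example (not code from the cdp-analytics-python repo): an artifact gate
# that inspects a built wheel's METADATA, the kind of check a Build workflow can
# run after `python -m build` and `twine check`. Everything here runs offline on
# a constructed wheel; the thresholds and the sample dist-info are assumptions.
import email.parser
import os
import re
import tempfile
import zipfile

MIN_PYTHON = (3, 9)        # the PR sets requires-python = ">=3.9"
BANNED_DEPS = {"mock"}     # retired in favour of unittest.mock


def read_wheel_metadata(wheel_path):
    """Return the parsed METADATA headers from the wheel's .dist-info directory."""
    with zipfile.ZipFile(wheel_path) as zf:
        names = [n for n in zf.namelist()
                 if n.endswith(".dist-info/METADATA") and n.count("/") == 1]
        if len(names) != 1:
            raise ValueError(f"expected one .dist-info/METADATA, found {names!r}")
        raw = zf.read(names[0]).decode("utf-8")
    return email.parser.Parser().parsestr(raw)


def check_wheel(wheel_path):
    """Return a list of findings; an empty list means the wheel passes the gate."""
    findings = []
    meta = read_wheel_metadata(wheel_path)

    # Requires-Python must be present and must not admit anything below MIN_PYTHON.
    requires_python = meta.get("Requires-Python", "")
    m = re.fullmatch(r"\s*>=\s*(\d+)\.(\d+)\s*", requires_python)
    if not m:
        findings.append(f"Requires-Python missing or not '>=X.Y': {requires_python!r}")
    elif (int(m.group(1)), int(m.group(2))) < MIN_PYTHON:
        findings.append(f"Requires-Python {requires_python!r} admits versions below "
                        f"{MIN_PYTHON[0]}.{MIN_PYTHON[1]}")

    # Runtime dependencies must not include packages the project retired.
    for dist in meta.get_all("Requires-Dist", []):
        name = re.split(r"[\s;<>=!~\[(]", dist.strip(), maxsplit=1)[0].lower()
        if name in BANNED_DEPS:
            findings.append(f"banned runtime dependency: {dist}")

    # A local version label (+g<hash>, +dirty) means the build came from an
    # untagged or dirty checkout; PyPI rejects such versions outright.
    if "+" in meta.get("Version", ""):
        findings.append(f"local version label in Version: {meta['Version']}")

    # Filename layout: name-version-pytag-abitag-platform.whl. A 'py2' tag is the
    # universal-wheel marker and is stale once Python 2 is unsupported.
    py_tag = os.path.basename(wheel_path)[:-len(".whl")].split("-")[-3]
    if "py2" in py_tag.split("."):
        findings.append(f"wheel python tag {py_tag!r} still claims Python 2 support")
    return findings


def build_sample_wheel(directory, version="1.0.1.dev8", requires_python=">=3.9",
                       requires_dist=("requests>=2.0",), py_tag="py3"):
    """Write a minimal constructed wheel (not a real build) and return its path."""
    name = "customerio_cdp_analytics"
    dist_info = f"{name}-{version}.dist-info"
    lines = ["Metadata-Version: 2.1", f"Name: {name}", f"Version: {version}",
             f"Requires-Python: {requires_python}"]
    lines += [f"Requires-Dist: {d}" for d in requires_dist]
    path = os.path.join(directory, f"{name}-{version}-{py_tag}-none-any.whl")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(f"{name}/__init__.py", "")
        zf.writestr(f"{dist_info}/WHEEL", "Wheel-Version: 1.0\n")
        zf.writestr(f"{dist_info}/METADATA", "\n".join(lines) + "\n")
    return path


def run_demo():
    """Gate one clean wheel and one that breaks every rule; return both finding lists."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = build_sample_wheel(tmp)
        stale = build_sample_wheel(tmp, version="0.1.dev3+gabcdef0",
                                   requires_python=">=3.8",
                                   requires_dist=("mock>=3.0", "requests>=2.0"),
                                   py_tag="py2.py3")
        return check_wheel(clean), check_wheel(stale)


if __name__ == "__main__":
    ok, bad = run_demo()
    print("clean wheel findings:", ok)
    for finding in bad:
        print("stale wheel:", finding)
```

In a workflow the gate would be called on dist/*.whl right after twine check; the point of reading METADATA rather than the filename alone is that Requires-Python and Requires-Dist are what pip enforces at install time, so they are the fields worth pinning down before an artifact is published.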

@richdawe-cio richdawe-cio marked this pull request as draft June 25, 2026 13:49
socket-security Bot commented Jun 25, 2026


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff   Package                      Supply Chain Security   Vulnerability   Quality   Maintenance   License
Added  pypi/setuptools@82.0.1       73                      100             100       100           70
Added  pypi/pylint@4.0.6            74                      100             100       100           70
Added  pypi/build@1.5.0             98                      100             100       100           100
Added  pypi/twine@6.2.0             98                      100             100       100           100
Added  pypi/wheel@0.47.0            99                      100             100       100           100
Added  pypi/flake8@7.3.0            100                     100             100       100           100
Added  pypi/setuptools-scm@10.2.0   100                     100             100       100           100


socket-security Bot commented Jun 25, 2026


Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action   Severity   Alert
Warn     High       License policy violation: pypi id under Apache-2.0

Location: Package overview

From: pypi/twine@6.2.0 > pypi/id@1.6.1


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/id@1.6.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn     High       License policy violation: pypi pylint under GPL-2.0-or-later

Location: Package overview

From: pyproject.toml > pypi/pylint@4.0.6


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/pylint@4.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn     High       License policy violation: pypi pylint

Location: Package overview

From: pyproject.toml > pypi/pylint@4.0.6


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/pylint@4.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn     High       License policy violation: pypi setuptools

Location: Package overview

From: pyproject.toml > pypi/setuptools@82.0.1


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/setuptools@82.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


@richdawe-cio richdawe-cio changed the title Cdp 6173 modernise Modernize Python CI and packaging Jun 25, 2026
@richdawe-cio richdawe-cio marked this pull request as ready for review June 25, 2026 15:04
Comment thread Makefile Outdated
clean:
	rm -rf MANIFEST build dist customerio.egg-info

realclean:



Feel like deps or install-deps might be a clearer name than realclean.

Collaborator Author


I'll rename it to clean-venv, since that's what it does. Thanks!

Comment thread .github/workflows/lint.yml Outdated
@@ -13,7 +23,11 @@ jobs:
with:
python-version: "3.10"
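Review bot: the lint job hard-codes python-version: "3.10" in this hunk while, per the reviewer comment and the PR description, build.yml runs on 3.14 and the test matrix spans 3.9 through 3.14, so lint checks a third interpreter that neither builds nor ships the release. Either lint on one of the matrix endpoints (oldest supported to catch syntax the 3.9 floor rejects, or newest to match build.yml) or hoist the version into a single place both workflows read, and add a comment next to the pin stating which choice was made so the values cannot drift apart silently on the next bump.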



build.yml used 3.14. Any reason for them to be different? If so, it might be worth a comment.

Collaborator Author


No, I'll make lint use the same version. Thanks!

@cursor cursor Bot left a comment



Cursor Bugbot has reviewed your changes and found 2 potential issues.


Reviewed by Cursor Bugbot for commit c555131.

Comment thread pyproject.toml
Comment thread Makefile Outdated
richdawe-cio and others added 4 commits June 25, 2026 18:13
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
flake8 3.7.9's pyflakes dependency uses ast.Str, which was removed in
Python 3.14, causing "module 'ast' has no attribute 'Str'" in CI.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
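As an added illustration of the commit message above (not flake8's or pyflakes' code, and not code from this repository): since Python 3.8 string literals parse as ast.Constant, and ast.Str survived only as a deprecated alias that Python 3.14 removes, so any linter still touching ast.Str fails with the AttributeError quoted in the commit. The portable idiom below is what a tool has to use to run on every interpreter in this PR's 3.9 to 3.14 matrix; the function names and the sample source are assumptions.

```python
# Added example (not flake8's or pyflakes' code): the mechanism behind the
# flake8 bump. ast.Str is a deprecated alias for ast.Constant that Python 3.14
# removes, so code that references it raises AttributeError on that interpreter.
import ast

# Constructed sample source: two string literals (one inside an f-string) and an int.
SAMPLE_SOURCE = 'x = "a"\ny = f"{x}b"\nz = 3\n'


def string_literals_portable(source):
    """Collect string literal values via ast.Constant; works on Python 3.8 through 3.14."""
    return [node.value for node in ast.walk(ast.parse(source))
            if isinstance(node, ast.Constant) and isinstance(node.value, str)]


def string_literals_legacy(source):
    """The pre-3.8 idiom. ast.Str is looked up only when called, so importing this
    module never fails; calling it on Python 3.14 raises AttributeError."""
    legacy_cls = ast.Str  # AttributeError: module 'ast' has no attribute 'Str' on 3.14+
    return [node.s for node in ast.walk(ast.parse(source)) if isinstance(node, legacy_cls)]


def legacy_alias_available():
    """True on interpreters that still expose the deprecated ast.Str alias."""
    return hasattr(ast, "Str")


if __name__ == "__main__":
    print("portable:", string_literals_portable(SAMPLE_SOURCE))
    print("ast.Str still present on this interpreter:", legacy_alias_available())
```

Pinning a linter that predates an interpreter in the test matrix is the same failure mode in miniature: the Build and lint workflows only tell the truth about a release if their tools are known to run on the newest Python the package claims to support.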
@richdawe-cio richdawe-cio merged commit 60e2b10 into main Jun 25, 2026
11 checks passed
@richdawe-cio richdawe-cio deleted the cdp-6173-modernise branch June 25, 2026 17:31