Clarify (c) ownership

* Download artifacts and publish to PyPI

* Comment out enviroment

* Add comment to permissions

---------

Co-authored-by: Hynek Schlawack <hs@ox.cx>

.git_archival.txt

@@ -0,0 +1,3 @@
+node: $Format:%H$
+node-date: $Format:%cI$
+describe-name: $Format:%(describe:tags=true,match=*[0-9]*)$

.github/CODE_OF_CONDUCT.md

@@ -1,133 +1,16 @@
+# Code of Conduct
 
-# Contributor Covenant Code of Conduct
+While not being a [Python Software Foundation](https://www.python.org/psf-landing/) project, everyone interacting in this project is expected to follow the [PSF Code of Conduct](https://policies.python.org/python.org/code-of-conduct/).
 
-## Our Pledge
+In general, this means that everyone is expected to be **open**, **considerate**, and **respectful** of others no matter what their position is within the project.
 
-We as members, contributors, and leaders pledge to make participation in our
-community a harassment-free experience for everyone, regardless of age, body
-size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socio-economic status,
-nationality, personal appearance, race, caste, color, religion, or sexual
-identity and orientation.
-
-We pledge to act and interact in ways that contribute to an open, welcoming,
-diverse, inclusive, and healthy community.
-
-## Our Standards
-
-Examples of behavior that contributes to a positive environment for our
-community include:
-
-* Demonstrating empathy and kindness toward other people
-* Being respectful of differing opinions, viewpoints, and experiences
-* Giving and gracefully accepting constructive feedback
-* Accepting responsibility and apologizing to those affected by our mistakes,
-  and learning from the experience
-* Focusing on what is best not just for us as individuals, but for the overall
-  community
-
-Examples of unacceptable behavior include:
-
-* The use of sexualized language or imagery, and sexual attention or advances of
-  any kind
-* Trolling, insulting or derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or email address,
-  without their explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting
-
-## Enforcement Responsibilities
-
-Community leaders are responsible for clarifying and enforcing our standards of
-acceptable behavior and will take appropriate and fair corrective action in
-response to any behavior that they deem inappropriate, threatening, offensive,
-or harmful.
-
-Community leaders have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions that are
-not aligned to this Code of Conduct, and will communicate reasons for moderation
-decisions when appropriate.
-
-## Scope
-
-This Code of Conduct applies within all community spaces, and also applies when
-an individual is officially representing the community in public spaces.
-Examples of representing our community include using an official e-mail address,
-posting via an official social media account, or acting as an appointed
-representative at an online or offline event.
 
 ## Enforcement
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported to the community leaders responsible for enforcement at
-<mailto:hs@ox.cx>.
-All complaints will be reviewed and investigated promptly and fairly.
+We take Code of Conduct violations seriously, and will act to ensure our spaces are welcoming, inclusive, and professional environments to communicate in.
 
-All community leaders are obligated to respect the privacy and security of the
-reporter of any incident.
+If you need to raise a Code of Conduct report, you may do so privately by email to [Hynek Schlawack](mailto:hs@ox.cx).
 
-## Enforcement Guidelines
+Reports will be treated confidentially.
 
-Community leaders will follow these Community Impact Guidelines in determining
-the consequences for any action they deem in violation of this Code of Conduct:
-
-### 1. Correction
-
-**Community Impact**: Use of inappropriate language or other behavior deemed
-unprofessional or unwelcome in the community.
-
-**Consequence**: A private, written warning from community leaders, providing
-clarity around the nature of the violation and an explanation of why the
-behavior was inappropriate. A public apology may be requested.
-
-### 2. Warning
-
-**Community Impact**: A violation through a single incident or series of
-actions.
-
-**Consequence**: A warning with consequences for continued behavior. No
-interaction with the people involved, including unsolicited interaction with
-those enforcing the Code of Conduct, for a specified period of time. This
-includes avoiding interactions in community spaces as well as external channels
-like social media. Violating these terms may lead to a temporary or permanent
-ban.
-
-### 3. Temporary Ban
-
-**Community Impact**: A serious violation of community standards, including
-sustained inappropriate behavior.
-
-**Consequence**: A temporary ban from any sort of interaction or public
-communication with the community for a specified period of time. No public or
-private interaction with the people involved, including unsolicited interaction
-with those enforcing the Code of Conduct, is allowed during this period.
-Violating these terms may lead to a permanent ban.
-
-### 4. Permanent Ban
-
-**Community Impact**: Demonstrating a pattern of violation of community
-standards, including sustained inappropriate behavior, harassment of an
-individual, or aggression toward or disparagement of classes of individuals.
-
-**Consequence**: A permanent ban from any sort of public interaction within the
-community.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage],
-version 2.1, available at
-[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
-
-Community Impact Guidelines were inspired by
-[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
-
-For answers to common questions about this code of conduct, see the FAQ at
-[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
-[https://www.contributor-covenant.org/translations][translations].
-
-[homepage]: https://www.contributor-covenant.org
-[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
-[Mozilla CoC]: https://github.com/mozilla/diversity
-[FAQ]: https://www.contributor-covenant.org/faq
-[translations]: https://www.contributor-covenant.org/translations
+Alternately you can make a [report to the Python Software Foundation](https://policies.python.org/python.org/code-of-conduct/Procedures-for-Reporting-Incidents/).

.github/CONTRIBUTING.md

@@ -30,21 +30,30 @@ Please report any harm to [Hynek Schlawack] in any way you find appropriate.
 
 You can (and should) run our test suite using [*tox*].
 However, you’ll probably want a more traditional environment as well.
-We highly recommend to develop using the latest Python release because we try to take advantage of modern features whenever possible.
 
-First create a [virtual environment](https://virtualenv.pypa.io/) so you don't break your system-wide Python installation.
-It’s out of scope for this document to list all the ways to manage virtual environments in Python, but if you don’t already have a pet way, take some time to look at tools like [*direnv*](https://hynek.me/til/python-project-local-venvs/), [*virtualfish*](https://virtualfish.readthedocs.io/), and [*virtualenvwrapper*](https://virtualenvwrapper.readthedocs.io/).
+First, create a [virtual environment](https://virtualenv.pypa.io/) so you don't break your system-wide Python installation.
+We recommend using the Python version from the `.python-version-default` file in project's root directory.
 
-Next, get an up to date checkout of the *argon2-cffi-bindings* repository:
+If you're using [*direnv*](https://direnv.net), you can automate the creation of a virtual environment with the correct Python version by adding the following `.envrc` to the project root after you've cloned it to your computer:
+
+```bash
+layout python python$(cat .python-version-default)
+```
+
+If you're using tools that understand `.python-version` files like [*pyenv*](https://github.com/pyenv/pyenv) does, you can make it a link to the `.python-version-default` file.
+
+---
+
+Next, fork the repository on GitHub and get an up-to-date checkout:
 
 ```console
-$ git clone git@github.com:hynek/argon2-cffi-bindings.git
+$ git clone git@github.com:<your-username>/argon2-cffi-bindings.git
 ```
 
 or if you want to use git via `https`:
 
 ```console
-$ git clone https://github.com/hynek/argon2-cffi-bindings.git
+$ git clone https://github.com/<your-username>/argon2-cffi-bindings.git
 ```
 
 Change into the newly created directory and **activate your virtual environment**
@@ -60,14 +69,14 @@ $ git submodule update   # update the vendored Argon2 C library to the version w
 Now an editable version of *argon2-cffi-bindings* along with its test requirements can be installed as usual:
 
 ```console
-$ python -m pip install --upgrade pip setuptools cffi  # PLEASE don't skip this step
-$ python -m pip install -e '.[dev]'
+$ python -Im pip install --upgrade pip  # PLEASE don't skip this step
+$ python -Im pip install -e . --group dev
 ```
 
 At this point,
 
 ```console
-$ python -m pytest
+$ python -Im pytest
 ```
 
 should work and pass.
@@ -78,7 +87,7 @@ When working on `src/_argons_cffi_bindings/_ffi_build.py`, it makes sense to reg
 
 ---
 
-To avoid committing code that violates our style guide, we strongly advise you to install [*pre-commit*] [^dev] hooks:
+To avoid committing code that violates our style guide, we strongly encourage you to install [*pre-commit*] [^dev] hooks:
 
 ```console
 $ pre-commit install
@@ -90,8 +99,8 @@ You can also run them anytime (as our tox does) using:
 $ pre-commit run --all-files
 ```
 
-[^dev]: *pre-commit* should have been installed into your virtualenv automatically when you ran `pip install -e '.[dev]'` above.
-        If *pre-commit* is missing, your probably need to run `pip install -e '.[dev]'` again.
+[^dev]: *pre-commit* should have been installed into your virtualenv automatically when you ran `python -Im pip install -e . --group dev` above.
+        If *pre-commit* is missing, your probably need to run `python -Im pip install -e . --group dev` again.
 
 
 ## Code
@@ -110,7 +119,8 @@ $ pre-commit run --all-files
       """
   ```
 - If you add or change public APIs, tag the docstring using `..  versionadded:: 16.0.0 WHAT` or `..  versionchanged:: 16.2.0 WHAT`.
-- We use [*isort*](https://github.com/PyCQA/isort) to sort our imports, and we use [*Black*](https://github.com/psf/black) with line length of 79 characters to format our code.
+
+- We use [Ruff](https://ruff.rs/) to sort our imports and format our code with a line length of 79 characters.
   As long as you run our full [*tox*] suite before committing, or install our [*pre-commit*] hooks (ideally you'll do both – see [*Local Development Environment*](#local-development-environment) above), you won't have to spend any time on formatting your code at all.
   If you don't, [CI] will catch it for you – but that seems like a waste of your time!
 

.github/FUNDING.yml

@@ -1,3 +1,5 @@
 ---
 github: hynek
-ko_fi: the_hynek
+tidelift: pypi/argon2-cffi-bindings
+thanks_dev: u/gh/hynek
+custom: https://hynek.me/say-thanks/

.github/SECURITY.md

@@ -2,14 +2,11 @@
 
 ## Supported Versions
 
-We are following [CalVer](https://calver.org) with generous backward-compatibility guarantees.
+We are following [CalVer](https://calver.org) with generous backwards-compatibility guarantees.
 Therefore we only support the latest version.
 
 
 ## Reporting a Vulnerability
 
-If you think you found a Vulnerability, please contact Hynek Schlawack at <hs@ox.cx>.
-
-If you insist on using PGP, you can use the key `0xAE2536227F69F181`.
-The fingerprint must be `C2A0 4F86 ACE2 8ADC F817 DBB7 AE25 3622 7F69 F181`.
-You can also find it on [Keybase](https://keybase.io/hynek).
+To report a security vulnerability, please use the [Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.

.github/dependabot.yml

@@ -0,0 +1,14 @@
+---
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+    cooldown:
+      # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
+      default-days: 7
+    groups:
+      github-actions:
+        patterns:
+          - "*"

.github/workflows/ci.yml

@@ -0,0 +1,185 @@
+---
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  workflow_dispatch:
+
+env:
+  FORCE_COLOR: "1" # Make tools pretty.
+  PIP_DISABLE_PIP_VERSION_CHECK: 1
+  PIP_NO_PYTHON_VERSION_WARNING: 1
+  SETUPTOOLS_SCM_PRETEND_VERSION: "1.0" # avoid warnings about shallow checkout
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  build-package:
+    name: Build & verify package
+    runs-on: ubuntu-latest
+    env:
+      BUILD_PYTHON: "3.14"
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          submodules: recursive
+          persist-credentials: false
+      - uses: hynek/build-and-inspect-python-package@fe0a0fb1925ca263d076ca4f2c13e93a6e92a33e # v2.17.0
+        id: baipp
+        with:
+          include-free-threaded: 'true'
+          python-version:  ${{ env.BUILD_PYTHON }}
+
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          cache: pip
+          python-version: ${{ env.BUILD_PYTHON }}
+
+      # Smoke-check the wheel against argon2-cffi.
+      - run: python -Im pip install $DIST/*.whl
+        env:
+          DIST: ${{ steps.baipp.outputs.dist }}
+      - run: python -Im pip install --no-deps git+https://github.com/hynek/argon2-cffi.git
+      - run: python -Im argon2 -n 1 -t 1 -m 8 -p 1
+
+    outputs:
+      # Used to define the matrix for tests below. The value is based on
+      # packaging metadata (trove classifiers).
+      python-versions: ${{ steps.baipp.outputs.supported_python_classifiers_json_array }}
+
+  tests:
+    name: Tests on ${{ matrix.python-version }}
+    needs: build-package
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        # Created by the build-and-inspect-python-package action above.
+        python-version: ${{ fromJson(needs.build-package.outputs.python-versions) }}
+    env:
+      PYTHON: ${{ matrix.python-version }}
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          submodules: recursive
+          persist-credentials: false
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: ${{ matrix.python-version }}
+          allow-prereleases: true
+          cache: pip
+      - run: python -Im pip install tox
+      - run: python -Im tox run -e $PYTHON
+
+  tests-pypy:
+    name: Tests against latest PyPy
+    runs-on: ubuntu-latest
+    env:
+      PYTHON: pypy3.11
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          submodules: recursive
+          persist-credentials: false
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: ${{ env.PYTHON }}
+          allow-prereleases: true
+          cache: pip
+      - run: python -Im pip install tox
+      - run: python -Im tox run -e $PYTHON
+
+  system-package:
+    runs-on: ubuntu-latest
+    name: Install and test with system package of Argon2
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version-file: .python-version-default
+          cache: pip
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get install libargon2-1 libargon2-dev
+          # Ensure we cannot use our own Argon2 by accident.
+          rm -rf extras
+      - run: python -Im pip install tox
+      - run: python -Im tox run -e system-argon2
+
+  install-dev:
+    name: Verify dev env
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          submodules: recursive
+          persist-credentials: false
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version-file: .python-version-default
+      - run: python -Im pip install -e . --group dev
+
+      - name: Import package
+        run: python -c 'from _argon2_cffi_bindings import ffi, lib; print(lib.ARGON2_VERSION_NUMBER)'
+      - run: otool -L src/_argon2_cffi_bindings/_ffi.abi3.so
+        if: startsWith(matrix.os , 'macos')
+      - run: ldd src/_argon2_cffi_bindings/_ffi.abi3.so
+        if: startsWith(matrix.os , 'ubuntu')
+
+      - name: Check presence of pytest
+        run: pytest --version
+
+  cog-check:
+    name: Ensure cogified files are up-to-date
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          submodules: recursive
+          persist-credentials: false
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          cache: pip
+          python-version: "3.x"
+
+      - run: python -Im pip install tox
+
+      - run: python -Im tox run -e cog-check
+
+  required-checks-pass:
+    name: Ensure everything required is passing for branch protection
+    if: always()
+
+    needs:
+      - build-package
+      - tests
+      - tests-pypy
+      - install-dev
+      - system-package
+      - cog-check
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Decide whether the needed jobs succeeded or failed
+        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe  # v1.2.2
+        with:
+          jobs: ${{ toJSON(needs) }}

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,42 @@
+---
+name: CodeQL
+
+on:
+  schedule:
+    - cron: "41 3 * * 6"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write  # necessary according to docs
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [python]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3

.github/workflows/main.yml

@@ -1,113 +0,0 @@
----
-name: CI
-
-on:
-  push:
-    branches: ["main"]
-  pull_request:
-    branches: ["main"]
-  workflow_dispatch:
-
-env:
-  FORCE_COLOR: "1"  # Make tools pretty.
-  TOX_TESTENV_PASSENV: "FORCE_COLOR"
-  PYTHON_LATEST: "3.10"
-
-
-jobs:
-  tests:
-    name: "tox on ${{ matrix.python-version }}"
-    runs-on: "ubuntu-latest"
-    strategy:
-      matrix:
-        python-version: ["3.6", "3.7", "3.8", "3.9", "3.10", "pypy-3.7"]
-
-    steps:
-      - uses: "actions/checkout@v2"
-        with:
-          submodules: "recursive"
-      - uses: "actions/setup-python@v2"
-        with:
-          python-version: "${{ matrix.python-version }}"
-      - name: "Install dependencies"
-        run: |
-          python -VV
-          python -m site
-          python -m pip install --upgrade pip setuptools wheel
-          python -m pip install --upgrade virtualenv tox tox-gh-actions
-
-      - name: "Run tox targets for ${{ matrix.python-version }}"
-        run: "python -m tox"
-
-
-  system-package:
-    runs-on: "ubuntu-latest"
-    name: "Install and test with system package of Argon2."
-
-    steps:
-      - uses: "actions/checkout@v2"
-      - uses: "actions/setup-python@v2"
-        with:
-          python-version: ${{env.PYTHON_LATEST}}
-      - name: "Install dependencies"
-        run: |
-          sudo apt-get install libargon2-0 libargon2-0-dev
-          # Ensure we cannot use our own Argon2 by accident.
-          rm -rf extras
-          python -VV
-          python -m site
-          python -m pip install --upgrade pip setuptools wheel
-          python -m pip install --upgrade virtualenv tox
-
-      - run: "python -m tox -e system-argon2"
-
-
-  package:
-    name: "Build & verify package"
-    runs-on: "ubuntu-latest"
-
-    steps:
-      - uses: "actions/checkout@v2"
-        with:
-          submodules: "recursive"
-      - uses: "actions/setup-python@v2"
-        with:
-          python-version: ${{env.PYTHON_LATEST}}
-
-      - run: "python -m pip install build twine check-wheel-contents"
-      - run: "python -m build --sdist --wheel ."
-      - run: "ls -l dist"
-      - run: "check-wheel-contents dist/*.whl"
-      - name: "Check long_description"
-        run: "python -m twine check dist/*"
-      # Smoke-check the wheel against argon2-cffi.
-      - run: "python -m pip install dist/*.whl"
-      - run: "python -m pip install --no-deps git+https://github.com/hynek/argon2-cffi.git"
-      - run: "python -m argon2 -n 1 -t 1 -m 8 -p 1"
-
-
-  install-dev:
-    name: "Verify dev env"
-    runs-on: "${{ matrix.os }}"
-    strategy:
-      fail-fast: false
-      matrix:
-        os: ["ubuntu-latest", "windows-latest", "macos-latest"]
-
-    steps:
-      - uses: "actions/checkout@v2"
-        with:
-          submodules: "recursive"
-      - uses: "actions/setup-python@v2"
-        with:
-          python-version: ${{env.PYTHON_LATEST}}
-      - run: python -m pip install --upgrade pip
-      - run: python -m pip install -e .[dev]
-      - name: "Import package"
-        run: "python -c 'from _argon2_cffi_bindings import ffi, lib; print(lib.ARGON2_VERSION_NUMBER)'"
-      - run: "otool -L src/_argon2_cffi_bindings/_ffi.abi3.so"
-        if: startsWith(matrix.os , 'macos')
-      - run: "ldd src/_argon2_cffi_bindings/_ffi.abi3.so"
-        if: startsWith(matrix.os , 'ubuntu')
-
-...

.github/workflows/wheels.yml

@@ -4,8 +4,17 @@ name: Wheels
 on:
   push:
     tags:
-      - '*'
+      - "*"
+  pull_request:
   workflow_dispatch:
+  schedule:
+    - cron: "30 4 15 * *"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
 
 
 jobs:
@@ -15,35 +24,64 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        # macOS-11 has no Python 3.6.
-        os: [ubuntu-latest, windows-latest, macOS-10.15]
+        include:
+          - os: ubuntu-22.04
+          - os: ubuntu-22.04-arm
+          - os: windows-2022
+          - os: windows-11-arm
+          - os: macOS-14
+          - os: ubuntu-24.04-riscv
+
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          submodules: "recursive"
+          submodules: recursive
+          fetch-depth: 0
+          fetch-tags: true
+          persist-credentials: false
 
-      - name: Set up QEMU
-        if: runner.os == 'Linux'
-        uses: docker/setup-qemu-action@v1
+      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
-          platforms: arm64
+          enable-cache: "false"
 
-      - uses: pypa/cibuildwheel@v2.3.0
+      # Use the GitHub Action for all platforms except riscv64
+      - name: Build wheels on ${{ matrix.os }}
+        uses: pypa/cibuildwheel@8d2b08b68458a16aeb24b64e68a09ab1c8e82084 # v3.4.1
+        if: ${{ !endsWith(matrix.os, 'riscv') }}
         env:
-          # Only build CPython 3.6, because we have portable abi3 wheels.
-          # Windows arm64 is only available on 3.9 and later, Apple Silicon on
-          # 3.8 and later.
-          CIBW_BUILD: "cp36-* pp37-* pp38-* cp39-win_arm64 cp38-macosx_universal2"
-          CIBW_ARCHS_LINUX: "auto aarch64"
-          CIBW_ARCHS_MACOS: "auto universal2"
-          CIBW_TEST_COMMAND: python -c "from _argon2_cffi_bindings import ffi, lib; print(lib.ARGON2_VERSION_NUMBER)"
-          # Silence warning we can't do anything about.
-          CIBW_TEST_SKIP: "*-macosx_universal2:arm64"
+          CIBW_ARCHS: auto
 
-      - uses: actions/upload-artifact@v2
+      - name: Build wheels on ${{ matrix.os }}
+        run: uvx --python 3.14 cibuildwheel --output-dir wheelhouse
+        if: ${{ endsWith(matrix.os, 'riscv') }}
+        env:
+          CIBW_ARCHS: riscv64
+
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
-          name: wheels
-          path: wheelhouse/*.whl
-          if-no-files-found: error
+          name: wheels-${{ matrix.os }}-${{ strategy.job-index }}
+          path: ./wheelhouse/*.whl
 
-...
+  pypi-publish:
+    if: |
+      github.event.repository.fork == false
+      && github.event_name == 'push'
+      && startsWith(github.ref, 'refs/tags')
+    needs: wheels
+    runs-on: ubuntu-latest
+    name: Upload release to PyPI
+    environment:
+      name: release-pypi
+      url: https://pypi.org/p/argon2-cffi-bindings
+    permissions:
+      id-token: write  # necessary for trusted publishing
+    steps:
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          pattern: wheels-*
+          path: dist
+          merge-multiple: true
+      - name: List files
+        run: ls -la dist/
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0

.github/workflows/zizmor.yml

@@ -0,0 +1,33 @@
+---
+# https://github.com/woodruffw/zizmor
+name: Zizmor 🌈
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor 🌈
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        with:
+          persona: pedantic
+...

.gitignore

@@ -1,7 +1,11 @@
-.tox
 *.egg-info
 *.so
+.DS_Store
+.direnv
 .eggs
+.tox
+.vscode
+__pycache__
 build
 dist
-__pycache__
+.envrc

.pre-commit-config.yaml

@@ -3,28 +3,29 @@ ci:
   autoupdate_schedule: monthly
 
 repos:
-  - repo: https://github.com/psf/black
-    rev: 21.11b1
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.15.12
     hooks:
-      - id: black
-        language_version: python3.10
+      - id: ruff-check
+        args: [--fix, --exit-non-zero-on-fix]
+      - id: ruff-format
 
-  - repo: https://github.com/PyCQA/isort
-    rev: 5.10.1
+  - repo: https://github.com/econchick/interrogate
+    rev: 1.7.0
     hooks:
-      - id: isort
-        additional_dependencies: [toml]
+      - id: interrogate
+        args: [tests]
 
-  - repo: https://github.com/PyCQA/flake8
-    rev: 4.0.1
+  - repo: https://github.com/codespell-project/codespell
+    rev: v2.4.2
     hooks:
-      - id: flake8
-        language_version: python3.10
+      - id: codespell
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.0.1
+    rev: v6.0.0
     hooks:
       - id: trailing-whitespace
       - id: end-of-file-fixer
       - id: debug-statements
       - id: check-toml
+      - id: check-yaml

.python-version-default

@@ -0,0 +1 @@
+3.13

CHANGELOG.md

@@ -1,14 +1,66 @@
 # Changelog
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Calendar Versioning](https://calver.org/).
-The first digit of the version is the year, the second digit is incremented with each release, starting at 1 for each year.
-The third digit is when we need to start branches for older releases (only for emergencies).
+The **first number** of the version is the year.
+The **second number** is incremented with each release, starting at 1 for each year.
+The **third number** is when we need to start branches for older releases (only for emergencies).
+
+<!-- changelog follows -->
+
+## [Unreleased](https://github.com/hynek/argon2-cffi-bindings/compare/25.1.0...HEAD)
+
+<!-- [[[cog
+# Extract commit ID; refresh using `tox -e cog`
+import subprocess
+out = subprocess.check_output(["git", "submodule"], text=True)
+id = out.strip().split(" ", 1)[0]
+link = f'[**`{id[:7]}`**](https://github.com/P-H-C/phc-winner-argon2/commit/{id})'
+print(f"Vendoring *Argon2* @ {link}.")
+]]] -->
+Vendoring *Argon2* @ [**`f57e61e`**](https://github.com/P-H-C/phc-winner-argon2/commit/f57e61e19229e23c4445b85494dbf7c07de721cb).
+<!-- [[[end]]] -->
+
+
+### Added
+
+- Python 3.15 support.
+  No free-threading wheels for now, because *cibuildwheel* doesn't support Python 3.15, yet.
+
+- PyPy 3.11 wheels.
+
+- Wheels for Linux on RISC-V 64bit.
+  [#106](https://github.com/hynek/argon2-cffi-bindings/pull/106)
+
+
+## [25.1.0](https://github.com/hynek/argon2-cffi-bindings/compare/21.2.0...25.1.0) - 2025-07-30
+
+
+Vendoring Argon2 @ [**`f57e61e`**](https://github.com/P-H-C/phc-winner-argon2/commit/f57e61e19229e23c4445b85494dbf7c07de721cb).
+
+
+### Added
+
+- Official Python 3.12, 3.13, and 3.14 support.
+  No code or packaging changes were necessary.
+
+- Support for free-threading (aka nogil) on Python 3.14.
+  [#70](https://github.com/hynek/argon2-cffi-bindings/pull/70)
+  [#93](https://github.com/hynek/argon2-cffi-bindings/pull/93)
+
+- Wheels for Windows on ARM64.
+  [#83](https://github.com/hynek/argon2-cffi-bindings/pull/83)
+
+
+### Removed
+
+- Python 3.6, 3.7, and 3.8 support.
+  There is very little activity on the bindings repo, so it doesn't make sense to carry around the build complexity of those ancient Python versions.
+  The [21.2.0 wheels on PyPI](https://pypi.org/project/argon2-cffi-bindings/21.2.0/) include support for Python 3.6 and are based on the same Argon2 version.
 
 
 ## [21.2.0](https://github.com/hynek/argon2-cffi-bindings/compare/21.1.0...21.2.0) - 2021-12-01
 
-
-Vendoring *Argon2* @ [**`f57e61e`**](https://github.com/P-H-C/phc-winner-argon2/commit/f57e61e19229e23c4445b85494dbf7c07de721cb).
+Vendoring Argon2 @ [**`f57e61e`**](https://github.com/P-H-C/phc-winner-argon2/commit/f57e61e19229e23c4445b85494dbf7c07de721cb).
 
 
 ### Added
@@ -18,14 +70,14 @@ Vendoring *Argon2* @ [**`f57e61e`**](https://github.com/P-H-C/phc-winner-argon2/
 
 ### Changed
 
-- The compilation of the vendored *Argon2* C library is now left to *CFFI*.
-  This prevents the accidental usage of a system-wide *Argon2* installation.
+- The compilation of the vendored Argon2 C library is now left to CFFI.
+  This prevents the accidental usage of a system-wide Argon2 installation.
   [#1](https://github.com/hynek/argon2-cffi-bindings/pull/1)
 
 
 ## [21.1.0](https://github.com/hynek/argon2-cffi-bindings/releases/tag/21.1.0) - 2021-11-28
 
-Vendoring *Argon2* @ [**`f57e61e`**](https://github.com/P-H-C/phc-winner-argon2/commit/f57e61e19229e23c4445b85494dbf7c07de721cb).
+Vendoring Argon2 @ [**`f57e61e`**](https://github.com/P-H-C/phc-winner-argon2/commit/f57e61e19229e23c4445b85494dbf7c07de721cb).
 
 ### Added
 

LICENSE

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2021 Hynek Schlawack
+Copyright (c) 2021 Hynek Schlawack and the argon2-cffi-bindings contributors
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,46 +1,51 @@
 # Low-level Python CFFI Bindings for Argon2
 
-*argon2-cffi-bindings* provides low-level [*CFFI*](https://cffi.readthedocs.io/) bindings to the [*Argon2*] password hashing algorithm including a vendored version of them.
+[![License: MIT](https://img.shields.io/badge/license-MIT-C06524)](https://github.com/hynek/argon2-cffi-bindings/blob/main/LICENSE)
+[![PyPI version](https://img.shields.io/pypi/v/argon2-cffi-bindings)](https://pypi.org/project/argon2-cffi-bindings/)
+[![PyPI - Python Version](https://img.shields.io/pypi/pyversions/argon2-cffi-bindings.svg)](https://pypi.org/project/argon2-cffi-bindings)
+
+*argon2-cffi-bindings* provides low-level [CFFI](https://cffi.readthedocs.io/) bindings to the official implementation of the [Argon2] password hashing algorithm.
 
 <!-- [[[cog
-# Extract commit ID; refresh using `tox -e cog`
+# Extract commit ID; refresh using `tox -e cog-render`
 import subprocess
 out = subprocess.check_output(["git", "submodule"], text=True)
 id = out.strip().split(" ", 1)[0]
 link = f'[**`{id[:7]}`**](https://github.com/P-H-C/phc-winner-argon2/commit/{id})'
-print(f"The currently vendored *Argon2* commit ID is {link}.")
+print(f"The currently vendored Argon2 commit ID is {link}.")
 ]]] -->
-The currently vendored *Argon2* commit ID is [**`f57e61e`**](https://github.com/P-H-C/phc-winner-argon2/commit/f57e61e19229e23c4445b85494dbf7c07de721cb).
+The currently vendored Argon2 commit ID is [**`f57e61e`**](https://github.com/P-H-C/phc-winner-argon2/commit/f57e61e19229e23c4445b85494dbf7c07de721cb).
 <!-- [[[end]]] -->
 
+> [!NOTE]
 > If you want to hash passwords in an application, this package is **not** for you.
 > Have a look at [*argon2-cffi*] with its high-level abstractions!
 
 These bindings have been extracted from [*argon2-cffi*] and it remains its main consumer.
-However, they may be used by other packages that want to use the *Argon2* library without dealing with C-related complexities.
+However, they may be used by other packages that want to use the Argon2 library without dealing with C-related complexities.
 
 
 ## Usage
 
 *argon2-cffi-bindings* is available from [PyPI](https://pypi.org/project/argon2-cffi-bindings/).
-The provided *CFFI* bindings are compiled in API mode.
+The provided CFFI bindings are compiled in API mode.
 
 Best effort is given to provide binary wheels for as many platforms as possible.
 
 
 ### Disabling Vendored Code
 
-A copy of [*Argon2*] is vendored and used by default, but can be disabled if *argon2-cffi-bindings* is installed using:
+A copy of [Argon2] is vendored and used by default, but can be disabled if *argon2-cffi-bindings* is installed using:
 
 ```console
 $ env ARGON2_CFFI_USE_SYSTEM=1 \
-  python -m pip install --no-binary=argon2-cffi-bindings argon2-cffi-bindings
+  python -Im pip install --no-binary=argon2-cffi-bindings argon2-cffi-bindings
 ```
 
 
-### Overriding Automatic *SSE2* Detection
+### Overriding Automatic SSE2 Detection
 
-Usually the build process tries to guess whether or not it should use [*SSE2*](https://en.wikipedia.org/wiki/SSE2)-optimized code (see [`_ffi_build.py`](https://github.com/hynek/argon2-cffi-bindings/blob/main/src/_argon2_cffi_bindings/_ffi_build.py) for details).
+Usually the build process tries to guess whether or not it should use [SSE2](https://en.wikipedia.org/wiki/SSE2)-optimized code (see [`_ffi_build.py`](https://github.com/hynek/argon2-cffi-bindings/blob/main/src/_argon2_cffi_bindings/_ffi_build.py) for details).
 This can go wrong and is problematic for cross-compiling.
 
 Therefore you can use the `ARGON2_CFFI_USE_SSE2` environment variable to control the process:
@@ -66,15 +71,16 @@ Please refer to [*cffi* documentation](https://cffi.readthedocs.io/en/latest/usi
 
 The list of symbols that are provided can be found in the [`_ffi_build.py` file](https://github.com/hynek/argon2-cffi-bindings/blob/main/src/_argon2_cffi_bindings/_ffi_build.py).
 
-[*Argon2*]: https://github.com/p-h-c/phc-winner-argon2
+[Argon2]: https://github.com/p-h-c/phc-winner-argon2
 [*argon2-cffi*]: https://argon2-cffi.readthedocs.io/
 
 
 ## Project Information
 
-*argon2-cffi-bindings* is available under the MIT license, available from [PyPI](https://pypi.org/project/argon2-cffi-bindings/), the source code and documentation can be found on [GitHub](https://github.com/hynek/argon2-cffi-bindings).
-
-*argon2-cffi-bindings* targets Python 3.6 and later, including PyPy3.
+- [**Changelog**](https://github.com/hynek/argon2-cffi-bindings/blob/main/CHANGELOG.md)
+- [**Documentation**](https://github.com/hynek/argon2-cffi-bindings#readme)
+- [**PyPI**](https://pypi.org/project/argon2-cffi-bindings/)
+- [**Source Code**](https://github.com/hynek/argon2-cffi-bindings)
 
 
 ### Credits & License
@@ -82,21 +88,29 @@ The list of symbols that are provided can be found in the [`_ffi_build.py` file]
 *argon2-cffi-bindings* is written and maintained by [Hynek Schlawack](https://hynek.me/about/).
 It is released under the [MIT license](https://github.com/hynek/argon2-cffi/blob/main/LICENSE>).
 
-The development is kindly supported by [Variomedia AG](https://www.variomedia.de/).
+The development is kindly supported by [Variomedia AG](https://www.variomedia.de/) and all my amazing [GitHub Sponsors](https://github.com/sponsors/hynek).
 
-The authors of *Argon2* were very helpful to get the library to compile on ancient versions of Visual Studio for ancient versions of Python.
+The authors of Argon2 were very helpful to get the library to compile on ancient versions of Visual Studio for ancient versions of Python.
 
-The documentation quotes frequently in verbatim from the *Argon2* [paper](https://www.password-hashing.net/argon2-specs.pdf) to avoid mistakes by rephrasing.
+The documentation quotes frequently in verbatim from the Argon2 [paper](https://www.password-hashing.net/argon2-specs.pdf) to avoid mistakes by rephrasing.
 
 
 #### Vendored Code
 
-The original *Argon2* repo can be found at <https://github.com/P-H-C/phc-winner-argon2/>.
+The original Argon2 repo can be found at <https://github.com/P-H-C/phc-winner-argon2/>.
 
-Except for the components listed below, the *Argon2* code in this repository is copyright (c) 2015 Daniel Dinu, Dmitry Khovratovich (main authors), Jean-Philippe Aumasson and Samuel Neves, and under [CC0] license.
+Except for the components listed below, the Argon2 code in this repository is copyright (c) 2015 Daniel Dinu, Dmitry Khovratovich (main authors), Jean-Philippe Aumasson and Samuel Neves, and under [CC0] license.
 
-The string encoding routines in src/encoding.c are copyright (c) 2015 Thomas Pornin, and under [CC0] license.
+The string encoding routines in `src/encoding.c` are copyright (c) 2015 Thomas Pornin, and under [CC0] license.
 
-The [*BLAKE2*](https://www.blake2.net) code in ``src/blake2/`` is copyright (c) Samuel Neves, 2013-2015, and under [CC0] license.
+The [BLAKE2](https://www.blake2.net) code in `src/blake2/` is copyright (c) Samuel Neves, 2013-2015, and under [CC0] license.
 
 [CC0]: https://creativecommons.org/publicdomain/zero/1.0/
+
+
+### *argon2-cffi-bindings* for Enterprise
+
+Available as part of the [Tidelift Subscription](https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek).
+
+The maintainers of *argon2-cffi-bindings* and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open-source packages you use to build your applications.
+Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use.

pyproject.toml

@@ -1,25 +1,146 @@
 [build-system]
-requires = ["setuptools>=45",  "setuptools_scm>=6.2", "wheel", "cffi>=1.0.1"]
+requires = [
+    "setuptools>=77",
+    "setuptools_scm[toml]>=6.2",
+    "cffi>=1.0.1; python_version < '3.14'",
+    "cffi>=2; python_version >= '3.14'",
+]
 build-backend = "setuptools.build_meta"
 
 
+[project]
+dynamic = ["version"]
+name = "argon2-cffi-bindings"
+description = "Low-level CFFI bindings for Argon2"
+readme = { content-type = "text/markdown", file = "README.md" }
+authors = [{ name = "Hynek Schlawack", email = "hs@ox.cx" }]
+requires-python = ">=3.9"
+license = "MIT"
+license-files = ["LICENSE"]
+keywords = ["password", "hash", "hashing", "security", "bindings", "cffi"]
+classifiers = [
+    "Development Status :: 5 - Production/Stable",
+    "Intended Audience :: Developers",
+    "Natural Language :: English",
+    "Operating System :: MacOS :: MacOS X",
+    "Operating System :: Microsoft :: Windows",
+    "Operating System :: POSIX",
+    "Operating System :: Unix",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
+    "Programming Language :: Python :: 3.15",
+    "Programming Language :: Python :: Free Threading",
+    "Programming Language :: Python :: Implementation :: CPython",
+    "Programming Language :: Python :: Implementation :: PyPy",
+    "Topic :: Security :: Cryptography",
+    "Topic :: Security",
+    "Topic :: Software Development :: Libraries :: Python Modules",
+]
+dependencies = [
+    "cffi>=1.0.1; python_version < '3.14'",
+    "cffi>=2; python_version >= '3.14'",
+]
+
+[dependency-groups]
+tests = ["pytest"]
+dev = [{ include-group = "tests" }, "cogapp", "pre-commit"]
+
+
+[project.urls]
+Tidelift = "https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek"
+Changelog = "https://github.com/hynek/argon2-cffi-bindings/blob/main/CHANGELOG.md"
+GitHub = "https://github.com/hynek/argon2-cffi-bindings"
+Funding = "https://github.com/sponsors/hynek"
+
+
+[tool.setuptools.packages.find]
+where = ["src"]
+
+
 [tool.setuptools_scm]
-# Dev versions are PREVIOUS.post1.devXYZ
-version_scheme = "no-guess-dev"
+# Dev versions are PREVIOUS.devN with N being the # of commits since PREVIOUS.
+local_scheme = "no-local-version"
+
+
+[tool.cibuildwheel]
+build-frontend = "uv"
+build = [
+    "cp39-*",   # We have portable abi3 wheels.
+    "cp314t-*", # Free-threading / nogil.
+    # PyPy 3.9 is EOL and doesn't build on Windows anymore.
+    "pp310-*",
+    "pp311-*",
+]
+enable = ["pypy", "pypy-eol"]
+before-all = "uname -a"
+test-command = 'python -Ic "from _argon2_cffi_bindings import ffi, lib; print(lib.ARGON2_VERSION_NUMBER)"'
+
+[[tool.cibuildwheel.overrides]]
+select = "*linux_riscv64"
+build-frontend = "build"
+
+[tool.cibuildwheel.macos]
+# PyPy has no universal2, so let's build them all, always.
+archs = ["all"]
 
 
 [tool.pytest.ini_options]
-addopts = "-ra --strict-markers --capture=no"
+addopts = ["-ra", "--strict-markers", "--strict-config", "--capture=no"]
 xfail_strict = true
 testpaths = "tests"
-filterwarnings = [
-    "once::Warning",
-]
+filterwarnings = ["once::Warning"]
 
 
-[tool.black]
+[tool.interrogate]
+omit-covered-files = true
+verbose = 2
+fail-under = 100
+whitelist-regex = ["test_.*"]
+
+
+[tool.ruff]
+src = ["src", "tests"]
 line-length = 79
 
+[tool.ruff.lint]
+select = ["ALL"]
+ignore = [
+    "A001",    # shadowing is fine
+    "A002",    # shadowing is fine
+    "A003",    # shadowing is fine
+    "ANN",     # Mypy is better at this
+    "ARG001",  # unused arguments are normal when implementing interfaces
+    "COM",     # Formatter takes care of our commas
+    "D",       # We prefer our own docstring style.
+    "E501",    # leave line-length enforcement to formatter
+    "ERA001",  # Dead code detection is overly eager.
+    "FBT",     # we have one function that takes one bool; c'mon!
+    "FIX",     # Yes, we want XXX as a marker.
+    "INP001",  # sometimes we want Python files outside of packages
+    "ISC001",  # conflicts with ruff format
+    "PLC0415", # sometimes, imports must live elsewhere
+    "PLR2004", # numbers are sometimes fine
+    "PLW2901", # re-assigning within loop bodies is fine
+    "RUF001",  # leave my smart characters alone
+    "SLF001",  # private members are accessed by friendly functions
+    "TC",      # TYPE_CHECKING blocks break autodocs
+    "TD",      # we don't follow other people's todo style
+]
 
-[tool.isort]
-profile = "attrs"
+[tool.ruff.lint.per-file-ignores]
+"tests/*" = [
+    "ARG",    # stubs don't care about arguments
+    "S101",   # assert
+    "SIM300", # Yoda rocks in asserts
+    "PT011",  # broad is fine
+    "TRY002", # stock exceptions are fine in tests
+    "EM101",  # no need for exception msg hygiene in tests
+]
+
+[tool.ruff.lint.isort]
+lines-between-types = 1
+lines-after-imports = 2

setup.py

@@ -1,112 +1,42 @@
 # SPDX-License-Identifier: MIT
 
-import pathlib
 import platform
 import sys
+import sysconfig
 
-from setuptools import find_packages, setup
+from setuptools import setup
 
 
-###############################################################################
-
-NAME = "argon2-cffi-bindings"
-DESCRIPTION = "Low-level CFFI bindings for Argon2"
-URL = "https://github.com/hynek/argon2-cffi-bindings"
-LICENSE = "MIT"
-AUTHOR = "Hynek Schlawack"
-EMAIL = "hs@ox.cx"
-
-CFFI_MODULES = ["src/_argon2_cffi_bindings/_ffi_build.py:ffi"]
-PYTHON_REQUIRES = ">=3.6"
-SETUP_REQUIRES = ["cffi>=1.0.1", "setuptools_scm>=6.2"]
-INSTALL_REQUIRES = ["cffi>=1.0.1"]
-EXTRAS_REQUIRE = {"tests": ["pytest"]}
-EXTRAS_REQUIRE["dev"] = EXTRAS_REQUIRE["tests"] + [
-    "cogapp",
-    "pre-commit",
-    "wheel",
-]
-
-KEYWORDS = ["password", "hash", "hashing", "security", "bindings", "cffi"]
-PROJECT_URLS = {
-    "Source Code": "https://github.com/hynek/argon2-cffi-bindings",
-    "Funding": "https://github.com/sponsors/hynek",
-    "Tidelift": "https://tidelift.com/subscription/pkg/pypi-argon2-cffi?"
-    "utm_source=pypi-argon2-cffi&utm_medium=pypi",
-    "Ko-fi": "https://ko-fi.com/the_hynek",
-}
-CLASSIFIERS = [
-    "Development Status :: 5 - Production/Stable",
-    "Intended Audience :: Developers",
-    "License :: OSI Approved :: MIT License",
-    "Natural Language :: English",
-    "Operating System :: MacOS :: MacOS X",
-    "Operating System :: Microsoft :: Windows",
-    "Operating System :: POSIX",
-    "Operating System :: Unix",
-    "Programming Language :: Python :: 3",
-    "Programming Language :: Python :: 3.6",
-    "Programming Language :: Python :: 3.7",
-    "Programming Language :: Python :: 3.8",
-    "Programming Language :: Python :: 3.9",
-    "Programming Language :: Python :: 3.10",
-    "Programming Language :: Python :: Implementation :: CPython",
-    "Programming Language :: Python :: Implementation :: PyPy",
-    "Programming Language :: Python",
-    "Topic :: Security :: Cryptography",
-    "Topic :: Security",
-    "Topic :: Software Development :: Libraries :: Python Modules",
-]
-
-
-###############################################################################
-
+cmdclass = {}
 
 if platform.python_implementation() == "CPython":
     try:
-        import wheel.bdist_wheel
-    except ImportError:
-        BDistWheel = None
-    else:
+        try:
+            from setuptools.command.bdist_wheel import bdist_wheel
+        except ImportError:
+            from wheel.bdist_wheel import bdist_wheel
 
-        class BDistWheel(wheel.bdist_wheel.bdist_wheel):
+        class BDistWheel(bdist_wheel):
             def finalize_options(self):
-                self.py_limited_api = f"cp3{sys.version_info[1]}"
-                wheel.bdist_wheel.bdist_wheel.finalize_options(self)
+                # Free-threaded CPython doesn't support limited API.
+                if sysconfig.get_config_var("Py_GIL_DISABLED"):
+                    self.py_limited_api = False
+                else:
+                    self.py_limited_api = f"cp3{sys.version_info[1]}"
 
+                super().finalize_options()
 
-else:
-    BDistWheel = None
+        cmdclass["bdist_wheel"] = BDistWheel
+    except ImportError:
+        pass
 
 
 if __name__ == "__main__":
-    cmdclass = {}
-    if BDistWheel is not None:
-        cmdclass["bdist_wheel"] = BDistWheel
     setup(
-        name=NAME,
-        use_scm_version=True,  # setuptools_scm
-        description=DESCRIPTION,
-        license=LICENSE,
-        url=URL,
-        project_urls=PROJECT_URLS,
-        author=AUTHOR,
-        author_email=EMAIL,
-        maintainer=AUTHOR,
-        maintainer_email=EMAIL,
-        long_description=pathlib.Path("README.md").read_text(),
-        long_description_content_type="text/markdown",
-        keywords=KEYWORDS,
-        packages=find_packages(where="src"),
-        package_dir={"": "src"},
-        classifiers=CLASSIFIERS,
-        python_requires=PYTHON_REQUIRES,
-        setup_requires=SETUP_REQUIRES,
-        install_requires=INSTALL_REQUIRES,
-        extras_require=EXTRAS_REQUIRE,
+        # Ensure limited API is set on CPython
         cmdclass=cmdclass,
         # CFFI
         zip_safe=False,
         ext_package="_argon2_cffi_bindings",
-        cffi_modules=CFFI_MODULES,
+        cffi_modules=["src/_argon2_cffi_bindings/_ffi_build.py:ffi"],
     )

src/_argon2_cffi_bindings/_ffi_build.py

@@ -2,6 +2,7 @@
 
 import os
 import platform
+import sysconfig
 
 from pathlib import Path
 
@@ -11,6 +12,8 @@ from cffi import FFI
 use_system_argon2 = os.environ.get("ARGON2_CFFI_USE_SYSTEM", "0") == "1"
 use_sse2 = os.environ.get("ARGON2_CFFI_USE_SSE2", None)
 windows = platform.system() == "Windows"
+# Free-threaded CPython doesn't support limited API.
+limited_api = not sysconfig.get_config_var("Py_GIL_DISABLED")
 
 
 # Try to detect cross-compilation.
@@ -48,6 +51,7 @@ if use_system_argon2:
         "_ffi",
         "#include <argon2.h>",
         libraries=["argon2"],
+        py_limited_api=limited_api,
     )
 else:
     lib_base = Path("extras") / "libargon2" / "src"
@@ -55,7 +59,8 @@ else:
         "_ffi",
         "#include <argon2.h>",
         extra_compile_args=["-msse2"] if (optimized and not windows) else None,
-        include_dirs=[os.path.join("extras", "libargon2", "include")],
+        include_dirs=[str(Path("extras", "libargon2", "include"))],
+        py_limited_api=limited_api,
         sources=[
             str(lib_base / path)
             for path in [

tests/test_build.py

@@ -4,7 +4,7 @@ from _argon2_cffi_bindings._ffi_build import _get_target_platform
 
 
 @pytest.mark.parametrize(
-    "arch_flags, expected",
+    ("arch_flags", "expected"),
     [
         (" -arch arm64", "arm64"),
         ("abc -arch  arm64  xyz", "arm64"),

tox.ini

@@ -1,72 +1,50 @@
-[flake8]
-exclude = src/_argon2_cffi_bindings/_ffi.py
-ignore:
-    # Black vs flake8 conflict
-    E203
-
-
-# We don't run pre-commit in CI, because we use pre-commit.ci.
-[gh-actions]
-python =
-    3.6: py36
-    3.7: py37
-    3.8: py38
-    3.9: py39
-    3.10: py310, cogCheck
-    pypy-3: pypy3
-
-
 [tox]
-envlist = pre-commit,cogCheck,cog,py36,py37,py38,py39,py310,pypy3,system-argon2,pypi-description
-isolated_build = true
+min_version = 4.25
+env_list =
+    pre-commit,
+    cog-{check,render},
+    3.{9-15},
+    3.1{4-5}t,
+    pypy3.{9-11},
+    system-argon2
 
 
 [testenv:pre-commit]
 description = Run all pre-commit hooks.
-basepython = python3.10
 skip_install = true
 deps = pre-commit
-passenv = HOMEPATH  # needed on Windows
 commands = pre-commit run --all-files
 
 
-[testenv:cog]
-description = "Update README"
+[testenv:cog-render]
+description = Update README and CHANGELOG
 skip_install = true
-deps =
-    cogapp>=3.3.0
-commands = python -m cogapp -rP README.md CHANGELOG.md
+deps = cogapp>=3.3.0
+commands = cog -rP README.md CHANGELOG.md
 
 
-[testenv:cogCheck]
-description = "Ensure README.md is up to date"
+[testenv:cog-check]
+description = Ensure README and CHANGELOG are up-to-date
 skip_install = true
-deps = {[testenv:cog]deps}
-commands = python -m cogapp --check -P README.md CHANGELOG.md
+deps = {[testenv:cog-render]deps}
+commands = cog --check -P README.md CHANGELOG.md
 
 
 [testenv]
 description = Run tests.
-extras = tests
-commands =
-    python -m pytest {posargs}
+dependency_groups = tests
+commands = pytest {posargs}
 
 
 [testenv:system-argon2]
 description = Run tests against bindings that use a system installation of Argon2.
-setenv = ARGON2_CFFI_USE_SYSTEM=1
-extras = tests
+set_env = ARGON2_CFFI_USE_SYSTEM=1
+dependency_groups = tests
 install_command = pip install {opts} --no-binary=argon2-cffi-bindings {packages}
-commands =
-    python -m pytest {posargs}
 
 
-[testenv:pypi-description]
-description = Ensure README.rst renders on PyPI.
+[testenv:clean]
+description = Remove build artifacts.
+allowlist_externals = rm
 skip_install = true
-deps =
-    twine
-    pip >= 18.0.0
-commands =
-    pip wheel -w {envtmpdir}/build --no-deps .
-    twine check {envtmpdir}/build/*
+commands = rm -rf .tox build src/argon2_cffi_bindings.egg-info