
Modernize Python CI and packaging#116

Merged
hownowstephen merged 8 commits into main from ci-fixes on May 6, 2026

Conversation

hownowstephen (Contributor) commented May 5, 2026

Summary

  • Add PEP 621 project metadata, modern setuptools build configuration, and dev extras for ruff/build/twine
  • Refresh CI with ruff lint/format checks, Python 3.10-3.14 test matrix, package build validation, setup-python/checkout v6, pip caching, and Dependabot
  • Clean up legacy Python patterns across the library and tests while preserving existing behavior

Verification

  • make lint
  • make test
  • python -m build --no-isolation
  • twine check dist/customerio-2.4.0*

Note

Medium Risk
Moderate risk due to switching to pyproject.toml/PEP 621 packaging metadata, updating dependency constraints, and refactoring request payload/sanitization code paths that could subtly change runtime behavior.

Overview
Modernizes packaging and release tooling by adding pyproject.toml (PEP 621 metadata, dev extras, requests/urllib3 constraints, Python >=3.10), simplifying setup.py, adding MANIFEST.in to exclude tests from sdists, and updating Makefile targets for build, lint/format (ruff), and twine upload.

Refreshes CI and automation with a new GitHub Actions workflow that runs ruff lint/format checks, tests across Python 3.10–3.14, validates build artifacts via build + twine check, adds pip caching/concurrency, and introduces weekly Dependabot updates for GitHub Actions and pip.

Codebase cleanup/refactor: reorganizes exports in customerio/__init__.py, simplifies version definition, refactors transactional message request payload generation in api.py via shared field maps, and makes ClientBase._sanitize non-mutating; tests and the HTTPS test server are updated accordingly (including switching warning suppression to urllib3.disable_warnings()).

Reviewed by Cursor Bugbot for commit c77bd64.
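An added illustration of the two refactors named in the overview (payload generation driven by a shared field map, and a sanitize step that does not mutate the caller's data). This is example code, not the customerio library's implementation; the field map and the `sanitize`/`build_payload` names are assumptions.

```python
from datetime import datetime, timezone

# Hypothetical field map (kwarg name -> API payload key). Keeping the mapping in
# one table is what makes a key typo such as "preproceessing" a one-line fix.
TRANSACTIONAL_FIELDS = {
    "transactional_message_id": "transactional_message_id",
    "to": "to",
    "identifiers": "identifiers",
    "message_data": "message_data",
    "send_to_unsubscribed": "send_to_unsubscribed",
    "tracked": "tracked",
    "attachments": "attachments",
    "disable_css_preprocessing": "disable_css_preprocessing",
}


def sanitize(data):
    """Return a copy of `data` with datetimes converted to epoch seconds.
    The input is never modified, so a dict the caller reuses across requests
    keeps its datetime objects instead of silently turning into ints."""
    if isinstance(data, dict):
        return {k: sanitize(v) for k, v in data.items()}
    if isinstance(data, list):
        return [sanitize(v) for v in data]
    if isinstance(data, datetime):
        return int(data.timestamp())
    return data


def build_payload(field_map, **kwargs):
    """Map accepted kwargs onto payload keys, drop Nones, then sanitize."""
    unknown = set(kwargs) - set(field_map)
    if unknown:
        # Unknown names are rejected instead of being passed through to the API.
        raise TypeError(f"unknown fields: {sorted(unknown)}")
    payload = {field_map[k]: v for k, v in kwargs.items() if v is not None}
    return sanitize(payload)


def demo():
    """Constructed input: build one payload and also return the caller's dict
    so it can be checked that the dict was left untouched."""
    sent_at = datetime(2026, 5, 5, 12, 0, tzinfo=timezone.utc)
    message_data = {"sent_at": sent_at, "tags": ["welcome"]}
    payload = build_payload(
        TRANSACTIONAL_FIELDS, transactional_message_id="welcome",
        to="user@example.com", message_data=message_data, tracked=None)
    return payload, message_data
```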

socket-security (Bot) commented May 5, 2026

Review the following changes in direct dependencies.

Diff   Package             Supply Chain Security   Vulnerability   Quality   Maintenance   License
Added  setuptools@82.0.1   73                      100             100       100           70
Added  build@1.5.0         98                      100             100       100           100
Added  twine@6.2.0         98                      100             100       100           100
Added  wheel@0.47.0        99                      100             100       100           100
Added  ruff@0.15.12        100                     100             100       100           100


socket-security (Bot) commented May 5, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts.

Action   Severity   Alert
Warn High
License policy violation: pypi id under Apache-2.0

Location: Package overview

From: pypi/twine@6.2.0 -> pypi/id@1.6.1


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/id@1.6.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: pypi setuptools

Location: Package overview

From: pyproject.toml -> pypi/setuptools@82.0.1


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/setuptools@82.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


cursor (Bot) left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.


Reviewed by Cursor Bugbot for commit 8db8bec.

Comment threads (collapsed): customerio/client_base.py (outdated), .github/workflows/main.yml, customerio/__version__.py
washam-cio left a comment

In general, the changes modernize, improve readability, and remove duplicated code. Just pointed out a couple of things.

There are also a couple of comments I added outside of this review.

Comment thread on customerio/api.py:
"send_to_unsubscribed": "send_to_unsubscribed",
"tracked": "tracked",
"attachments": "attachments",
"disable_css_preproceessing": "disable_css_preproceessing",

washam-cio: typo here: preproceessing
But we probably can't make this change until we publish a new major version, right?

hownowstephen (Contributor, Author):

Yeah, planning on shipping this as a new major version. I believe this is a pre-existing bug; gonna fix it.

Further comment threads (collapsed): customerio/api.py, setup.py
@hownowstephen hownowstephen merged commit 1c79c53 into main May 6, 2026
10 checks passed