feat(dependabot): ✨ add dependabot for updating Python dependencies

[martonvago]

Description

This PR adds dependabot and configures it to update Python dependencies (managed by Poetry) in this repository.
The PRs will look something like:

See also Issue seedcase-project/.github#24

Testing

• Yes
• No, not needed (give a reason below)
• No, I need help writing them

I tested it in a minimal repo and it seemed to behave as expected.

Reviewer Focus

This PR only needs a quick review.

Checklist

For all PRs that are not general documentation

• Tests accompany or reflect changes to the code
• Tests ran and passed locally
• Ran the linter and formatter
• Build has passed locally
• Relevant documentation has been updated

[martonvago]

To update the version constraint in the manifest file only if the new version is not in range. Seems like some people prefer this because it leads to fewer updates on the whole, but I don't have any deeper insight

[lwjohnst86]

How does this work for poetry managed projects? There is no manifest file for poetry projects.

[martonvago]

Ah, I thought pyproject.toml was the ?equivalent of the? manifest file. In any case, with increase-if-necessary pyproject.toml will only be updated if the new version is outside the range specified in pyproject.toml.

[lwjohnst86]

Hmm, it seems that it only updates the poetry lock file: dependabot/dependabot-core#8603 which seems to be waiting on python-poetry/poetry-core#708

Maybe we wait a bit for those PRs to be merged, since it doesn't make sense to only update the lock file and not the pyproject.toml file.

[martonvago]

Hmm, but then I'm a bit confused about why it updated both of them in my test repo (e.g. if you look at this PR). Or am I looking at the wrong thing?

[lwjohnst86]

Hmmm, that is super odd... What's the open issues for then?? Well, let's just try it out and see how it works 😋😋

[martonvago]

I read around a bit about what some sensible default settings might be, but it's still pretty bare bones, so feel free to ignore or change.

I'm also not sure if any other future repos might want to use the same setup, in which case we might want it to be synced across them like some other files.

[signekb]

Looks good to me! I don't know much about dependabot, but I think it's nice to start implementing it :)
@lwjohnst86 should this be in the .github repo?