Add Dependabot to repo #576

Closed (2 commits)

Conversation

freakboy3742
Member

In the process of investigating #575, it was revealed that dependabot wasn't configured for this repository.

This PR adds specific version pins for the GitHub Actions in use, and enables dependabot weekly updates for actions and pip. It also updates the runtime to use Python 3.12, rather than 3.7.

PR Checklist:

  • All new features have been tested
  • All new features have been documented
  • I have read the CONTRIBUTING.md file
  • I will abide by the code of conduct

@freakboy3742 freakboy3742 added the preview Approved for an automated preview label Jul 11, 2024

Visit the preview URL for this PR (updated for commit bcd8bb1):

https://beeware-org--pr576-dependabot-d5qvtlq7.web.app

(expires Thu, 18 Jul 2024 03:05:20 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: b0da44bc067e7d9a4255c77cb2c5fce572218cec

@rmartin16
Member

rmartin16 commented Jul 11, 2024

Since I'm curious :) is the intention to bump these requirements? If so, you may want to remove this comment in requirements.txt? FWIW, I'm not actually sure if Dependabot will assume an arbitrary requirements.txt file contains Python packages...but it does make sense I think...

Lektor==3.3.11
pygments==2.15.0
# Pinned dependencies.
# These are pinned because they're versions that are known to work
Babel==2.9.1
blinker==1.6.2
charset-normalizer==2.0.12
click==8.1.3
EXIFRead==2.3.2
filetype==1.0.10
Flask==2.3.2
idna==3.7
inifile==0.4.1
itsdangerous==2.1.2
Jinja2==3.1.4
MarkupSafe==2.1.1
mistune==0.8.4
python-slugify==6.1.1
requests==2.32.0
text-unidecode==1.3
urllib3==1.26.19
watchdog==2.1.7
Werkzeug==2.3.8

@freakboy3742
Member Author

Since I'm curious :) is the intention to bump these requirements?

Yes, that's the intention (or, at least, to use the same update scheme that we use on other repos).

If so, you may want to remove this comment in requirements.txt?

Everything below that line is pinning the full dependency tree. We've had some historical issues because of the interplay of dependencies between lektor, jinja, and a variety of other packages that have some weird dependency chains. So - everything above the line is stuff we're explicitly depending on; everything below is the versions that are implied, but need to be pinned to prevent dependency chaos.

It's effectively a lockfile, but without adopting a lockfile syntax. The comment won't stop being true as a result of moving to dependabot; we'll just be doing more aggressive updates over time.

FWIW, I'm not actually sure if Dependabot will assume an arbitrary requirements.txt file contains Python packages...but it does make sense I think...

According to the docs, it will - the pip target handles requirements.txt and PEP 621 pyproject.toml requirements.

@mhsmith
Member

mhsmith commented Jul 11, 2024

As it stands, this will result in Dependabot generating updates for 21 packages instead of only 2. Surely you don't want to deal with that every Monday.

If these "historical issues" have been resolved, then the pins can be removed. If they haven't been resolved, then the pins should be reduced to the minimal set required, and a comment added explaining exactly why they're necessary, so we'll know when it's safe to remove them.

@freakboy3742
Member Author

That's a fair point. We're not really exposed to any security issues here, as it's a static site generator; manually updating the pins if/when need arises will be just as viable as continuously updating. Closing.

@freakboy3742 freakboy3742 deleted the dependabot branch July 11, 2024 23:13
@rmartin16
Member

For posterity, there's still the group option for Dependabot to create a single PR to update all PyPI deps at once.
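The configuration this thread discusses (weekly Dependabot updates for both the GitHub Actions and pip ecosystems, with the group option rmartin16 mentions so that every pinned PyPI package lands in one PR instead of one PR per pin), written out as an added example for readers of this thread. It is not the dependabot.yml from this PR, and the group name, the root directory and the Monday schedule are assumptions; the ecosystem names and keys are Dependabot's documented ones.

```yaml
# .github/dependabot.yml (added example, not the file from PR #576)
version: 2
updates:
  # Keep the version pins on GitHub Actions current, one PR per action.
  - package-ecosystem: "github-actions"
    directory: "/"            # assumption: workflows live under the repo root
    schedule:
      interval: "weekly"
      day: "monday"           # assumption: Dependabot's default day anyway

  # requirements.txt is picked up by the "pip" ecosystem; with a fully pinned
  # dependency tree this would otherwise open ~21 separate PRs each week.
  - package-ecosystem: "pip"
    directory: "/"            # assumption: requirements.txt is at the repo root
    schedule:
      interval: "weekly"
      day: "monday"
    groups:
      # Assumed group name; "*" folds every PyPI update into a single PR so the
      # lektor/jinja interplay the thread describes is tested as one change.
      python-deps:
        patterns:
          - "*"
```

With the group in place, a single weekly PR carries every bump to the pinned tree, which keeps the "lockfile without lockfile syntax" behaviour the pins exist for while avoiding the per-package PR volume mhsmith objected to; the site build on that one PR is still what tells you whether the new combination of versions works.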
