Use Dependabot to manage Poetry dependency
This project uses Poetry to manage the Python package dependencies. The pipx tool is used in the GitHub Actions workflows to install Poetry in an isolated environment.

Previously, the pipx commands used in the workflows caused the latest version of Poetry to be installed. This uncontrolled versioning approach might result in breakage of the project infrastructure at any time.

The obvious solution would be to specify the Poetry version in the pipx command (e.g. `pipx install poetry==1.6.1`). The problem with that approach is that there is no mechanism for automating the update process, making it likely that the project infrastructure would use increasingly outdated Poetry versions over time.

The project already uses the Dependabot service for automation of controlled updates of the Python package dependencies, but previously was not used to update the Poetry dependency. This is accomplished by adding the Poetry dependency to the dependency configuration file.

Dependabot recognizes two forms of dependency data in the pyproject.toml file used to define the Python package dependencies:

- Poetry
- PEP 621

Since Poetry can't be used to manage itself, the obvious approach would be to define the Poetry dependency in a PEP 621 field in the file. However, this is not possible because if Dependabot finds Poetry data in pyproject.toml, it ignores the PEP 621 fields. So it is necessary to define the Poetry dependency in the Poetry fields of the file. A special dependencies group is created for this purpose and that group is excluded in the `poetry install` commands.

Unfortunately pipx doesn't support using dependency configuration files so it is necessary to generate the dependency argument in the pipx command by parsing the project.toml file.