use pip-compile and dependabot grouped updates (#5329)

.github/dependabot.yml

@@ -1,9 +1,18 @@
 version: 2
 updates:
-- package-ecosystem: "github-actions"
-  directory: "/"
-  schedule:
-    interval: "monthly"
-    day: "monday"
-    time: "16:00"
-    timezone: "UTC"
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+    groups:
+      github-actions:
+        patterns:
+          - '*'
+  - package-ecosystem: pip
+    directory: /requirements/
+    schedule:
+      interval: monthly
+    groups:
+      python-requirements:
+        patterns:
+          - '*'

.github/workflows/lock.yaml

@@ -1,8 +1,8 @@
-name: 'Lock threads'
-# Lock closed issues that have not received any further activity for
-# two weeks. This does not close open issues, only humans may do that.
-# We find that it is easier to respond to new issues with fresh examples
-# rather than continuing discussions on old issues.
+name: 'Lock inactive closed issues'
+# Lock closed issues that have not received any further activity for two weeks.
+# This does not close open issues, only humans may do that. We find that it is
+# easier to respond to new issues with fresh examples rather than continuing
+# discussions on old issues.
 
 on:
   schedule:

.github/workflows/publish.yaml

@@ -13,8 +13,8 @@ jobs:
       - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1
         with:
           python-version: '3.x'
-          cache: 'pip'
-          cache-dependency-path: 'requirements/*.txt'
+          cache: pip
+          cache-dependency-path: requirements*/*.txt
       - run: pip install -r requirements/build.txt
       # Use the commit date instead of the current date during the build.
       - run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
@@ -27,7 +27,7 @@ jobs:
         with:
           path: ./dist
   provenance:
-    needs: ['build']
+    needs: [build]
     permissions:
       actions: read
       id-token: write
@@ -39,7 +39,7 @@ jobs:
   create-release:
     # Upload the sdist, wheels, and provenance to a GitHub release. They remain
     # available as build artifacts for a while as well.
-    needs: ['provenance']
+    needs: [provenance]
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -53,16 +53,15 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
   publish-pypi:
-    needs: ['provenance']
+    needs: [provenance]
     # Wait for approval before attempting to upload to PyPI. This allows reviewing the
     # files in the draft release.
-    environment: 'publish'
+    environment: publish
     runs-on: ubuntu-latest
     permissions:
       id-token: write
     steps:
       - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
-      # Try uploading to Test PyPI first, in case something fails.
       - uses: pypa/gh-action-pypi-publish@b7f401de30cb6434a1e19f805ff006643653240e
         with:
           repository-url: https://test.pypi.org/legacy/

.github/workflows/tests.yaml

@@ -9,9 +9,6 @@ on:
       - '*.md'
       - '*.rst'
   pull_request:
-    branches:
-      - main
-      - '*.x'
     paths-ignore:
       - 'docs/**'
       - '*.md'
@@ -24,24 +21,24 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - {name: Linux, python: '3.11', os: ubuntu-latest, tox: py311}
-          - {name: Windows, python: '3.11', os: windows-latest, tox: py311}
-          - {name: Mac, python: '3.11', os: macos-latest, tox: py311}
-          - {name: '3.12-dev', python: '3.12-dev', os: ubuntu-latest, tox: py312}
+          - {name: Linux, python: '3.12', os: ubuntu-latest, tox: py312}
+          - {name: Windows, python: '3.12', os: windows-latest, tox: py312}
+          - {name: Mac, python: '3.12', os: macos-latest, tox: py312}
+          - {name: '3.11', python: '3.11', os: ubuntu-latest, tox: py311}
           - {name: '3.10', python: '3.10', os: ubuntu-latest, tox: py310}
           - {name: '3.9', python: '3.9', os: ubuntu-latest, tox: py39}
           - {name: '3.8', python: '3.8', os: ubuntu-latest, tox: py38}
           - {name: 'PyPy', python: 'pypy-3.10', os: ubuntu-latest, tox: pypy310}
-          - {name: 'Minimum Versions', python: '3.11', os: ubuntu-latest, tox: py311-min}
+          - {name: 'Minimum Versions', python: '3.12', os: ubuntu-latest, tox: py312-min}
           - {name: 'Development Versions', python: '3.8', os: ubuntu-latest, tox: py38-dev}
-          - {name: Typing, python: '3.11', os: ubuntu-latest, tox: typing}
+          - {name: Typing, python: '3.12', os: ubuntu-latest, tox: typing}
     steps:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
       - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1
         with:
           python-version: ${{ matrix.python }}
           cache: 'pip'
-          cache-dependency-path: 'requirements/*.txt'
+          cache-dependency-path: requirements*/*.txt
       - name: cache mypy
         uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
         with:

.pre-commit-config.yaml

@@ -25,10 +25,6 @@ repos:
         additional_dependencies:
           - flake8-bugbear
           - flake8-implicit-str-concat
-  - repo: https://github.com/peterdemin/pip-compile-multi
-    rev: v2.6.3
-    hooks:
-      - id: pip-compile-multi-verify
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.4.0
     hooks:

.readthedocs.yaml

@@ -1,8 +1,8 @@
 version: 2
 build:
-  os: ubuntu-20.04
+  os: ubuntu-22.04
   tools:
-    python: "3.10"
+    python: "3.12"
 python:
   install:
     - requirements: requirements/docs.txt

requirements-skip/README.md

@@ -0,0 +1,2 @@
+Dependabot will only update files in the `requirements` directory. This directory is
+separate because the pins in here should not be updated automatically.

requirements-skip/tests-dev.txt

@@ -0,0 +1,6 @@
+https://github.com/pallets/werkzeug/archive/refs/heads/main.tar.gz
+https://github.com/pallets/jinja/archive/refs/heads/main.tar.gz
+https://github.com/pallets/markupsafe/archive/refs/heads/main.tar.gz
+https://github.com/pallets/itsdangerous/archive/refs/heads/main.tar.gz
+https://github.com/pallets/click/archive/refs/heads/main.tar.gz
+https://github.com/pallets-eco/blinker/archive/refs/heads/main.tar.gz

requirements/tests-pallets-min.in → requirements-skip/tests-min.in

@@ -1,6 +1,6 @@
-Werkzeug==3.0.0
-Jinja2==3.1.2
-MarkupSafe==2.1.1
+werkzeug==3.0.0
+jinja2==3.1.2
+markupsafe==2.1.1
 itsdangerous==2.1.2
 click==8.1.3
 blinker==1.6.2

requirements-skip/tests-min.txt

@@ -0,0 +1,21 @@
+#
+# This file is autogenerated by pip-compile with Python 3.11
+# by the following command:
+#
+#    pip-compile tests-min.in
+#
+blinker==1.6.2
+    # via -r tests-min.in
+click==8.1.3
+    # via -r tests-min.in
+itsdangerous==2.1.2
+    # via -r tests-min.in
+jinja2==3.1.2
+    # via -r tests-min.in
+markupsafe==2.1.1
+    # via
+    #   -r tests-min.in
+    #   jinja2
+    #   werkzeug
+werkzeug==3.0.0
+    # via -r tests-min.in

requirements/build.txt

@@ -1,13 +1,12 @@
-# SHA1:80754af91bfb6d1073585b046fe0a474ce868509
 #
-# This file is autogenerated by pip-compile-multi
-# To update, run:
+# This file is autogenerated by pip-compile with Python 3.11
+# by the following command:
 #
-#    pip-compile-multi
+#    pip-compile build.in
 #
-build==0.10.0
-    # via -r requirements/build.in
-packaging==23.1
+build==1.0.3
+    # via -r build.in
+packaging==23.2
     # via build
 pyproject-hooks==1.0.0
     # via build

requirements/dev.in

@@ -1,6 +1,6 @@
 -r docs.in
 -r tests.in
 -r typing.in
-pip-compile-multi
+pip-tools
 pre-commit
 tox