use pip-compile and dependabot grouped updates (#2656)

.github/dependabot.yml

@@ -1,9 +1,18 @@
 version: 2
 updates:
-- package-ecosystem: "github-actions"
-  directory: "/"
-  schedule:
-    interval: "monthly"
-    day: "monday"
-    time: "16:00"
-    timezone: "UTC"
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+    groups:
+      github-actions:
+        patterns:
+          - '*'
+  - package-ecosystem: pip
+    directory: /requirements/
+    schedule:
+      interval: monthly
+    groups:
+      python-requirements:
+        patterns:
+          - '*'

.github/workflows/lock.yaml

@@ -1,8 +1,8 @@
-name: 'Lock threads'
-# Lock closed issues that have not received any further activity for
-# two weeks. This does not close open issues, only humans may do that.
-# We find that it is easier to respond to new issues with fresh examples
-# rather than continuing discussions on old issues.
+name: 'Lock inactive closed issues'
+# Lock closed issues that have not received any further activity for two weeks.
+# This does not close open issues, only humans may do that. We find that it is
+# easier to respond to new issues with fresh examples rather than continuing
+# discussions on old issues.
 
 on:
   schedule:

.github/workflows/publish.yaml

@@ -9,12 +9,12 @@ jobs:
     outputs:
       hash: ${{ steps.hash.outputs.hash }}
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
-      - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1
+      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
+      - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
         with:
           python-version: '3.x'
-          cache: 'pip'
-          cache-dependency-path: 'requirements/*.txt'
+          cache: pip
+          cache-dependency-path: requirements/*.txt
       - run: pip install -r requirements/build.txt
       # Use the commit date instead of the current date during the build.
       - run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
@@ -27,19 +27,19 @@ jobs:
         with:
           path: ./dist
   provenance:
-    needs: ['build']
+    needs: [build]
     permissions:
       actions: read
       id-token: write
       contents: write
     # Can't pin with hash due to how this workflow works.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.7.0
     with:
       base64-subjects: ${{ needs.build.outputs.hash }}
   create-release:
     # Upload the sdist, wheels, and provenance to a GitHub release. They remain
     # available as build artifacts for a while as well.
-    needs: ['provenance']
+    needs: [provenance]
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -53,19 +53,19 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
   publish-pypi:
-    needs: ['provenance']
+    needs: [provenance]
     # Wait for approval before attempting to upload to PyPI. This allows reviewing the
     # files in the draft release.
-    environment: 'publish'
+    environment: publish
     runs-on: ubuntu-latest
     permissions:
       id-token: write
     steps:
       - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
-      - uses: pypa/gh-action-pypi-publish@b7f401de30cb6434a1e19f805ff006643653240e
+      - uses: pypa/gh-action-pypi-publish@29930c9cf57955dc1b98162d0d8bc3ec80d9e75c
         with:
-          repository_url: https://test.pypi.org/legacy/
-          packages_dir: artifact/
-      - uses: pypa/gh-action-pypi-publish@b7f401de30cb6434a1e19f805ff006643653240e
+          repository-url: https://test.pypi.org/legacy/
+          packages-dir: artifact/
+      - uses: pypa/gh-action-pypi-publish@29930c9cf57955dc1b98162d0d8bc3ec80d9e75c
         with:
           packages-dir: artifact/

.github/workflows/tests.yaml

@@ -9,9 +9,6 @@ on:
       - '*.md'
       - '*.rst'
   pull_request:
-    branches:
-      - main
-      - '*.x'
     paths-ignore:
       - 'docs/**'
       - '*.md'
@@ -24,27 +21,32 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - {name: Linux, python: '3.11', os: ubuntu-latest, tox: py311}
-          - {name: Windows, python: '3.11', os: windows-latest, tox: py311}
-          - {name: Mac, python: '3.11', os: macos-latest, tox: py311}
-          - {name: '3.12-dev', python: '3.12-dev', os: ubuntu-latest, tox: py312}
+          - {name: Linux, python: '3.12', os: ubuntu-latest, tox: py312}
+          - {name: Windows, python: '3.12', os: windows-latest, tox: py312}
+          - {name: Mac, python: '3.12', os: macos-latest, tox: py312}
+          - {name: '3.11', python: '3.11', os: ubuntu-latest, tox: py311}
           - {name: '3.10', python: '3.10', os: ubuntu-latest, tox: py310}
           - {name: '3.9', python: '3.9', os: ubuntu-latest, tox: py39}
           - {name: '3.8', python: '3.8', os: ubuntu-latest, tox: py38}
           - {name: 'PyPy', python: 'pypy-3.10', os: ubuntu-latest, tox: pypy310}
-          - {name: Typing, python: '3.11', os: ubuntu-latest, tox: typing}
+          - {name: Typing, python: '3.12', os: ubuntu-latest, tox: typing}
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
-      - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+      - uses: actions/setup-python@5ccb29d8773c3f3f653e1705f474dfaa8a06a912
         with:
           python-version: ${{ matrix.python }}
-          cache: 'pip'
-          cache-dependency-path: 'requirements/*.txt'
+          cache: pip
+          cache-dependency-path: requirements/*.txt
+      - name: update pip
+        run: |
+          pip install -U wheel
+          pip install -U setuptools
+          python -m pip install -U pip
       - name: cache mypy
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
+        uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12
         with:
           path: ./.mypy_cache
-          key: mypy|${{ matrix.python }}|${{ hashFiles('pyproject.toml') }}
+          key: mypy|${{ matrix.python }}|${{ hashFiles('setup.cfg') }}
         if: matrix.tox == 'typing'
       - run: pip install tox
       - run: tox run -e ${{ matrix.tox }}

.readthedocs.yaml

@@ -1,8 +1,8 @@
 version: 2
 build:
-  os: ubuntu-20.04
+  os: ubuntu-22.04
   tools:
-    python: "3.10"
+    python: "3.12"
 python:
   install:
     - requirements: requirements/docs.txt

requirements/build.txt

@@ -1,13 +1,12 @@
-# SHA1:80754af91bfb6d1073585b046fe0a474ce868509
 #
-# This file is autogenerated by pip-compile-multi
-# To update, run:
+# This file is autogenerated by pip-compile with Python 3.12
+# by the following command:
 #
-#    pip-compile-multi
+#    pip-compile build.in
 #
-build==0.10.0
-    # via -r requirements/build.in
-packaging==23.1
+build==1.0.3
+    # via -r build.in
+packaging==23.2
     # via build
 pyproject-hooks==1.0.0
     # via build

requirements/dev.in

@@ -1,6 +1,6 @@
 -r docs.in
 -r tests.in
 -r typing.in
-pip-compile-multi
+pip-tools
 pre-commit
 tox

requirements/dev.txt

@@ -1,60 +1,140 @@
-# SHA1:54b5b77ec8c7a0064ffa93b2fd16cb0130ba177c
 #
-# This file is autogenerated by pip-compile-multi
-# To update, run:
+# This file is autogenerated by pip-compile with Python 3.12
+# by the following command:
 #
-#    pip-compile-multi
+#    pip-compile dev.in
 #
--r docs.txt
--r tests.txt
--r typing.txt
-build==0.10.0
+alabaster==0.7.13
+    # via sphinx
+babel==2.14.0
+    # via sphinx
+build==1.0.3
     # via pip-tools
-cachetools==5.3.1
+cachetools==5.3.2
     # via tox
+certifi==2023.11.17
+    # via requests
 cfgv==3.4.0
     # via pre-commit
 chardet==5.2.0
     # via tox
-click==8.1.6
-    # via
-    #   pip-compile-multi
-    #   pip-tools
+charset-normalizer==3.3.2
+    # via requests
+click==8.1.7
+    # via pip-tools
 colorama==0.4.6
     # via tox
-distlib==0.3.7
+distlib==0.3.8
     # via virtualenv
-filelock==3.12.2
+docutils==0.18.1
+    # via
+    #   sphinx
+    #   sphinx-tabs
+filelock==3.13.1
     # via
     #   tox
     #   virtualenv
-identify==2.5.26
+identify==2.5.33
     # via pre-commit
-pip-compile-multi==2.6.3
-    # via -r requirements/dev.in
+idna==3.6
+    # via requests
+imagesize==1.4.1
+    # via sphinx
+iniconfig==2.0.0
+    # via pytest
+jinja2==3.1.2
+    # via sphinx
+markupsafe==2.1.3
+    # via jinja2
+mypy==1.8.0
+    # via -r typing.in
+mypy-extensions==1.0.0
+    # via mypy
+nodeenv==1.8.0
+    # via
+    #   pre-commit
+    #   pyright
+packaging==23.2
+    # via
+    #   build
+    #   pallets-sphinx-themes
+    #   pyproject-api
+    #   pytest
+    #   sphinx
+    #   tox
+pallets-sphinx-themes==2.1.1
+    # via -r docs.in
 pip-tools==7.3.0
-    # via pip-compile-multi
-platformdirs==3.10.0
+    # via -r dev.in
+platformdirs==4.1.0
     # via
     #   tox
     #   virtualenv
-pre-commit==3.3.3
-    # via -r requirements/dev.in
-pyproject-api==1.5.4
+pluggy==1.3.0
+    # via
+    #   pytest
+    #   tox
+pre-commit==3.6.0
+    # via -r dev.in
+pygments==2.17.2
+    # via
+    #   sphinx
+    #   sphinx-tabs
+pyproject-api==1.6.1
     # via tox
 pyproject-hooks==1.0.0
     # via build
+pyright==1.1.343
+    # via -r typing.in
+pytest==7.4.3
+    # via -r tests.in
 pyyaml==6.0.1
     # via pre-commit
-toposort==1.10
-    # via pip-compile-multi
-tox==4.9.0
-    # via -r requirements/dev.in
-virtualenv==20.24.3
+requests==2.31.0
+    # via sphinx
+snowballstemmer==2.2.0
+    # via sphinx
+sphinx==7.2.6
+    # via
+    #   -r docs.in
+    #   pallets-sphinx-themes
+    #   sphinx-issues
+    #   sphinx-tabs
+    #   sphinxcontrib-applehelp
+    #   sphinxcontrib-devhelp
+    #   sphinxcontrib-htmlhelp
+    #   sphinxcontrib-log-cabinet
+    #   sphinxcontrib-qthelp
+    #   sphinxcontrib-serializinghtml
+sphinx-issues==3.0.1
+    # via -r docs.in
+sphinx-tabs==3.4.4
+    # via -r docs.in
+sphinxcontrib-applehelp==1.0.7
+    # via sphinx
+sphinxcontrib-devhelp==1.0.5
+    # via sphinx
+sphinxcontrib-htmlhelp==2.0.4
+    # via sphinx
+sphinxcontrib-jsmath==1.0.1
+    # via sphinx
+sphinxcontrib-log-cabinet==1.0.1
+    # via -r docs.in
+sphinxcontrib-qthelp==1.0.6
+    # via sphinx
+sphinxcontrib-serializinghtml==1.1.9
+    # via sphinx
+tox==4.11.4
+    # via -r dev.in
+typing-extensions==4.9.0
+    # via mypy
+urllib3==2.1.0
+    # via requests
+virtualenv==20.25.0
     # via
     #   pre-commit
     #   tox
-wheel==0.41.1
+wheel==0.42.0
     # via pip-tools
 
 # The following packages are considered to be unsafe in a requirements file:

requirements/docs.in

@@ -1,5 +1,5 @@
-Pallets-Sphinx-Themes
-Sphinx
+pallets-sphinx-themes
+sphinx
 sphinx-issues
 sphinxcontrib-log-cabinet
 sphinx-tabs