ci(dependabot): enable auto poetry updates

[d33bs]

Description

This PR focuses on long-term sustainability for this project by enabling Dependabot to automatically update the Poetry lockfile. Normally this is a task which must be performed manually. By enabling this change we can have Dependabot automatically update the dependency references (which still fall into the constraints of the pyproject.toml file).

Thanks for any feedback!

What is the nature of your change?

• Bug fix (fixes an issue).
• Enhancement (adds functionality).
• Breaking change (fix or feature that would cause existing functionality to not work as expected).
• This change requires a documentation update.

Checklist

Please ensure that all boxes are checked before indicating that a pull request is ready for review.

• I have read the CONTRIBUTING.md guidelines.
• My code follows the style guidelines of this project.
• I have performed a self-review of my own code.
• I have commented my code, particularly in hard-to-understand areas.
• I have made corresponding changes to the documentation.
• My changes generate no new warnings.
• New and existing unit tests pass locally with my changes.
• I have added tests that prove my fix is effective or that my feature works.
• I have deleted all non-relevant text in this pull request template.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 94.73%. Comparing base (e8880bc) to head (eea60f6).
Report is 5 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #463      +/-   ##
==========================================
- Coverage   94.74%   94.73%   -0.01%     
==========================================
  Files          57       57              
  Lines        3156     3155       -1     
==========================================
- Hits         2990     2989       -1     
  Misses        166      166              

Flag	Coverage Δ
unittests	94.73% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[kenibrewer]

@d33bs Can we apply a groups policy that will put all non-major pip updates into a single dependabot PR?

Otherwise, dependabot opens a ton of PRs that are a hassle to merge individually.

Also, what are your thoughts about having the interval be monthly instead of weekly?

[d33bs]

Thanks @gwaybio and @kenibrewer, addressing the questions below:

@d33bs Can we apply a groups policy that will put all non-major pip updates into a single dependabot PR?
Otherwise, dependabot opens a ton of PRs that are a hassle to merge individually.

I don't have as much experience with this setting and will move forward with it as you mention. I'm cautious about this generally as I'd like to see isolated updates where possible to avoid dependency management chaos through the form of troubleshooting otherwise mysterious relationships when they're all combined in one spot. That said, I don't have any evidence this would happen here (just a feeling), so let's see how it goes with grouping!

Also, what are your thoughts about having the interval be monthly instead of weekly?

Sounds good, let's move forward with monthly updates.

[kenibrewer]

Re grouping, I think the testing will hopefully catch any weirdness and let us investigate before getting merged. But if it causes problems we can definitely go back to individual PRS.

Thanks!

[d33bs]

Thanks @kenibrewer ! Merging this in.