try dependabot for pinned action-constraints.txt

[jku]

I've seen it mentioned that dependabot can actually use pip-compile in some situations: this would be preferable to the hack workflow we now have...

I assume there is some heuristic in dependabot where a <FILE>.in and a <FILE>.txt in same directory trigger using pip-compile... and our case hasn't worked because there is no .in file currently: should test this

[jku]

unfortunately the hashes still seems tricky:

• we want to install tuf-on-ci from the current commit (so not hash pinned from pip perspective)
• pip-compile adds tuf-on-ci into requirements.txt
• pip will not accept a requirements.txt where some files have hashes and some do not

In general it feels tricky to install the python code from the same commit:

• the current setup pip-compile ... repo/pyproject.toml does what I want: only lists dependencies in the requirements file, does not list tuf-on-ci itself
• dependabot does not understand it should do this however
• but any other mechanism adds tuf-on-ci to the pinned list in some way that is not really useful for installing from source ... e.g. tuf-on-ci @ file:///home/jkukkonen/src/tuf-on-ci/repo

[jku]

These issues kind of imply that the actions should not install the python code from source, but should use a release (of some kind) so the installation would be more standard... The problem is that I want to be able to run the whole thing from any commit, not just releases. So we are at an impasse