Calm down dependabot

[maread99]

Given the number and nature of dev dependencies, dependabot would raise PRs pretty much every day (if it weren't limited to 5). Merging them all would clog up the commit history (I currently ignore them and raise a single PR manually every couple of weeks or so).

I'm thinking the ideal would be:

• Update dependencies once a fortnight, even monthly, via either
  • as presently, update manually via running the following pip-compile commands and raising a PR with the changes:
    • pip-compile --upgrade pyproject.toml
    • pip-compile --upgrade --extra=dev --output-file=requirements_dev.txt pyproject.toml (output location could change if set up dependabot for main requirements only...)
  • set up a GH workflow to automate the above, set to run once a month (see Run github cron workflow to update deps gerrymanoim/exchange_calendars#238).
• Use dependabot ONLY for the main requirements (not the dev). Don't merge the PRs that dependabot raises (rely instead on the above) but having dependabot raise the PRs will give an immediate heads up if a dependency upgrade causes market_prices to fail (as the tests executed when the PR is raised will show as failing).
  • This would require having requirements.txt in a separate directory to the requirements_dev.txt file. Probably could just move the requirements_dev.txt to a sub-directory (have a look through the workflows to change the location of any of them that look at it). EDIT - Done Add ETF Mappings and update dependencies #105. EDIT - that didn't work, dependabot looks in the configured directory and all its subdirectories, i.e. under the previous arrangement, with the configured directory as the project root, dependabot could still find requirements_dev.txt. Move requirements.txt #116 moves requirements.txt to a dedicated folder and sets dependabot to look only at that folder. The following dependabot issues cover ongoing conversations WRT making it easier to define / ignore the lock files that dependabot acts on:
    • Ignore manifests in specific subdirectories dependabot/dependabot-core#4364
    • How to add multiple directories in dependabot.yml config file? dependabot/dependabot-core#2824

[maread99]

That never worked as the tests triggered by the dependabot PRs were being executed in an environment that, necessarily, used the requirements_tests.txt file to install the dependencies, rather than the requirements.txt file that had been changed by the dependabot PR. Consequently was failing to test for compatibility with the bumped dependencies (rather tests were being run against the prior versions as defined on the requirments_test.txt).

#179 fixes by pointing dependabot at requirements_test.txt.