
Enable Dependabot for Python dependency updates #7282

@GeigerJ2


Ping @agoscinski @danielhollas
(this came up while working on the developer guide in #7215)

Problem

We currently have no automated mechanism to track new releases of our Python dependencies. Dependabot is already configured for GitHub Actions updates (.github/dependabot.yml), but not for Python packages.

Incompatibilities are only caught reactively — either by the nightly test-install workflow or when a developer happens to notice. This was previously handled by a dedicated Dependency Manager role (AEP 002), but that role has not really been enforced in recent years (and everyone did a bit of dependency management, as it became relevant).

Proposal

Extend .github/dependabot.yml to also cover Python dependencies:

- package-ecosystem: pip
  directory: /
  schedule:
    interval: monthly
  groups:
    python-minor-patch:
      update-types:
      - minor
      - patch

This would make Dependabot open PRs to bump versions in pyproject.toml (and uv.lock if supported).

Considerations

  • Grouping: Minor/patch updates are grouped into a single monthly PR (as shown above) to avoid noise — this addresses the concern raised in Keeping dependencies up-to-date #4799. Major version bumps get individual PRs for easier review.
  • Loose constraints: Our pyproject.toml uses compatible release (~=) and range operators, not pinned versions. Dependabot PRs would bump the lower bounds or widen ranges — review carefully to avoid unnecessary constraint tightening.
  • Lock file: uv.lock should be updated alongside pyproject.toml changes. Dependabot has experimental uv support; check whether it updates uv.lock automatically, or whether the existing uv-lock pre-commit hook covers it when the PR is checked out locally.
  • environment.yml: Changes to pyproject.toml also need to be reflected in environment.yml via ./utils/dependency_management.py generate-all. This is handled by a pre-commit hook, but Dependabot PRs may not trigger it — a CI check or manual step may be needed.
  • Nightly CI complement: The existing nightly test-install workflow tests against loose constraints and catches breakage from new upstream releases. Dependabot complements this by proactively proposing the version bumps, rather than waiting for something to break.
  • conda-forge sync: After merging a Dependabot PR, verify that the updated dependency version is also available on conda-forge, since we require dual availability (PyPI + conda-forge).
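The conda-forge sync check above, as an added example that is not aiida-core's own tooling: it parses requirement strings in the ~= and range forms the issue describes and asks whether any version in an offline conda-forge version table satisfies the bumped constraint. The CONDA_FORGE_VERSIONS table and the PROPOSED list are constructed samples; a real check would read the channel's repodata instead.

```python
import operator
import re

# Constructed sample of what conda-forge ships; a real check would read channel repodata.
CONDA_FORGE_VERSIONS = {
    "click": ["8.1.3", "8.1.7", "8.2.0"],
    "pyyaml": ["6.0", "6.0.1"],
    "sqlalchemy": ["2.0.25", "2.0.30"],
}
# Constructed requirement lines, as a Dependabot PR might leave them in pyproject.toml.
PROPOSED = ["click~=8.1.7", "pyyaml>=6.0,<7", "sqlalchemy~=2.0.31", "numpy>=1.26"]

# name, optional [extras], version clauses; environment markers after ';' are ignored.
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9_.-]*)(?:\[[^\]]*\])?\s*([^;]*)")
_CLAUSE = re.compile(r"(~=|==|!=|>=|<=|>|<)\s*([0-9][0-9A-Za-z.]*)")
_OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le,
        "<": operator.lt, "==": operator.eq, "!=": operator.ne}

def parse_version(text):
    """'8.1.7' -> (8, 1, 7); non-numeric parts (rc1, dev) are treated as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def _padded(a, b):
    """Pad to equal length so 6.0 compares equal to 6.0.0, as PEP 440 requires."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def satisfies(version, spec):
    """True if `version` meets every clause in `spec` (no wildcards or pre-releases)."""
    v = parse_version(version)
    for op, bound in _CLAUSE.findall(spec):
        b = parse_version(bound)
        if op == "~=":
            # ~=X.Y.Z means >=X.Y.Z and ==X.Y.*: same prefix up to the last component
            if not (_OPS[">="](*_padded(v, b)) and v[:len(b) - 1] == b[:-1]):
                return False
        elif not _OPS[op](*_padded(v, b)):
            return False
    return True

def conda_forge_matches(requirement, table=CONDA_FORGE_VERSIONS):
    """conda-forge versions that satisfy one (bumped) requirement string."""
    name, spec = _REQ.match(requirement).groups()
    name = name.lower().replace("_", "-")  # PEP 503 style name normalisation
    return [v for v in table.get(name, []) if satisfies(v, spec)]

def unsatisfiable_bumps(requirements, table=CONDA_FORGE_VERSIONS):
    """Requirements whose new constraint no conda-forge build can meet."""
    return [r for r in requirements if not conda_forge_matches(r, table)]
```

Running unsatisfiable_bumps(PROPOSED) flags the sqlalchemy and numpy lines, which is the point at which the PR should wait for conda-forge rather than be merged.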
