Appenv projects: support tools like renovate and dependabot

[elikoga]

Ultimately, deployments using e.g. batou, which use appenv as it's installation mechanism, save their requirements in the repository where appenv is used.

Since the requirements are locked by appenv, only the specified versions are used. Usage may run outdated and vulnerable dependency versions.

Tools like renovate and dependabot can update locked dependencies and warn if dependency requirements exclude known safe versions.

[elikoga]

Both renovate and dependabot only support a variety of pre-defined project package managers:
renovate manager support
Dependabot Supported ecosystems and repositories

While renovate supports some sort of mechanism that allows us to use custom files (fileMatch), dependabot does not.

Ultimately though, both support pip-compile

The pip-compile dependency locking format works (in the most basic way) by consuming a recuirements.in file and producing a requirements.txt file with locked dependencies.

This is similiar to appenvs locking format that consumes a requirements.txt and produces a requirements.lock.

[elikoga]

How to implement:
New Appenv Project format: Follow pip-compile's format and read a requirements.in and produce a requirements.txt

Add #1 together with a versioning scheme for appenv repositories that allows for executing migrations when upgrading in between versions.

[elikoga]

https://pypi.org/project/appenv/#description

releases gehören hierzu

[elikoga]

We can consider using uv with their pip compile integration