Enable Dependabot to update the actions in ci.yml

[seanh]

Problem: how to keep ci.yml's GitHub Actions up to date?

The pypi.yml GitHub Actions workflow that the cookiecutter renders into projects is actually just a caller workflow for the pypi.yml shared workflow. This has the advantage that Dependabot can keep actions in the shared workflow up to date for us and all of the actions (git checkout, Python package) are in the shared workflow, the caller workflow doesn't contain any actions to update.

Unfortunately the same is not true of the ci.yml workflow that the cookiecutter renders into projects. This workflow contains various versioned actions (git checkout, Python setup, caching, uploading and downloading artifacts). We can't have Dependabot update the copies of this workflow file in each project because that would cause the project to deviate from the template: make template would undo Dependabot's changes. Nor can we have Dependabot update the template ci.yml file in the cookiecutters repo because it's not a YAML file that Dependabot will understand, it's a Jinja2 template (it's also not in a location that Dependabot looks for).

Solution

Untried, but a possible solution might be to create a ci.yml workflow in the shared repo that:

1. Checks out the git repo
2. Sets up the Python versions
3. Runs a command in tox

With the Python versions and the tox command being arguments. Each project's ci.yml file will then make several calls to this shared workflow (one for each job).

The aim is for all the actions (and their version numbers) to live in a non-templated shared workflow that can be updated by Dependabot and for the project's workflow to not contain any actions version numbers itself.

The devil will be in the details though as there's caching, coverage artifacts, etc.