Make Dependabot pip PRs produce coherent hash-pinned lockfiles#14

Merged: brianmacy merged 2 commits into Placekey:main from brianmacy:chore/dependabot-friendlier on Apr 22, 2026

Conversation

@brianmacy (Contributor)

Summary

Context: after #7 merged, Dependabot opened 6 pip PRs within 5 minutes. The GitHub Actions ones (#8, #9, #10) were clean. The pip ones (#11 ipykernel 7.2, #12 awscli 1.44.84, #13 pandas 3.0.2) were all red. Two failure modes, both inherent to Dependabot's pip ecosystem:

  1. Capped-major bumps get proposed anyway. #11 and #13 cross caps in requirements.in (ipykernel<7.0, pandas<3.0). Dependabot reads requirements.txt directly and doesn't honor .in ranges, so the lockfile drift-check job fires every time.
  2. Hash set goes incoherent. When a direct-dep bump shifts transitives, Dependabot's pip updater edits a few == pins but leaves other transitives unversioned / un-hashed. pip install --require-hashes rejects the file. That's what killed #12 (deps(deps): bump awscli from 1.44.81 to 1.44.84 in the aws group across 1 directory) even though its version is range-compatible.

Neither is fixable by tweaking requirements.in. This PR addresses both.

Changes

  • Drop the lockfile drift-check job in tests.yml. It was brittle against uv version skew and didn't pull its weight once caps live in dependabot.yml.
  • Add ignore: rules in dependabot.yml mirroring requirements.in's upper bounds. Dependabot no longer proposes capped majors, so the weekly pip PR stream shrinks to patch/minor only. Folium is intentionally uncapped (0.x for a decade; eventual 1.0 expected non-breaking per upstream's changelog cadence).
  • Add .github/workflows/dependabot-lockfile.yml — a pull_request_target workflow that fires on Dependabot pip PRs, regenerates requirements.txt with uv pip compile --universal --generate-hashes, pushes the coherent lockfile back onto the PR branch, and re-dispatches validation CI. Runs only for the dependabot[bot] actor.
  • README: document the new flow (caps live in two places; auto-regen workflow handles hash coherence).

Why pull_request_target

pull_request from Dependabot runs with a read-only token and can't push back. pull_request_target runs with the base branch's perms and can, but is scoped only to this workflow and gated on github.actor == 'dependabot[bot]', so no attacker-controlled code executes with elevated perms. Pushes made via GITHUB_TOKEN don't re-trigger workflows automatically, so the workflow also re-dispatches tests.yml, notebook-ci.yml, notebook-hygiene.yml, and deps-audit.yml against the updated branch.

Test plan

🤖 Generated with Claude Code
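A pre-flight check for the two failure modes named in the summary, added here as an example and not taken from this PR or its workflow: it reads the `<` upper bounds out of a requirements.in, then reports every lockfile line that is not `==`-pinned, carries no `--hash` entry (what `pip install --require-hashes` rejects), or exceeds a cap. Package names mirror the PR; the lockfile contents and sha256 values are constructed placeholders.

```python
import re
# Constructed sample input (not from the PR) in the shape Dependabot's pip updater
# leaves behind: the bumped direct deps are re-pinned and hashed, one transitive is
# re-pinned without hashes, another is left unpinned. sha256 values are placeholders.
REQUIREMENTS_IN = "awscli<2.0\nipykernel<7.0\npandas<3.0\nfolium\n"
LOCKFILE = """\
awscli==1.44.84 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
botocore==1.44.84
docutils>=0.10,<0.17
pandas==3.0.2 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000003
"""

def _version_key(version):
    """Numeric tuple for plain X.Y.Z versions; enough to compare against '<' caps."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def parse_caps(in_text):
    """Map package name -> exclusive upper bound taken from '<X.Y' in requirements.in."""
    caps = {}
    for line in in_text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.\-]+)\s*(.*)$", line.split("#")[0])
        cap = m and re.search(r"<(?!=)\s*([0-9.]+)", m.group(2))
        if cap:
            caps[m.group(1).lower()] = cap.group(1)
    return caps

def parse_lockfile(lock_text):
    """Yield (name, specifier, hash_count) per logical line, joining '\\' continuations."""
    for line in re.sub(r"\\\n\s*", " ", lock_text).splitlines():
        line = line.split("#")[0].split(";")[0].strip()   # drop comments and env markers
        if not line or line.startswith("-"):              # skip pip options like --index-url
            continue
        requirement, *options = line.split()
        m = re.match(r"^([A-Za-z0-9_.\-]+)(.*)$", requirement)
        yield m.group(1).lower(), m.group(2), sum(o.startswith("--hash=") for o in options)

def check_lockfile(lock_text, in_text):
    """Return problem strings; [] means every line is '=='-pinned, hashed and within caps."""
    caps, problems = parse_caps(in_text), []
    for name, spec, hash_count in parse_lockfile(lock_text):
        pin = re.fullmatch(r"==\s*([0-9][0-9A-Za-z.]*)", spec.strip())
        if not pin:
            problems.append(f"{name}: not pinned with '==' ({spec or 'no specifier'})")
        elif hash_count == 0:
            problems.append(f"{name}=={pin.group(1)}: no --hash entries")
        if pin and name in caps and _version_key(pin.group(1)) >= _version_key(caps[name]):
            problems.append(f"{name}=={pin.group(1)}: exceeds requirements.in cap <{caps[name]}")
    return problems
```

Run against a Dependabot branch before CI, it separates a range-incompatible bump (cap violation) from an incoherent hash set, the two cases the summary distinguishes.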

- Drop the `lockfile` drift-check job in tests.yml. It only enforced
  the .in → .txt relationship and produced brittle failures whenever uv
  version or PyPI state differed between local and CI.
- Add `ignore:` rules in dependabot.yml mirroring requirements.in's
  upper bounds. Dependabot no longer proposes capped majors, so the
  weekly pip PR stream shrinks to patch/minor only. Folium is
  intentionally uncapped (0.x for a decade; eventual 1.0 expected
  non-breaking).
- Add dependabot-lockfile.yml: a pull_request_target workflow that
  fires on Dependabot pip PRs and regenerates requirements.txt with
  `uv pip compile --universal --generate-hashes` so the hash set stays
  coherent across transitives. Dependabot's own pip ecosystem bumps a
  direct dep's pin without re-pinning/re-hashing transitives, which
  breaks `pip install --require-hashes` (observed on PR #12). The
  workflow also re-dispatches validation CI against the updated branch
  since pushes via GITHUB_TOKEN don't trigger workflows by default.
- README: document the new flow — caps in two places, auto-regen
  workflow handles hash coherence.

Pass PR-controlled values (head ref, PR number, repo) through env vars
instead of interpolating them directly into inline shell commands.

brianmacy merged commit 9c33eb4 into Placekey:main on Apr 22, 2026
8 checks passed