Dependabot ecosystem for PDM

[mrharpo]

Thanks for making such a versatile and robust tool! We are using it for all our python tools in our department.

Dependabot

The issue of Dependabot support has come up a few times here (Support for Dependabot, Add pdm parse to dependabot), but recently, the Dependabot team changed their policies and are accepting community submissions for new ecosystems:

If you are an ecosystem maintainer and are interested in integrating with Dependabot, and are willing to help provide the expertise necessary to build and support it, please open an issue and let us know so that we can discuss.

Currently

There is an open issue for adding support, but no updates recently. Looking through the source code shows a partial implementation with the pyproject parser, but:

     # PDM is not yet supported, so we want to ignore it for now because in
     # the current state of things, going on would result in updating
     # pyproject.toml but leaving pdm.lock out of sync, which is
     # undesirable. Leave PDM alone until properly supported

Not sure how far along this is, or what is left, but it seems like a lockfile parser is the next step towards a solution.

Is there any interest to help finish the Dependabot integration?

Update Action

In case it's helpful for anyone: until we have full dependabot support, we are running a custom GitHub Action that runs pdm update [args] on a weekly basis.