Poetry 2 upgrade (PEP612-conformity) and gh-actions renovation

[dalito]

• change pyproject.toml to PEP612 style for poetry 2.x
• update all gh-actions for poetry 2.x
• change action to load other actions by hash-ID (the PR updates each to its latest release)
• enable dependabot for monthly action-updates (will create a PR not autoupdate)
• prepared pypi-publish action for trusted publishing; it is commented out now since you need to change the configuration in PyPI as well to enable it. Note that the env name is not pypias in the screenshots of the PyPI-docs but pypi-release.
• simplified the action test-upstream by using poetry sync
• figured out how to install poetry-dynamic-versioning that it actually works in gh-actions with current poetry 2.0.1

Ignore the windows test failures or merge #360 first. 😄

Closes linkml/linkml#2520

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 63.38%. Comparing base (1b5e9f7) to head (f612aff).
Report is 8 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #364      +/-   ##
==========================================
- Coverage   63.43%   63.38%   -0.06%     
==========================================
  Files          63       63              
  Lines        8982     8980       -2     
  Branches     2574     2572       -2     
==========================================
- Hits         5698     5692       -6     
- Misses       2665     2669       +4     
  Partials      619      619              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[sneakers-the-rat]

pretty straightforward.

ideally the changes to the actions would be in a separate PR so they don't hold up the changes to pyproject.toml (idk what needs to get done there to get the CD working), but this looks fine aside from two minor changes in pyproject

[sneakers-the-rat]

Huh, hadn't looked at this action before. I am not exactly sure what the point is, because unless we are looking at the results of this run regularly it doesn't rly force us to do anything and isn't visible e.g. on PRs? This would probably be easier to do by just running pip install rather than poetry if the intention is to test against the deps people would get if they installed normally.

Just passing thoughts, not needed to change in this PR.

[dalito]

Dependabot makes PRs . It updates hashes so using hashes looses its pain. See here for an example PR. If desired it can automerge or assign to someone; I prefer to merge myself after short review of changes (which are also conveniently linked in the PRs).
The dependabot config in this PR only looks for action-updates but not for python-package updates (I am unsure if you thought it would touch Python packages because you mentioned pip).

[dalito]

Sorry, I thought your comment was on dependabot, now I see its on check-dependencies.yaml. - I just updated it. I don't know why its present in the repo.

[sneakers-the-rat]

Suggested change

	readme = "README.md"
	readme = { file = "README.md", content-type = "text/markdown" }

[dalito]

I looked it up: If the file path ends in a case-insensitive .md suffix, then tools MUST assume the content-type is text/markdown.
So we don't need to change.

[sneakers-the-rat]

oh that's a nice little touch :)

[dalito]

@sneakers-the-rat requested changes done. Thank you for the thorough and quick review!

If the core maintainers would like to have this split I could to it. But I think it is not very useful to update the action-scripts just a little bit to make the updated pyproject.toml work (to a state that you in principle don't want) and then update separately to a state that you want.

[sneakers-the-rat]

what da heck is windows doing lol https://github.com/linkml/linkml-runtime/actions/runs/13048917327/job/36404669816?pr=364

[dalito]

Oh. I have never seen something like that locally on Win10/11.

But I vaguely remember reading somewhere that the windows runner uses a c: and d: drive somehow. ...will have a look.

Will also look at the unix failure. Earlier there was no problem, but maybe the job got cancelled before running due to the default use of fail-fast and the (expected) windows failure.

Update: Unix is fine now.

[dalito]

The problem on Windows is caused by a library used by poetry 2 that uses os.relpath for one dir on c: and the other on d: (which obviously cannot work). There are already issues for this problem python-poetry/poetry#10028 and pypa/installer#260

[dalito]

Solved the problem for poetry 2 by using pipx inject to install dynamic-versioning plugin into the pipx-environment. The issue only occurs if the (new in poetry 2) auto-installation of plugins is used.

So now it is ready for review. The remaining windows issues are as expected until #360 is merged.

[sneakers-the-rat]

after loving it while it was the only tool of its kind, i have grown to really not like poetry - this looks like it was a lot more work than it should have been, it always is. other packaging tools make lockfiles without all the drama. glad poetry finally relented and implemented it, and thanks for doing that work <3

[dalito]

For the failures of test_upstream I created an issue linkml/linkml#2520.

[dalito]

On ubuntu-latest the poetry-dynamic-versioning plugin also did not work when auto-installed, see version 0.0.0 in pick a2eed4c remove tag listing

So I changed the actions to use pipx inject to install the plugin on all platforms. I also slightly simplified the action test-upstream by using poetry sync. On my work I manually triggered the workflow and it passed (except on 3.8 which should not matter much).

[amc-corey-cox]

This also looks good to me. I appreciate your cleaning things up a little here as well. What is our strategy for fixing the windows build failures?

[dalito]

What is our strategy for fixing the windows build failures?

Merging #360? 😉 - It just needs another review.

[sneakers-the-rat]

idk how pipx works but i'm noticing it's getting the wrong python version here - https://github.com/linkml/linkml-runtime/actions/runs/13116111241/job/36590689408?pr=364#step:6:16

maybe because poetry>=2 is not available for python 3.8? seems like a problem that we can jump to a different python without knowing it tho.

[dalito]

It does not matter which version is used by pipx. It is isolated from the Python installed for the workflows.

pipx uses the default Python version of the runner.