Commit e5f98c3

Use Dependabot to manage Poetry version
The project's Python package dependencies are managed by the Poetry tool. Previously, the version of Poetry was managed in two inconsistent and sub-ideal ways:

* The version used during execution of the action was hardcoded in the action metadata file.
* The version used locally by contributors and by the GitHub Actions workflows was not managed at all.

The first is problematic because there is no mechanism to facilitate updates, which means it will never be updated. The second is problematic because some versions might be incompatible, or produce different results than the version used by the action.

The better solution is to take the same approach for managing the Poetry dependency as done for the project's other dependencies:

* Install a specific version of Poetry according to a single source of versioning data.
* Use the Dependabot service to get automated update pull requests.

The logical place to define the Poetry package dependency version is in pyproject.toml, as is done for all direct Python package dependencies.

Dependabot recognizes two forms of dependency data in the pyproject.toml file:

* Poetry
* PEP 621

Since Poetry can't be used to manage itself, the obvious approach would be to define the Poetry dependency in a PEP 621 field in the file. However, this is not possible because if Dependabot finds Poetry data in pyproject.toml, it ignores the PEP 621 fields. So it is necessary to define the Poetry dependency in the Poetry fields of the file. A special dependencies group is created for this purpose. That group is configured as "optional" so that it won't be installed redundantly by `poetry install` commands.

Unfortunately pipx doesn't support using pyproject.toml as a dependency configuration file so it is necessary to generate the dependency argument in the pipx command by parsing the project.toml file.
1 parent fdda776 commit e5f98c3

3 files changed

+28
-2
lines changed

Taskfile.yml

Lines changed: 13 additions & 1 deletion
@@ -394,10 +394,22 @@ tasks:
394394
echo "Please install: https://pipx.pypa.io/stable/installation/#installing-pipx"
395395
exit 1
396396
fi
397+
- |
398+
if ! which yq &>/dev/null; then
399+
echo "yq not found or not in PATH."
400+
echo "Please install: https://github.com/mikefarah/yq/#install"
401+
exit 1
402+
fi
397403
- |
398404
pipx install \
399405
--python "{{.PYTHON_PATH}}" \
400-
poetry
406+
"poetry==$( \
407+
yq \
408+
--input-format toml \
409+
--output-format yaml \
410+
'.tool.poetry.group.pipx.dependencies.poetry' \
411+
< pyproject.toml
412+
)"
401413
402414
# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/poetry-task/Taskfile.yml
403415
poetry:install-deps:
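
Review bot: The new guard at lines 397-402 only checks that some `yq` is on PATH, but the command at lines 406-412 depends on the mikefarah implementation with TOML input support (`--input-format toml`). A different `yq`, or one without TOML support, passes the guard and then fails inside the command substitution, leaving pipx with an invalid `poetry==` argument and an unclear error. Consider running the extraction as its own command, assigning the result to a variable, and exiting with a clear message when the command fails or the value is empty or `null`, before calling `pipx install`.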

action.yml

Lines changed: 7 additions & 1 deletion
@@ -87,7 +87,13 @@ runs:
8787
# Install Poetry.
8888
pipx install \
8989
--python "$(which python)" \
90-
poetry==1.4.0
90+
"poetry==$( \
91+
yq \
92+
--input-format toml \
93+
--output-format yaml \
94+
'.tool.poetry.group.pipx.dependencies.poetry' \
95+
< pyproject.toml
96+
)"
9197
9298
# Install Python dependencies.
9399
poetry install \
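
Review bot: Unlike the Taskfile.yml change, the install step at lines 90-96 has no check that `yq` exists on the runner or that the lookup returned a version, so a missing `yq` or a renamed key surfaces only as pipx rejecting `poetry==` or `poetry==null`. Validate the extracted value before passing it to `pipx install`. Also, `< pyproject.toml` at line 95 is resolved relative to the step's working directory, which this hunk does not show; if that is not guaranteed to be the action's own directory, reference the file via `${{ github.action_path }}` so the version cannot come from a different pyproject.toml.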

pyproject.toml

Lines changed: 8 additions & 0 deletions
@@ -32,6 +32,14 @@ optional = true
3232
[tool.poetry.group.external.dependencies]
3333
pyserial = "3.5"
3434

35+
# The dependencies in this group are installed using pipx; NOT Poetry. The use of a `poetry` section is a hack required
36+
# in order to be able to manage updates of these dependencies via Dependabot, as used for all other dependencies.
37+
[tool.poetry.group.pipx]
38+
optional = true
39+
40+
[tool.poetry.group.pipx.dependencies]
41+
poetry = "1.4.0"
42+
3543
[build-system]
3644
requires = ["poetry-core"]
3745
build-backend = "poetry.core.masonry.api"
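
Review bot: The value at line 41 is concatenated verbatim after `poetry==` by the commands in Taskfile.yml and action.yml, so it has to remain a bare exact version string, yet the comment at lines 35-36 does not say so. A Poetry-style constraint such as `^1.4.0` or a table form would be valid in this file but would produce an invalid pipx requirement. Add a sentence to the comment stating that the value must be an exact version with no operator.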
