Remove dependabot for direct dependency management?

[molpopgen]

The bot is doing the wrong thing, ignoring the constraints specified in pyproject.toml.

I have also come to think that this way of updating dependencies isn't very useful. IMO, it is preferable to do them manually from time to time. I make allowances for security issues that affect install dependencies.

[molpopgen]

Rather than let bots do the work, I'd suggest that we update the lock file when a new Python version comes out (which also means that an older one is end-of-life'd). The rationale is that the new Python version will likely never get wheels for our locked dependency versions, meaning that it takes a while to set up a development environment because one needs to compile a bunch of stuff (and have those compilation dependencies present locally).

So, when a new Python version appears:

uv lock -p NEW_VERSION --upgrade
git commit uv.lock -m "update uv.lock"
submit a PR and see what happens....

[grahamgower]

Yeah, that makes sense. Dependabot was supposed to be a low-maintenance/lazy way to tell us when new package versions break things. But if it's not reliable, then we should yank it out. And get rid of mergify at the same time, because the only reason to have it is to merge bot PRs.

On a personal note, I stepped away from academic research in 2023, and I'm not doing anything related to simulation or popgen. So I'll definitely need poking to keep things up to date here. E.g. It's unlikely I'll even notice if a new python version is released.

[molpopgen]

Closed by #614