Manage versioning of Poetry tool dependency

The project's Python package dependencies are managed by the Poetry tool.

Previously, the version of Poetry was not managed in any way.

The GitHub Actions workflows used whichever version of Poetry happened to be installed on the runner machine. This meant
that the GitHub Actions workflows could break at any time through the poetry installation on the runner machine being
updated to an incompatible version.

The contributors used whichever version of Poetry happened to be installed on their machine. This meant that they might
get different results from that produced by the environment of the GitHub Actions workflows.

The better solution is to take the same approach for managing the Poetry dependency as done for the project's other
dependencies:

* Install a specific version of Poetry according to a single source of versioning data.
* Use the Dependabot service to get automated update pull requests.

The logical place to define the Poetry package dependency version is in pyproject.toml, as is done for all direct Python
package dependencies.

Dependabot recognizes two forms of dependency data in the pyproject.toml file:

* Poetry
* PEP 621

Since Poetry can't be used to manage itself, the obvious approach would be to define the Poetry dependency in a PEP 621
field in the file. However, this is not possible because if Dependabot finds Poetry data in pyproject.toml, it ignores
the PEP 621 fields. So it is necessary to define the Poetry dependency in the Poetry fields of the file. A special
dependencies group is created for this purpose. That group is configured as "optional" so that it won't be installed
redundantly by `poetry install` commands.

Unfortunately pipx doesn't support using pyproject.toml as a dependency configuration file so it is necessary to
generate the dependency argument in the pipx command by parsing the contents of the project.toml file.

Author: per1234

.github/workflows/check-yaml-task.yml

@@ -1,10 +1,6 @@
 # Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/check-yaml-task.md
 name: Check YAML
 
-env:
-  # See: https://github.com/actions/setup-python/tree/main#available-versions-of-python
-  PYTHON_VERSION: "3.9"
-
 # See: https://docs.github.com/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows
 on:
   create:
@@ -103,9 +99,6 @@ jobs:
         with:
           python-version-file: pyproject.toml
 
-      - name: Install Poetry
-        run: pip install poetry
-
       - name: Install Task
         uses: arduino/setup-task@v2
         with:

.github/workflows/spell-check-task.yml

@@ -1,10 +1,6 @@
 # Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/spell-check-task.md
 name: Spell Check
 
-env:
-  # See: https://github.com/actions/setup-python/tree/main#available-versions-of-python
-  PYTHON_VERSION: "3.9"
-
 # See: https://docs.github.com/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows
 on:
   create:
@@ -57,9 +53,6 @@ jobs:
         with:
           python-version-file: pyproject.toml
 
-      - name: Install Poetry
-        run: pip install poetry
-
       - name: Install Task
         uses: arduino/setup-task@v2
         with:

Taskfile.yml

@@ -347,9 +347,42 @@ tasks:
             -r "{{.STYLELINTRC_SCHEMA_PATH}}" \
             -d "{{.INSTANCE_PATH}}"
 
+  poetry:install:
+    desc: Install Poetry
+    run: once
+    cmds:
+      - |
+        if ! which pipx &>/dev/null; then
+          echo "pipx not found or not in PATH."
+          echo "Please install: https://pipx.pypa.io/stable/installation/#installing-pipx"
+          exit 1
+        fi
+      - |
+        if ! which yq &>/dev/null; then
+          echo "yq not found or not in PATH."
+          echo "Please install: https://github.com/mikefarah/yq/#install"
+          exit 1
+        fi
+      - |
+        export PIPX_DEFAULT_PYTHON="$( \
+          task utility:normalize-path \
+            RAW_PATH="$(which python)" \
+        )"
+        pipx install \
+          --force \
+          "poetry==$( \
+            yq \
+              --input-format toml \
+              --output-format yaml \
+              '.tool.poetry.group.pipx.dependencies.poetry' \
+              < pyproject.toml
+          )"
+
   # Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/poetry-task/Taskfile.yml
   poetry:install-deps:
     desc: Install dependencies managed by Poetry
+    deps:
+      - task: poetry:install
     cmds:
       - poetry install --no-root
 

poetry.lock

@@ -11,6 +11,14 @@ python = "~3.9"
 yamllint = "^1.36.0"
 codespell = "^2.4.1"
 
+# The dependencies in this group are installed using pipx; NOT Poetry. The use of a `poetry` section is a hack required
+# in order to be able to manage updates of these dependencies via Dependabot, as used for all other dependencies.
+[tool.poetry.group.pipx]
+optional = true
+
+[tool.poetry.group.pipx.dependencies]
+poetry = "2.1.1"
+
 [build-system]
 requires = ["poetry-core>=1.0.0"]
 build-backend = "poetry.core.masonry.api"