Poetry grapher generates lockfiles to determine versions in pyproject

[jakecoffman]

What are you trying to accomplish?

When there is no lockfile, Dependabot needs to generate one to determine what version would be installed at the time.

Anything you want to highlight for special attention from reviewers?

Copied patterns from the NPM lockfile generator which does the same thing.

How will you know you've accomplished your goal?

Versions will start replacing UNKNOWN in SBOMs where a pyproject exists but not a lockfile.

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.

[brrygrdn]

LGTM, just one not on the log message

[Copilot]

Pull request overview

Adds a Poetry-specific ephemeral lockfile generation step to the Python dependency grapher so Dependabot can resolve exact installed versions (instead of UNKNOWN) for SBOM/dependency graphing when a repo has pyproject.toml but no committed poetry.lock.

Changes:

• Add Dependabot::Python::DependencyGrapher::LockfileGenerator to run poetry lock in a temp dir and return an in-memory poetry.lock.
• Update Dependabot::Python::DependencyGrapher#prepare! to generate and inject an ephemeral poetry.lock when the project is detected as Poetry via pyproject.toml.
• Add/extend specs to cover successful/failed ephemeral lockfile generation and resulting resolved PURLs/relationships.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
python/lib/dependabot/python/dependency_grapher.rb	Generates/injects an ephemeral Poetry lockfile during graph preparation and adjusts relevant file selection.
python/lib/dependabot/python/dependency_grapher/lockfile_generator.rb	Implements the temp-dir poetry lock flow and returns a DependencyFile for the generated lock.
python/spec/dependabot/python/dependency_grapher_spec.rb	Adds coverage for grapher behavior when poetry.lock is absent (generation attempt, success, failure).
python/spec/dependabot/python/dependency_grapher/lockfile_generator_spec.rb	New unit specs for lockfile generator success/failure/non-generation paths.