Check pip-compile and commit autoformatter changes

[A5rocks]

I'm not sure having a commit afterwards is the best behavior for if someone is rapidly iterating, but this specifically would make dependabot PRs nicer to deal with. (dependabot has a nasty habit of removing things from the lockfile: #2511 (comment))

https://github.com/A5rocks/trio/actions/runs/4120613215/jobs/7115511631 proof this works

(I think, after this, the next step is adding an action that enables the auto-merge feature on any PR dependabot makes. After that: make dependabot update our github actions (ie @actions/checkout which ATM is out of date))

[codecov]

Codecov Report

Merging #2559 (ed33f1b) into master (de6e018) will not change coverage.
The diff coverage is n/a.

❗ Current head ed33f1b differs from pull request most recent head 363f266. Consider uploading reports for the commit 363f266 to get more accurate results

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #2559   +/-   ##
=======================================
  Coverage   92.45%   92.45%           
=======================================
  Files         118      118           
  Lines       16345    16345           
  Branches     3155     3155           
=======================================
  Hits        15112    15112           
  Misses       1104     1104           
  Partials      129      129           

[pquentin]

Thanks! LGTM.

[A5rocks]

I was searching through history on the gitter channel and it turns out this has been mentioned before and turned down as too much a burden on a developer: https://gitter.im/python-trio/general?at=5d426fcee2802b6790a860be

I could make this use a specific PR comment to trigger instead. Any opinions? (ie autoformat on its own line?)

[pquentin]

Or maybe you could only apply this on dependabot PRs?

[pquentin]

Thanks! Looks good to me.

[A5rocks]

I had to commit b1fbbd3 (and a few other things) to make this work on dependabot PRs. (actually, this still fails... https://github.com/python-trio/trio/actions/runs/4149501153/jobs/7178493177#step:6:22 ugh)

I'm not so sure that's secure; it certainly seems like a bad idea. Are these secure?

Looking at the docs (https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions) says that this will only grant it if the actor has write permissions (or if we enabled a setting we probably didn't), so I suppose we're fine?