TST: Pin test dependencies to exact versions

[mdboom]

This is in response to #2227 causing an unwelcome surprise when pytest was updated. It was fine at the time, but this kind of thing gets really annoying during release time.

There is no reason not to pin our test dependencies, and let dependabot handle updating them so we can deal with any breakages when we want to, not to urgently unblock CI.

Summary

• Pin all test [dependency-groups] specifiers to exact == versions in cuda_bindings, cuda_core, and cuda_pathfinder so CI runs against a known-good set of packages
• Add three pip ecosystem entries to .github/dependabot.yml (one per subproject) so Dependabot opens PRs when newer PyPI versions are available

Notes

• cython and setuptools are intentionally left as range specifiers (>=3.2,<3.3 and >=80) since they are build-time dependencies with looser compatibility constraints
• ml-dtypes in cuda_core is left as >=0.5.4,<0.6.0 for the same reason

Test plan

• Verify CI passes with pinned versions
• Confirm dependabot config parses cleanly (check Actions tab after merge)

🤖 Generated with Claude Code

[rwgk]

WDYT about e.g.

"matplotlib>=3.5.0,<=3.10.9; python_version < '3.15'",

so that we don't lock in other packages to one very specific version? — I realize it's only for testing, but I wonder if e.g. numba or rapids testing could be affected by our choices here.

[mdboom]

Why would they test in the same venv as ours? If they wanted to test against a prerelease of cuda_bindings, only the library dependencies would apply, not the test dependencies.

[mdboom]

I think the only concern here is that /this/ list is self-consistent, for example, the numpy and matplotlib versions specified here are compatible (which they are).

[rwgk]

Why would the test in the same venv as ours?

I think I've seen that (SWQA testing), although digging up what I have in mind isn't easy.

I'm OK to be simple/strict first and see what happens.

[github-actions]

Doc Preview CI
🚀 View preview at https://nvidia.github.io/cuda-python/pr-preview/pr-2230/
https://nvidia.github.io/cuda-python/pr-preview/pr-2230/cuda-core/
https://nvidia.github.io/cuda-python/pr-preview/pr-2230/cuda-bindings/
https://nvidia.github.io/cuda-python/pr-preview/pr-2230/cuda-pathfinder/
Preview will be ready when the GitHub Pages deployment is complete.

[rwgk]

I think we also need to update the pixi.toml files as part of this PR, or at least explicitly call them out as follow-up work.

Right now this PR freezes the test dependencies in the package pyproject.toml dependency groups, but the pixi environments still have broad specs for the same test tools. That means some CI/developer test paths can still float even after this PR lands.

The main ones I noticed are:

• cuda_bindings/pixi.toml
• cuda_core/pixi.toml
• cuda_pathfinder/pixi.toml

If the goal is to stop unexpected pytest-side dependency changes from putting us into fire-fighting mode, the pixi-managed test environments should follow the same pinning policy as the pyproject.toml test groups, or we should document why they intentionally remain floating.

[rwgk]

Could we keep the previous lower bounds here rather than making these bare dependencies?

What I would do:

• Restore the lower bounds, because they encode the minimum supported/tested floor.
• Add upper bounds to prevent surprise future releases from breaking CI.
• Split NumPy by Python version if one cap cannot span the full Python matrix.
• Add a short comment for any Python-version split so it is clear this is compatibility-driven, not arbitrary.

Policy-wise, I think lower bounds and upper bounds serve different purposes: lower bound = minimum supported/tested floor; upper bound or exact pin = CI stability cap. I do not think we should lose the former while adding the latter.

For example, roughly this shape, informed by the CI/branch history so far:

"matplotlib>=3.5.0,<=3.10.9; python_version < '3.15'",
"numpy>=1.21.1,<=2.2.6; python_version < '3.11'",
"numpy>=1.21.1,<=2.4.6; python_version >= '3.11'",

[mdboom]

In general, this makes sense. There is no need for the two numpy entries, since the lack of availability of anything greater than 2.2.6 on Python 3.10 will automatically enforce that first rule.

[mdboom]

If the goal is to stop unexpected pytest-side dependency changes from putting us into fire-fighting mode, the pixi-managed test environments should follow the same pinning policy as the pyproject.toml test groups, or we should document why they intentionally remain floating.

One of the reasons I'm sort of anti-pixi is that it uses the conda (forge) packaging ecosystem which lags behind PyPI. It's not actually possible to pin these to the same versions right now, for example, because many of them have yet to be released. This creates a whole other set of fire-fighting surprises. We should either (a) use pixi everywhere, including in CI or (b) move to PyPI-based packaging everywhere and use uv's tooling rather than pixi. Supporting both is a major pain point -- one of them is always broken and they can't match. I'm personally more familiar with (b) and that is where the community is trending, but could be convinced otherwise.

This is a separate issue from needing to support both ecosystems for our users -- we do need to test on both there.