Set up security update checks in CI

[fyliu]

Overview

We need to set up something like PyUp once we're deployed so that we're up-to-date for security updates.

Details

PyUP is a tool that updates all your project's Python dependency files through Pull Requests on GitHub/GitLab. It's repo is currently inactive and the project was converted to a product called Safety, this issue will explore alternatives including but not limited to:

• set up Dependabot to do the same
• set up a GHA to run pip-tools to do the updates (just update, no information on whether anything is vulnerable).

Action Items

• [ ] research alternatives and document in comments below
• [ ] Summarize a recommendation in a comment
• [ ] Review and get sign-off from
  • [ ] Lead dev
  • [ ] Product Lead
• [ ] Deploy solution
  • If the solution involves deploying via GitHub actions
    • [ ] document in the GitHub actions page

Resources/Instructions

• This issue relates to #218
• Looks like PyUp

[fyliu]

Looks like pyup hasn't been updated in years and the project was converted to a product called Safety. Here's a list of alternatives to consider. Or

• set up Dependabot to do the same
• set up a GHA to run pip-tools to do the updates (just update, no information on whether anything is vulnerable).

[ExperimentsInHonesty]

@fyliu I rewrote the issue a little bit. Please review and if you are good with the way it is now, please add the ready for product label back on.