Rename development requirement files

[ocelotl]

Fixes #3873

The issue here is that dependabot is opening security alerts for dependencies that are in our *requirements*txt files. The ideal solution would be to configure dependabot in such a way that these files are ignored but this seems to be impossible right now:

dependabot/dependabot-core#2883
dependabot/dependabot-core#1657

So, the proposed solution here is to rename all these files to something that is ignored by dependabot. This solution is less than ideal but it should work.

[lzchen]

@ocelotl

I keep making comments but for some reason they are disappearing. Is there any implications for changing the requirements.txt files and removing .txt? Will pip install -r requirements still work? Won't this technically break users who have pip install -r requirements.txt in their builds?

[lzchen]

@ocelotl

Apparently a lot of other language SIGs has switched to renovate for dependency checking. It allows for more granular configuration settings. Might be something worthwhile to look into.

We will have to make a request to add the action to our repo.

https://github.com/open-telemetry/community/issues?q=is%3Aissue+renovate+is%3Aclosed

Java config: https://github.com/open-telemetry/opentelemetry-java-instrumentation/blob/main/.github/renovate.json5

[aabmass]

The ideal solution would be to configure dependabot in such a way that these files are ignored but this seems to be impossible right now:

Think we discussed this in the SIG, but I don't think this should be our aim. Ideally it would bump lockfile dependency versions for us and send a PR. Actually Renovate supports this with "lockfile maintenance" and I believe it works with pip-compile if we can list out our test dependencies (not transitive dependencies) and let the tool manage the lockfile.

That said if you're if dependabot spam is really bad, I'm OK to do whatever workaround.