Separate package-specific `pyproject.toml` from development dependencies

[jenstroeger]

Currently, the pyproject.toml file contains both package specific metadata and dependencies (organized into [project] tables, link) and development dependencies and settings for the package (organized into [tools] tables, link). Particulalry, the development dependencies currently masquerade as package extras (which they’re not):

python-package-template/pyproject.toml

Lines 40 to 72 in 29d02e3

	# The 'actions' requirements match exactly the packages installed by the workflows.
	# We keep them listed here to ensure the infrastructure BOM is consistent with what's
	# installed. Make sure to keep the requirements in sync with the workflows!
	actions = [
	"commitizen ==4.5.0",
	"twine ==6.1.0",
	]
	dev = [
	"flit >=3.2.0,<4.0.0",
	"mypy >=1.0.0,<1.15",
	"pip-audit >=2.4.4,<3.0.0",
	"pylint >=3.0.0,<3.4.0",
	"perflint >=0.8.0,<1.0.0",
	"cyclonedx-bom >=4.0.0,<5.0.0",
	]
	docs = [
	"sphinx >=5.1.1,<9.0.0",
	"sphinx-markdown-builder >=0.6.4,<1.0.0",
	]
	hooks = [
	"pre-commit >=3.0.0,<4.1.0",
	]
	# Note that the `custom_exit_code` and `env` plugins may currently be unmaintained.
	test = [
	"faker ==37.1.0",
	"hypothesis >=6.21.0,<6.130.9",
	"pytest >=7.2.0,<9.0.0",
	"pytest-cases ==3.8.6",
	"pytest-custom_exit_code ==0.3.0",
	"pytest-cov ==6.1.0",
	"pytest-doctestplus ==1.3.0",
	"pytest-env ==1.1.5",
	]

I’m starting to think that it makes much sense to separate the package related dependencies & metadata (the pyproject.toml) from the package’s development dependencies & tools settings (e.g. a develop-requirements.txt and a develop.toml file), in order to avoid leaking dev deps and settings into a published sdist package (related PR #948).

That way, a published sdist package would contain only data required for its installation, and not leak development information.

Hmm… 🤔