Remove lockfiles, manage Gradle dependencies with Dependabot (#1535)

Dependabot currently does not update lockfiles in multi-module projects
(see https://github.com/dependabot/dependabot-core/issues/14633)

To work around this issue, we will simply remove our lockfiles, and
change our version catalog to use fully specified versions.
The removal of lockfiles introduces two issues:

1. It is less visible what our dependency graph is
2. Our builds are potentially non-reproducible

To work around this, two mitigations are in place:

1. Enable `failOnDynamicVersions()`, which causes Gradle to fail the
build if any dependencies declare a version range
2. Enable GitHub dependency submission, which provides insight into the
project SBOM
Daniel Chao
2026-04-20 09:29:33 -07:00
committed by GitHub
parent 9046221e03
commit 07c68239b9
26 changed files with 40 additions and 1683 deletions
@@ -20,12 +20,14 @@ plugins { id("com.diffplug.spotless") }
val buildInfo = extensions.create<BuildInfo>("buildInfo", project)
dependencyLocking { lockAllConfigurations() }
configurations {
val rejectedVersionSuffix = Regex("-alpha|-beta|-eap|-m|-rc|-snapshot", RegexOption.IGNORE_CASE)
configureEach {
resolutionStrategy {
// forbid dependencies whose pom.xml's include version ranges, because this will lead to
// unreproducible builds.
failOnDynamicVersions()
componentSelection {
all {
if (rejectedVersionSuffix.containsMatchIn(candidate.version)) {
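Review bot: `failOnDynamicVersions()` only rejects dynamic selectors (ranges, `+` prefixes, `latest.*`), not changing modules, so the reproducibility goal stated in the commit message is better served by `failOnNonReproducibleResolution()`, which enables this check together with `failOnChangingVersions()`; the `componentSelection` rule below only catches snapshots whose version string literally carries a `-snapshot` suffix. Minor wording in the new comment: `// forbid dependencies whose pom.xml's include version ranges` reads better as `pom.xml files include`, and `unreproducible` should match the commit message's `non-reproducible`.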
@@ -77,12 +79,6 @@ plugins.withType(MavenPublishPlugin::class).configureEach {
}
}
// settings.gradle.kts sets `--write-locks`
// if Gradle command line contains this task name
val updateDependencyLocks by tasks.registering {
doLast { configurations.filter { it.isCanBeResolved }.forEach { it.resolve() } }
}
val allDependencies by tasks.registering(DependencyReportTask::class)
tasks.withType(Test::class).configureEach {
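Review bot: removing `updateDependencyLocks` leaves the behaviour its own comment describes dangling, `// settings.gradle.kts sets \`--write-locks\`` / `// if Gradle command line contains this task name`, so the matching task-name check in settings.gradle.kts, and any CI step or contributor docs that invoke `updateDependencyLocks` or `allDependencies`, should go in the same change (the 26-file diff may already cover it, but it is not visible in this hunk). Dropping the `DependencyReportTask` also removes the local answer to the commit message's first concern, a less visible dependency graph; the built-in per-project `dependencies` task still exists, and a pointer to it or to the submitted dependency graph belongs in the docs.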