ci: Pin transitive dependencies for tests suites on Python>=3.8 #6437

Draft
alexander-alderman-webb wants to merge 3 commits into master from webb/populate-tox/transitive-dependencies

@alexander-alderman-webb alexander-alderman-webb commented May 28, 2026

Description

Add transitive dependencies to all test groups that are generated by populate_tox.py.
Dependency versions are resolved via a dry run of pip through uv on the relevant Python version.
Pins one set of dependencies per Python version and per library version.

Issues

Reminders

github-actions Bot commented May 28, 2026

Codecov Results 📊

28 passed | Total: 28 | Pass Rate: 100% | Execution Time: 8.34s

📊 Comparison with Base Branch

Metric Change
Total Tests
Passed Tests
Failed Tests
Skipped Tests

✨ No test changes detected

All tests are passing successfully.

✅ Patch coverage is 100.00%. Project has 17056 uncovered lines.
❌ Project coverage is 24.44%. Comparing base (base) to head (head).

Coverage diff
@@            Coverage Diff             @@
##          main       #PR       +/-##
==========================================
- Coverage    26.24%    24.44%     -1.8%
==========================================
  Files          190       189        -1
  Lines        22890     22573      -317
  Branches      7834      8559      +725
==========================================
+ Hits          6007      5517      -490
- Misses       16883     17056      +173
- Partials       506       483       -23

Generated by Codecov Action

@alexander-alderman-webb alexander-alderman-webb marked this pull request as ready for review May 28, 2026 13:30
@alexander-alderman-webb alexander-alderman-webb requested a review from a team as a code owner May 28, 2026 13:30
@alexander-alderman-webb alexander-alderman-webb changed the title from "ci: Pin transitive dependencies for tests suites" to "ci: Pin transitive dependencies for tests suites ran on Python>=3.8" May 28, 2026
@alexander-alderman-webb alexander-alderman-webb changed the title from "ci: Pin transitive dependencies for tests suites ran on Python>=3.8" to "ci: Pin transitive dependencies for tests suites on Python>=3.8" May 28, 2026
@alexander-alderman-webb alexander-alderman-webb marked this pull request as draft May 28, 2026 13:37
Comment thread scripts/populate_tox/populate_tox.py
Comment on lines +1189 to +1202
for python_version in release.python_versions:
if python_version < ThreadedVersion("3.8"):
continue
try:
deps = _get_transitive_dependencies(
integration, package, release, python_version
)
except DryRunFailed as error:
print(
f"\npip dry run failed for version {release} of {package} on Python {python_version}:\n{error}"
)
continue
if deps:
release.transitive_dependencies.append(deps)
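
Review bot: The `except DryRunFailed` branch only prints and then hits `continue`, so a failed dry run leaves that Python version with no entry in `release.transitive_dependencies` and only a line on stdout as evidence. Since the point of the change is to pin transitive dependencies, consider collecting the failures and exiting non-zero at the end of the run, or otherwise marking the affected environments, so a missing pin set cannot pass unnoticed. The `if deps:` guard has the same effect for an empty result and emits no message at all.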

Transitive-dependency cache ignores Python version, so all but the first iteration return stale results

The inner loop calls _get_transitive_dependencies once per python_version, but fetch_package_dependencies caches results keyed only on package+version (no Python version). After the first iteration resolves deps on, say, Python 3.8, every subsequent iteration (3.9, 3.10, 3.11…) returns those same cached Python 3.8 pins while labelling them with the later Python version in the tox env name.

Evidence
  • _fetch_package_dependencies_from_cache(package, version) at line 204 ignores python_version; cache hit returns immediately.
  • _save_to_package_dependencies_cache(package, version, ...) at line 247 also omits python_version, so the first call's result is stored under just package+version.
  • The new loop (lines 1189–1202) iterates over all release.python_versions; for a release supporting 3.8–3.11 the second through fourth calls will all hit the cache entry written by the first call.
  • The dep strings embed the current python_version in the tox env name (e.g. 3.11-django-v4.2: …) but the pinned package versions came from the Python 3.8 resolution, which can differ (e.g. tzdata, asgiref, or other conditional deps).
  • _get_dependency_probe_constraints at lines 167–193 also varies by python_version, so even the constraints used differ per iteration, yet the cached result from the first call ignores this.

Identified by Warden code-review · VCG-BDE


oh that's not good
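
The cache-key problem raised in the review comment above, as an added example that is not code from populate_tox.py or from this PR: a resolution cache keyed on package+version hands the first interpreter's pins to every later interpreter, while a key that also covers the Python version and the constraints does not. All names (`ResolutionCache`, `fake_resolve`, `pins_per_python`, `stale_interpreters`) and the pinned versions are constructed for illustration.

```python
import hashlib
import json

PYTHONS = [(3, 8), (3, 9), (3, 11)]  # constructed sample matrix


def fake_resolve(package, version, python_version):
    """Stand-in for the resolver dry run (constructed data): interpreters
    older than 3.9 need a backport that newer ones do not."""
    pins = {package: version, "asgiref": "3.7.2"}
    if python_version < (3, 9):
        pins["backports.zoneinfo"] = "0.2.1"
    return pins


class ResolutionCache:
    """Caches resolver output under a hash of the chosen key fields."""

    def __init__(self, key_fields):
        self.key_fields = key_fields
        self.store = {}
        self.resolver_calls = 0

    def _key(self, context):
        material = {name: context[name] for name in self.key_fields}
        return hashlib.sha256(json.dumps(material, sort_keys=True).encode()).hexdigest()

    def resolve(self, package, version, python_version, constraints):
        context = {"package": package, "version": version,
                   "python_version": python_version,
                   "constraints": sorted(constraints)}
        key = self._key(context)
        if key not in self.store:  # only a cache miss reaches the resolver
            self.resolver_calls += 1
            self.store[key] = fake_resolve(package, version, python_version)
        return self.store[key]


def pins_per_python(cache, package="django", version="4.2"):
    """Resolve once per interpreter, as a per-Python-version loop would."""
    return {py: cache.resolve(package, version, py, [f"constraints-py{py[0]}{py[1]}"])
            for py in PYTHONS}


def stale_interpreters(cache):
    """Interpreters whose cached pins differ from a fresh resolution."""
    got = pins_per_python(cache)
    return [py for py in PYTHONS if got[py] != fake_resolve("django", "4.2", py)]
```

Comparing cached pins against a fresh resolution for each interpreter, as `stale_interpreters` does, is also a cheap regression check for this class of bug.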
